Is it safe to apply fail2ban on sshd "Received disconnect/Disconnected ... [preauth]" logs?

ssh fail2ban debian-buster

There is no corresponding rule in /etc/fail2ban/filter.d/sshd.conf, so these attempts don't cause fail2ban to ban the offending IP address.

What version are you using? Fail2Ban comes with a predefined rule about this, included in the common failregex used by all modes.

Fail2Ban v0.10.2 in one of my systems includes this rule:

^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:

And Fail2Ban v0.11.2 includes this one (which is better):

^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:

Apparently the developers thought that any of the following lines

Received disconnect from <HOST>: 11:
Received disconnect from <HOST> port XXXXX:11:

will suffice. The relevant keywords being Received disconnect from and the : 11: part (instead of the [preauth] suffix).

The <F-NOFAIL> means that this line isn't a failure and will expect another match without <F-NOFAIL> to ban the IP, so you will have to remove the surrounding tags.


Is it safe for me to add a Regexp matching some of those lines, or would I risk matching legitimate (key based) login attempts ? Which parts would make a safe combination ? Would matching the words "Disconnected" and the tag "[preauth]" necessarily indicate a failed password-based brute force ?

A legitimate successful connection and authentication does not trigger such log lines. These entries can come from scanners, which do not cause harm, but can be be blocked as well. preauth means, those clients did not start authentication yet.

Even if you yourself cause a failed login, either by using wrong keys or mistyping the password, using fail2ban is still okay. fail2ban only blocks after a configurable number of matching log lines and only for a certain time frame.

You can use this snippet (e.g. as cmdfailre) in Debian buster:

^Received disconnect from <HOST>%(__on_port_opt)s:11: \s* %(__suff)s$
^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__on_port_opt)s %(__suff)s$

Related

Define default container when using sidecar container
SSH tunnels with multiple outbound IPs
No SPF record on secondary DNS
rsync for backup but don't want to wipe ( not erase ) drive
SSLProtocol: Illegal protocol 'TLSv1.2'
Simple respond_with in rails that avoids 204 from PUT
How to do a "local-only commit" in git?
RequireJS - What is the purpose of the "exports" property in shim
SQLite Syntax for Creating Table with Foreign Key
Mockito and Hamcrest: how to verify invocation of Collection argument?
How to access the subdomain of an IP address in the browser?
Send a log to Crashlytics without an app crash