More fail2ban questions
Chong Yu Meng
chongym
Fri Aug 4 09:41:46 PDT 2006
On Thu, 2006-08-03 at 06:52 -0500, David Bandel wrote:
> ignoreip should be IPs you don't want banned. My management addresses
> are all listed there.
>
Ok, thanks! So I can actually leave that setting empty.
> yep. But unless he's source routing (which you shouldn't allow), his
> attempts are for naught.
>
Yup, he's not getting in! But just now, I noticed something rather odd:
fail2ban seems to work for almost all cases except one. I have the
following inside my /var/log/secure:
Aug 4 11:17:11 saiwanho sshd[29457]: Failed password for root from 210.21.24.13 port 33088 ssh2
Aug 4 11:17:11 saiwanho sshd[29457]: Received disconnect from 210.21.24.13: 11: Bye Bye
Aug 4 11:17:12 saiwanho sshd[29461]: Failed password for root from 210.21.24.13 port 33101 ssh2
Aug 4 11:17:12 saiwanho sshd[29461]: Received disconnect from 210.21.24.13: 11: Bye Bye
Aug 4 11:17:12 saiwanho sshd[29465]: Failed password for root from 210.21.24.13 port 33144 ssh2
Aug 4 11:17:12 saiwanho sshd[29465]: Received disconnect from 210.21.24.13: 11: Bye Bye
Aug 4 11:17:12 saiwanho sshd[29469]: Failed password for root from 210.21.24.13 port 33163 ssh2
Aug 4 11:17:12 saiwanho sshd[29469]: Received disconnect from 210.21.24.13: 11: Bye Bye
Aug 4 11:17:13 saiwanho sshd[29473]: Failed password for root from 210.21.24.13 port 33177 ssh2
Aug 4 11:17:13 saiwanho sshd[29473]: Received disconnect from 210.21.24.13: 11: Bye Bye
Aug 4 11:17:13 saiwanho sshd[29477]: Failed password for root from 210.21.24.13 port 33220 ssh2
Aug 4 11:17:13 saiwanho sshd[29477]: Received disconnect from 210.21.24.13: 11: Bye Bye
Somehow, fail2ban leaves this IP address 210.21.24.13 alone, i.e. does
not ban it. I've checked the IP address, and it seems to be a HK server
that does port scans. Or is there a reason why the IP is ignored -- e.g.
the port it probes, etc.?
Thanks in advance!
--
Pascal Chong
email: chongym at cymulacrum.net
web: http://cymulacrum.net
pgp: http://cymulacrum.net/pgp/cymulacrum.asc
"Science knows no borders, because knowledge belongs to humanity,
and it is the flame that illuminates the world."
-- Louis Pasteur
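
Added example, not part of the original message and not fail2ban's own code: a stand-alone Python check that parses sshd lines like the ones quoted above, counts failures per source address, and reports which addresses cross a threshold. The regex, the function and parameter names other than ignoreip, the threshold (5 failures within 600 seconds), the year 2006 and the host 192.0.2.7 are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed pattern for the sshd lines quoted above; not fail2ban's own failregex.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failures(lines, year=2006):
    """Yield (timestamp, ip) for every line the pattern accepts."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def would_ban(lines, max_failures=5, window_seconds=600, ignoreip=()):
    """Return {ip: time of the failure that reached max_failures in the window}."""
    recent = defaultdict(deque)   # per-address timestamps still inside the window
    banned = {}
    for ts, ip in failures(lines):   # lines are assumed to be in time order
        if ip in ignoreip or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned

# Constructed sample: the six failures from the post, one per line, plus one
# disconnect line and one made-up host (192.0.2.7) with a single failure.
SAMPLE = [
    f"Aug 4 11:17:{s} saiwanho sshd[{pid}]: Failed password for root from 210.21.24.13 port {port} ssh2"
    for s, pid, port in [(11, 29457, 33088), (12, 29461, 33101), (12, 29465, 33144),
                         (12, 29469, 33163), (13, 29473, 33177), (13, 29477, 33220)]
] + [
    "Aug 4 11:17:13 saiwanho sshd[29477]: Received disconnect from 210.21.24.13: 11: Bye Bye",
    "Aug 4 11:20:00 saiwanho sshd[29500]: Failed password for root from 192.0.2.7 port 40000 ssh2",
]

if __name__ == "__main__":
    print(would_ban(SAMPLE))
```

Feed it the lines exactly as they appear in the log file: a line that has been wrapped after "from", as in a mail client, no longer matches and is silently skipped.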