
Looking through the sshd logs, there is a remote machine which appears to be attacking my server. Here is an example of an entry. It is always the same IP.

May 8 17:57:32 [removed] sshd[99267]: Unable to negotiate with 37.49.226.19 port 42302: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

I have installed fail2ban, but it doesn't seem like it is blocking this IP.

How can I resolve this problem?

Comments:
  • This seems tightly related to your previous question -- linking it in. Commented May 8, 2020 at 17:04
  • @JeffSchaller It is, although I've got fail2ban working, and it is banning IPs when they fail with password attempts. Commented May 8, 2020 at 17:06

1 Answer


Normally fail2ban doesn't act on this kind of attack; to make fail2ban act on these, you need to set the mode to aggressive in your jail in /etc/fail2ban/jail.local,

like this:

    [sshd]
    # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
    # normal (default), ddos, extra or aggressive (combines all).
    # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
    enabled = true
    mode = aggressive
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s

For more protection you can permanently ban persistent attackers with the recidive jail, like this:

    [recidive]
    enabled = true
    logpath = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime = 1y
    findtime = 1d
    maxretry = 2

References:

https://github.com/fail2ban/fail2ban/pull/1209

https://wiki.archlinux.org/index.php/Fail2ban
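As an added illustration (not code from the answer above or from fail2ban itself), the following Python script models what the `mode` setting changes: in normal mode only password failures count toward a ban, while the ddos/aggressive modes also count the "Unable to negotiate ... no matching key exchange method found" lines from the question. The regexes are simplified approximations written from the log lines shown, not the real patterns in filter.d/sshd.conf; the log lines are constructed (the first is the one from the question, the rest are made up); and the year 2020 is assumed because syslog timestamps omit it.

```python
"""Simplified model of fail2ban's sshd jail: which log lines count as a
failure in 'normal' vs 'ddos'/'aggressive' mode, and when a host gets banned.

Added example, not fail2ban's own code. The regexes below are approximations
written from the log lines in the question, not copied from filter.d/sshd.conf.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real traffic). The first line is
# the one from the question; the others are made up to exercise the logic.
SAMPLE_LOG = """\
May  8 17:57:32 host sshd[99267]: Unable to negotiate with 37.49.226.19 port 42302: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
May  8 17:57:33 host sshd[99268]: Unable to negotiate with 37.49.226.19 port 42310: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May  8 17:57:35 host sshd[99269]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May  8 17:57:40 host sshd[99270]: Unable to negotiate with 37.49.226.19 port 42320: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May  8 17:57:41 host sshd[99271]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
May  8 17:57:45 host sshd[99272]: Unable to negotiate with 37.49.226.19 port 42330: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May  8 17:57:50 host sshd[99273]: Unable to negotiate with 37.49.226.19 port 42340: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
"""

# Failure patterns; each captures the offending client address as 'host'.
NORMAL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
]
# The pre-auth negotiation failure from the question is only counted in the
# ddos/aggressive modes (approximation of fail2ban's behaviour).
DDOS_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Unable to negotiate with (?P<host>\S+) port \d+: "
               r"no matching (?:key exchange method|host key type|cipher) found"),
]
MODES = {
    "normal": NORMAL_PATTERNS,
    "ddos": DDOS_PATTERNS,
    "aggressive": NORMAL_PATTERNS + DDOS_PATTERNS,
}

SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
ASSUMED_YEAR = 2020  # assumption: syslog timestamps carry no year; the question dates from May 2020


def parse_ts(line):
    """Parse the leading syslog timestamp, or return None if the line has none."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']} {ASSUMED_YEAR}",
                             "%b %d %H:%M:%S %Y")


def failures(log_text, mode):
    """Yield (timestamp, host) for every line the given mode treats as a failure."""
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        for pat in MODES[mode]:
            m = pat.search(line)
            if m:
                yield ts, m["host"]
                break


def count_matches(log_text, mode):
    """Number of matching failure lines per host for the given mode."""
    counts = defaultdict(int)
    for _, host in failures(log_text, mode):
        counts[host] += 1
    return dict(counts)


def simulate(log_text, mode, maxretry=5, findtime=600):
    """Return the hosts a jail with these settings would ban, in ban order.

    A host is banned once 'maxretry' failures fall within 'findtime' seconds
    (sliding window), mirroring the jail parameters of the same names.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in failures(log_text, mode):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for mode in ("normal", "ddos", "aggressive"):
        print(f"{mode:10} matches={count_matches(SAMPLE_LOG, mode)} banned={simulate(SAMPLE_LOG, mode)}")
```

Run as-is: in normal mode the attacker's five negotiation failures produce no matches at all (which is why the jail stayed silent), while in ddos or aggressive mode the same lines reach the default maxretry of 5 within 20 seconds and the address is banned. To check what the real filter does with your own log, the same idea is what fail2ban's own test tool `fail2ban-regex` exists for; the script above is only a model of the counting logic.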
