Jerry Stuckle <jstuckle@attglobal.net> writes:
<snipped previous context>
OK, that makes a lot of sense. However, there are two problems with
fail2ban, also. The first one is that it requires an authentication failure.
Port probing will not trigger it (but recent can). The second is that
it depends on log entries, which can be buffered. I have it monitoring
my email (smtp/imap/pop3) ports. Even though it is set to trigger after
two failures, I have seen as many as 50+ failures logged from the same
IP address within seconds before fail2ban is triggered.
To address your first problem with fail2ban, the sshd-ddos filter for
fail2ban does not require authentication failures. sshd will log a
message of the form "Did not receive identification string from <IP>" if
someone makes a TCP connection and then disconnects without going
through the SSH handshake.
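Added example (not from this thread and not fail2ban's own code): a small Python model of what the sshd-ddos filter does, counting sshd's "Did not receive identification string" lines per source address inside a findtime window and reporting the addresses that reach maxretry. The log lines are constructed, and the regex assumes the usual syslog line format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the pre-auth disconnect sshd logs when a client connects and drops
# without completing the SSH handshake (the line the sshd-ddos filter keys on).
SSHD_DDOS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>[\d.]+)"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; assume one for the constructed sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, maxretry=2, findtime=600):
    """Return {ip: ban_time} for addresses with >= maxretry matches inside
    any findtime-second window, sliding the window as fail2ban does."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still in the window
    banned = {}
    for line in lines:
        m = SSHD_DDOS_RE.match(line)
        if not m:
            continue              # auth failures etc. belong to other filters
        ip, when = m["ip"], parse_ts(m["ts"])
        if ip in banned:
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()           # forget matches older than the window
        if len(q) >= maxretry:
            banned[ip] = when
    return banned

# Constructed sample: one probe from 203.0.113.5, three from 198.51.100.7 (TEST-NET ranges).
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Did not receive identification string from 203.0.113.5
Mar  4 10:00:02 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
Mar  4 10:00:03 host sshd[1003]: Did not receive identification string from 198.51.100.7
Mar  4 10:00:04 host sshd[1004]: Did not receive identification string from 198.51.100.7
Mar  4 10:00:05 host sshd[1005]: Did not receive identification string from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the default maxretry of 2 only 198.51.100.7 is reported, at the second matching line; the "Failed password" line is ignored by this filter, which is why the auth-failure count and the probe count are tracked separately.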