# com.jcraft.jsch ssh attempts - fail2ban?

## audiodef

I see this in /var/log/messages:

```

Jan 17 00:07:48 (servername) sshd[28590]: error: Received disconnect from 85.111.38.130 port 55986:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

```

What is this? Found something about ssh over java. Since I don't do that, I'm thinking I'd like to have a fail2ban jail monitor for this and ban IP addresses doing this. How would I write such a jail?

----------

## eccerr0r

I believe that string is user defined before they disconnect...   Since they already tried to connect, the damage is already done.

I don't think it really matters what they put there, it's all not authorized.

These are the close strings of the last thousand or so ssh disconnects I had on my server

```
    376  Bye Bye [preauth]

      1  Closed due to user request.

    167  Closed due to user request. [preauth]

     83  disconnected by user

      4  disconnect [preauth]

      5  java.net.SocketTimeoutException: Read timed out [preauth]

      1  PECL/ssh2 (AITCHTEETEEPEE:pecl.php.net/packages/ssh2) [preauth]

    814   [preauth]

      2  User request [preauth]

```

note that AITCHTEETEEPEE: is http:// in my logfile, and I didn't want it to autolink and pollute google.  note that the vast majority is "blank" ... not much can be done to filter these.  (and I would suspect some of these may be me aborting my own ssh connections.)

----------

