# A question about fail2ban filters

## marckn

Hi everyone, 

I've just moved to fail2ban+iptables after my old server died (wow, now I'm really leaving old x86_32 behind).

Now... I think it works like a charm but I see that fail2ban is not detecting preauth:

```
May 16 04:56:43 nas sshd[11460]: SSH: Server;Ltype: Version;Remote: 222.89.166.12-60200;Protocol: 2.0;Client: PUTTY
May 16 04:56:44 nas sshd[11460]: SSH: Server;Ltype: Kex;Remote: 222.89.166.12-60200;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
May 16 04:56:45 nas sshd[11460]: Received disconnect from 222.89.166.12: 11:  [preauth]
```

I guess this is not really a failed login attempt and so it is not considered a threat, but I'd like to make sure of this point. So, what's happening exactly when I get these three entries in my log? Is it still a malicious action coming from someone? If so, what's the point? Just probing? And if it's malicious and s/he is probing, why not ban him outright?

Just a curiosity.... I don't think the cutting-edge, world-changing technologies being developed in my home network are in danger of being exposed :Laughing: :Laughing:

Bye,

   Marco

----------

