# fail2ban - or something different?

## seVes

Hi guys,

I have a dedicated server, which contains several gameservers including a large forum.

I was going to protect this server and I think it's working very well - so far. :Wink:

iptables is looking good, same as fail2ban, but finally I have one more thing that I want to solve.

How can I ban/drop the current connections to my openssh?

It allows only a range of specific users, a highly setup from ciphers and publickey.

password-auth is disabled.

Someone (IP varies) tries to connect or DDoS or whatever (I don't know), but I want to keep them off. :Razz:

auth.log

```
2014-05-15T21:55:56.685478+02:00 localhost sshd[948]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-56124;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:55:56.982864+02:00 localhost sshd[948]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-56124;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:55:57.953608+02:00 localhost sshd[948]: Bad packet length 1048896806. [preauth]
2014-05-15T21:57:42.979844+02:00 localhost sshd[1031]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-38580;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:57:43.279260+02:00 localhost sshd[1031]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-38580;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:57:44.254027+02:00 localhost sshd[1031]: Bad packet length 2415357948. [preauth]
2014-05-15T21:59:31.060305+02:00 localhost sshd[1125]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-49271;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:59:31.356239+02:00 localhost sshd[1125]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-49271;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:59:32.323148+02:00 localhost sshd[1125]: Bad packet length 3256658487. [preauth]
2014-05-15T22:01:20.377066+02:00 localhost sshd[1320]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-59956;Protocol: 2.0;Client: libssh-0.2
2014-05-15T22:01:20.678677+02:00 localhost sshd[1320]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-59956;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T22:01:21.660952+02:00 localhost sshd[1320]: Bad packet length 4235625523. [preauth]
```

Is there a way to make a regex for fail2ban which matches 2 lines instead of one? Because the banning IP is in the line above, while the match code (bad packet length) is in the second?

Or do you know some other ways?

THANKS for helping!

----------
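The question above needs the IP from one log line and the failure from a later one. As an added example (not from the thread and not fail2ban's or sshguard's own code), the two can be joined on the sshd PID rather than on line adjacency, which stays correct when other connections log in between. The function name, thresholds and sample lines are constructed for illustration, and only IPv4 peers are handled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout from the auth.log excerpt: "<ISO timestamp> <host> sshd[<pid>]: <message>"
LINE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REMOTE = re.compile(r"Ltype: Version;Remote: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})-\d+;")
BAD = re.compile(r"^Bad packet length \d+\.")

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with >= maxretry 'Bad packet length' events inside findtime."""
    pid_to_ip = {}            # pid -> peer IP seen on that process's Version line
    hits = defaultdict(list)  # ip  -> timestamps of attributed bad-packet events
    offenders = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue          # blank or non-sshd line
        ts = datetime.fromisoformat(m["ts"])
        remote = REMOTE.search(m["msg"])
        if remote:
            pid_to_ip[m["pid"]] = remote["ip"]   # newest connection wins on PID reuse
        elif BAD.match(m["msg"]):
            ip = pid_to_ip.pop(m["pid"], None)
            if ip is None:
                continue      # failure with no known peer: do not guess an IP
            hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]
            if len(hits[ip]) >= maxretry and ip not in offenders:
                offenders.append(ip)
    return offenders

# Constructed sample in the post's format; addresses are documentation ranges.
SAMPLE = """\
2014-05-15T21:55:56.685478+02:00 localhost sshd[948]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-56124;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:55:56.900000+02:00 localhost sshd[950]: SSH: Server;Ltype: Version;Remote: 198.51.100.9-40000;Protocol: 2.0;Client: OpenSSH_6.6
2014-05-15T21:55:57.953608+02:00 localhost sshd[948]: Bad packet length 1048896806. [preauth]
2014-05-15T21:57:42.979844+02:00 localhost sshd[1031]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-38580;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:57:44.254027+02:00 localhost sshd[1031]: Bad packet length 2415357948. [preauth]
2014-05-15T21:59:31.060305+02:00 localhost sshd[1125]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-49271;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:59:32.323148+02:00 localhost sshd[1125]: Bad packet length 3256658487. [preauth]
2014-05-15T21:59:40.000000+02:00 localhost sshd[2000]: Bad packet length 12345. [preauth]
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

In the sample, the line directly above the first failure belongs to a different peer (PID 950), so matching on "the previous line" would attribute the failure to the wrong address.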

## Maitreya

You should have a look at sshguard, it is in portage too!

http://www.sshguard.net/

----------

## 666threesixes666

Look at the wikis for both packages. I told the douche nozzles upstream about it and they told me to shove it. I warned Arch about this behavior of fail2ban also. It's a good idea but they've repeatedly run into that. The issue is years old..... years....

https://wiki.gentoo.org/wiki/Sshguard

https://wiki.gentoo.org/wiki/Fail2ban

----------

