I would like to create a specific sshd rule, but i am really a noob

I am a complete noob regarding creation of crowdsec rules…

i have those logs regarding sshd attemps:

sshd[88934]: Unable to negotiate with xxx.xxx.xxx.xxx port 35026: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

How to create a rules for the bouncer to ban thos xxx IP when they use those kind of tricks…


This type of logs is not currently supported by the SSH parser, you will need to update it. You can have a look here to see how to create a new parser (in this case, you’ll likely want to modify the existing one, be aware that this will prevent it from being automatically updated when running cscli hub upgrade).

You will also likely need a new scenario to detect this new behaviour: Creating scenarios | CrowdSec