Parser sshd for sshd "refused connect from" is missing per default

zoe · December 11, 2024, 4:00pm

Migrating from fal2ban I found out that fail2ban blocks sshd-Attempts, but crowdsec does not.

The Debian system has /etc/hosts.allow and /hosts.deny
fail2ban blocks hosts in the firewall which are denied by these files.
fail2ban has default rules.
This is the expected reaction.

My crowdsec uses default rules.
After investigation the detail ist the following:

cscli explain --log “2024-12-10T05:22:17.372710+00:00 myhost sshd[12345 ]: refused connect from foreign.host.com (1.2.3.4)” --type syslog --debug

shows that the log line is ignored and any next steps of crowdsec will not happen.
This is not the expected result and makes my crowdsec more unsave than my fal2ban.

Is there a default solution for this problem?

Thank you,
Zoe

iiAmLoz · December 16, 2024, 11:37am

Hey you are correct this is not handled by default, I just create a request to merge into the parser so the default collection will be able to parse these by default:

Topic		Replies	Views
Sshd and google authenticator, parser fails?	3	839	March 3, 2022
I would like to create a specific sshd rule, but i am really a noob crowdsec	1	603	July 8, 2022
SSHD detection not working? crowdsec	27	2338	December 9, 2021
Sshd-logs parser: problems with log files	3	1629	November 10, 2022
New setup - right setup? crowdsec	4	941	November 8, 2023

Parser sshd for sshd "refused connect from" is missing per default

Related topics