Parser sshd for sshd "refused connect from" is missing per default

zoe · December 11, 2024, 4:00pm

Migrating from fal2ban I found out that fail2ban blocks sshd-Attempts, but crowdsec does not.

The Debian system has /etc/hosts.allow and /hosts.deny
fail2ban blocks hosts in the firewall which are denied by these files.
fail2ban has default rules.
This is the expected reaction.

My crowdsec uses default rules.
After investigation the detail ist the following:

cscli explain --log “2024-12-10T05:22:17.372710+00:00 myhost sshd[12345 ]: refused connect from foreign.host.com (1.2.3.4)” --type syslog --debug

shows that the log line is ignored and any next steps of crowdsec will not happen.
This is not the expected result and makes my crowdsec more unsave than my fal2ban.

Is there a default solution for this problem?

Thank you,
Zoe

iiAmLoz · December 16, 2024, 11:37am

Hey you are correct this is not handled by default, I just create a request to merge into the parser so the default collection will be able to parse these by default:

Cyrille37 · May 14, 2025, 9:43am

Hi
This feature has been merged enhance: Add sshd refused connection based on hosts.deny by LaurenceJJones · Pull Request #1192 · crowdsecurity/hub · GitHub

Thanks a lot for that really great tool and its community

Topic		Replies	Views
Sshd and google authenticator, parser fails?	3	853	March 3, 2022
I would like to create a specific sshd rule, but i am really a noob crowdsec	1	613	July 8, 2022
SSHD detection not working? crowdsec	27	2539	December 9, 2021
Sshd-logs parser: problems with log files	3	1895	November 10, 2022
New setup - right setup? crowdsec	4	1038	November 8, 2023

Parser sshd for sshd "refused connect from" is missing per default

Related topics