Hi,
I’m comparing crowdsec with fail2ban and find it seems much less effective for blocking failed ssh attempts.
On my machine I use google authenticator for 2 factor authentication. Can this be the cause of the parser failing?
Looking at the decisions list I see just one or maybe 2 out of a hundred IPs that should have been blocked.
Any hints on how to fix this?
Thanks in advance
Michael
Example:
$ grep "Disconnected from invalid user" /var/log/auth.log | sort -u | tail
Feb 19 08:47:40 myhost sshd[3228]: Disconnected from invalid user facturacion 92.255.85.135 port 20432 [preauth]
Feb 19 09:05:23 myhost sshd[3255]: Disconnected from invalid user filial76 92.255.85.237 port 25884 [preauth]
Feb 19 09:24:20 myhost sshd[3285]: Disconnected from invalid user fiscal 92.255.85.237 port 17090 [preauth]
Feb 19 09:43:26 myhost sshd[3299]: Disconnected from invalid user francis 92.255.85.237 port 34378 [preauth]
Feb 19 10:00:28 myhost sshd[3321]: Disconnected from invalid user frank 92.255.85.135 port 34530 [preauth]
Feb 19 10:19:29 myhost sshd[3336]: Disconnected from invalid user ftp 92.255.85.237 port 20680 [preauth]
Feb 19 10:38:14 myhost sshd[3355]: Disconnected from invalid user ftp 92.255.85.135 port 26138 [preauth]
Feb 19 11:05:40 myhost sshd[3386]: Disconnected from invalid user ftp1 92.255.85.135 port 60734 [preauth]
Feb 19 11:24:14 myhost sshd[3423]: Disconnected from invalid user ftp1 92.255.85.237 port 23848 [preauth]
Feb 19 11:42:42 myhost sshd[4826]: Disconnected from invalid user ftp_id 92.255.85.135 port 36104 [preauth]
$ cscli explain --file /var/log/auth.log --type sshd | head -100
line: Feb 18 18:37:15 myhost sshd[1630]: User root from 193.239.232.101 not allowed because not listed in AllowUsers
├ s00-raw
| ├ crowdsecurity/non-syslog (first_parser)
| └ crowdsecurity/syslog-logs
├ s01-parse
| ├ crowdsecurity/pkexec-logs
| └ crowdsecurity/sshd-logs
└-------- parser failure
line: Feb 18 19:59:47 myhost sshd[1846]: Received disconnect from 92.255.85.135 port 35308:11: Bye Bye [preauth]
├ s00-raw
| ├ crowdsecurity/non-syslog (first_parser)
| └ crowdsecurity/syslog-logs
├ s01-parse
| ├ crowdsecurity/pkexec-logs
| └ crowdsecurity/sshd-logs
└-------- parser failure
line: Feb 18 18:29:52 myhost sshd[1589]: pam_unix(sshd:auth): check pass; user unknown
├ s00-raw
| ├ crowdsecurity/non-syslog (first_parser)
| └ crowdsecurity/syslog-logs
├ s01-parse
| ├ crowdsecurity/pkexec-logs
| └ crowdsecurity/sshd-logs
└-------- parser failure
line: Feb 18 18:52:08 myhost sshd(pam_google_authenticator)[1737]: Invalid verification code for cisco
├ s00-raw
| ├ crowdsecurity/non-syslog (first_parser)
| └ crowdsecurity/syslog-logs
├ s01-parse
| ├ crowdsecurity/pkexec-logs
| └ crowdsecurity/sshd-logs
└-------- parser failure
line: Feb 18 21:26:09 myhost sshd[1959]: error: kex_exchange_identification: Connection closed by remote host
├ s00-raw
| ├ crowdsecurity/non-syslog (first_parser)
| └ crowdsecurity/syslog-logs
├ s01-parse
| ├ crowdsecurity/pkexec-logs
| └ crowdsecurity/sshd-logs
└-------- parser failure
$ cscli decisions list
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+
| ID | SOURCE   | SCOPE:VALUE      | REASON               | ACTION | COUNTRY | AS                    | EVENTS | EXPIRATION         | ALERT ID |
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+
| 1  | crowdsec | Ip:89.185.85.253 | crowdsecurity/ssh-bf | ban    | RU      | 39735 Permtelecom Ltd | 6      | 3h39m23.782335551s | 1        |
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+
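To make the parsing problem in the post concrete, here is an added stand-alone Python script (it is not part of the post and not a CrowdSec parser; the message patterns, the choice of which messages count as an auth failure, and the ban threshold are illustrative assumptions). It splits the syslog prefix so that a program field such as sshd(pam_google_authenticator)[1737] is still recognised as sshd, extracts the source IP from the message kinds quoted above that carry one, and aggregates failures per IP. The sample log is constructed from the lines quoted in the post. It also shows why the google-authenticator line on its own cannot lead to a decision: "Invalid verification code for cisco" names the user but no peer address, so nothing can be attributed to an IP from that line alone.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log lines quoted in the post (not the original file).
SAMPLE_LOG = """\
Feb 19 08:47:40 myhost sshd[3228]: Disconnected from invalid user facturacion 92.255.85.135 port 20432 [preauth]
Feb 19 09:05:23 myhost sshd[3255]: Disconnected from invalid user filial76 92.255.85.237 port 25884 [preauth]
Feb 19 09:24:20 myhost sshd[3285]: Disconnected from invalid user fiscal 92.255.85.237 port 17090 [preauth]
Feb 19 09:43:26 myhost sshd[3299]: Disconnected from invalid user francis 92.255.85.237 port 34378 [preauth]
Feb 19 10:00:28 myhost sshd[3321]: Disconnected from invalid user frank 92.255.85.135 port 34530 [preauth]
Feb 19 10:19:29 myhost sshd[3336]: Disconnected from invalid user ftp 92.255.85.237 port 20680 [preauth]
Feb 19 10:38:14 myhost sshd[3355]: Disconnected from invalid user ftp 92.255.85.135 port 26138 [preauth]
Feb 19 11:05:40 myhost sshd[3386]: Disconnected from invalid user ftp1 92.255.85.135 port 60734 [preauth]
Feb 19 11:24:14 myhost sshd[3423]: Disconnected from invalid user ftp1 92.255.85.237 port 23848 [preauth]
Feb 19 11:42:42 myhost sshd[4826]: Disconnected from invalid user ftp_id 92.255.85.135 port 36104 [preauth]
Feb 18 18:37:15 myhost sshd[1630]: User root from 193.239.232.101 not allowed because not listed in AllowUsers
Feb 18 19:59:47 myhost sshd[1846]: Received disconnect from 92.255.85.135 port 35308:11: Bye Bye [preauth]
Feb 18 18:29:52 myhost sshd[1589]: pam_unix(sshd:auth): check pass; user unknown
Feb 18 18:52:08 myhost sshd(pam_google_authenticator)[1737]: Invalid verification code for cisco
Feb 18 21:26:09 myhost sshd[1959]: error: kex_exchange_identification: Connection closed by remote host
"""

# Syslog prefix. The program field may carry a parenthesised PAM module name, which is
# exactly what the google-authenticator line looks like: sshd(pam_google_authenticator)[1737]
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_./-]+)(?:\((?P<module>[^)]*)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (kind, counts as an auth failure, pattern). The classification is an illustrative assumption.
MSG_PATTERNS = [
    ("invalid_user", True,
     re.compile(r"^Disconnected from invalid user (?P<user>\S+) (?P<ip>[0-9a-fA-F.:]+) port \d+")),
    ("user_not_allowed", True,
     re.compile(r"^User (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) not allowed")),
    # A plain disconnect attributes an IP but is not by itself an auth failure.
    ("disconnect", False,
     re.compile(r"^Received disconnect from (?P<ip>[0-9a-fA-F.:]+) port \d+")),
    # The OTP failure names the user but no peer address: it cannot be attributed to an IP alone.
    ("otp_failure", True,
     re.compile(r"^Invalid verification code for (?P<user>\S+)")),
]


def parse_line(line):
    """Return a dict describing the event, or None when the line is not an sshd syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "sshd":
        return None
    event = {"ts": m.group("ts"), "module": m.group("module"), "pid": int(m.group("pid")),
             "kind": "unmatched", "user": None, "ip": None, "failure": False}
    msg = m.group("msg")
    for kind, is_failure, rx in MSG_PATTERNS:
        mm = rx.match(msg)
        if mm:
            groups = mm.groupdict()
            event.update(kind=kind, failure=is_failure, user=groups.get("user"), ip=groups.get("ip"))
            break
    return event


def failures_by_ip(log_text):
    """Count attributable auth failures per source IP.

    Returns (per_ip Counter, number of failures with no IP, list of lines no pattern matched).
    """
    per_ip = Counter()
    unattributed = 0
    unparsed = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["kind"] == "unmatched":
            unparsed.append(line)
            continue
        if ev["failure"]:
            if ev["ip"]:
                per_ip[ev["ip"]] += 1
            else:
                unattributed += 1
    return per_ip, unattributed, unparsed


def offenders(log_text, threshold):
    """IPs with at least `threshold` attributable failures, most active first (threshold is arbitrary)."""
    per_ip, _, _ = failures_by_ip(log_text)
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    per_ip, unattributed, unparsed = failures_by_ip(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:>16}  failures={n}")
    print(f"failures without an IP (cannot be banned from this line alone): {unattributed}")
    print(f"lines no pattern matched: {len(unparsed)}")
    print("would ban:", offenders(SAMPLE_LOG, 5))
```

Run against the sample, the two 92.255.85.x addresses each reach five attributable failures while the OTP failure and the two informational lines (pam_unix "user unknown", kex_exchange_identification) contribute nothing to any IP. That split, attributable versus not, is the first thing to check when comparing a decisions list against what the raw log suggests.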