Your message dated Thu, 2 May 2024 13:57:42 +0200
with message-id <[email protected]>
and subject line
has caused the Debian Bug report #862348,
regarding fail2ban: fails to filter systemd ssh daemon entries form journal : typo
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
862348: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862348
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.9.6-2
Severity: normal

Dear Maintainer,

I get, on a systemd/journald system:

    fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed: 1
    |  `- File list: /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned: 0
       `- Banned IP list:

it looks to me as though even if /var/log/auth.log is told, journald is
properly made use of but fails per the service name on debian is
ssh.service not sshd.service.

locally I replaced sshd.service by ssh.service:

from:
    journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
to:
    journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

and now fail2ban status sshd "filter" does not report as failed and I get
blacklisted IPs.

Best regards
Alban

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
pn  python3:any          <none>

Versions of packages fail2ban recommends:
ii  iptables           1.6.0+snapshot20161117-6
ii  python             2.7.13-2
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    233-1
ii  whois              5.2.14

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20160123cvs-4
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.24.0-1

-- Configuration Files:
/etc/fail2ban/action.d/shorewall.conf changed:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = shorewall <blocktype> <ip>
actionunban = shorewall allow <ip>
[Init]
blocktype = drop

/etc/fail2ban/filter.d/sshd-ddos.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
            ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
ignoreregex =
[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

-- no debconf information
--- End Message ---
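The mismatch the report describes (a filter whose journalmatch names sshd.service on a host whose OpenSSH unit is ssh.service) can be caught before fail2ban silently matches nothing. The following is an added example, not code from the bug report or from the fail2ban project: it parses the [Init] section of a filter, lists the _SYSTEMD_UNIT values the journalmatch refers to and reports those absent from the host's unit list. The sample filter text, the DEBIAN_UNITS set and all function names are this example's own constructions; the only external call is `systemctl list-units`, used when it is available and otherwise replaced by the constructed unit set.

```python
"""Check the systemd unit names in fail2ban 'journalmatch' settings.

Added example (not part of fail2ban): when a jail reads the journal, a
journalmatch that names a unit which does not exist on the host selects
no entries, so the filter never sees a failed login. This parses the
[Init] section of a filter, lists the _SYSTEMD_UNIT values it matches
on and reports those absent from the host's service units.
"""
import configparser
import re
import shutil
import subprocess

# Constructed sample filter in fail2ban's ini style: the upstream form of
# filter.d/sshd.conf (sshd.service), trimmed to a single failregex.
SAMPLE_UPSTREAM = r"""
[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sFailed \S+ for .* from <HOST>\s*$
ignoreregex =

[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
"""

# The same filter with the reporter's change applied (ssh.service).
SAMPLE_DEBIAN = SAMPLE_UPSTREAM.replace(
    "_SYSTEMD_UNIT=sshd.service", "_SYSTEMD_UNIT=ssh.service")

# Constructed stand-in for the loaded service units of a Debian host,
# where the OpenSSH daemon runs as ssh.service.
DEBIAN_UNITS = {"ssh.service", "cron.service", "rsyslog.service"}


def journalmatch_units(conf_text):
    """Return the sorted _SYSTEMD_UNIT values named in [Init] journalmatch.

    interpolation=None is required: fail2ban's %(__prefix_line)s is its own
    substitution syntax, not configparser's, and would otherwise raise.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("Init", "journalmatch", fallback="")
    # A journalmatch holds FIELD=value terms; fail2ban documents '+' as a
    # logical OR between groups of terms. Only the unit names matter here.
    return sorted(set(re.findall(r"_SYSTEMD_UNIT=(\S+)", value)))


def missing_units(conf_text, units):
    """Units the filter matches on that are not in the host's unit set."""
    return [u for u in journalmatch_units(conf_text) if u not in units]


def rewrite_unit(conf_text, old, new):
    """Return conf_text with _SYSTEMD_UNIT=old replaced by _SYSTEMD_UNIT=new.

    The _SYSTEMD_UNIT= token occurs only in journalmatch lines, so a plain
    substitution leaves failregex and the other settings untouched.
    """
    return re.sub(r"_SYSTEMD_UNIT=" + re.escape(old),
                  "_SYSTEMD_UNIT=" + new, conf_text)


def live_units():
    """Loaded service unit names from systemctl, or None when unavailable."""
    if shutil.which("systemctl") is None:
        return None
    proc = subprocess.run(
        ["systemctl", "list-units", "--all", "--type=service",
         "--no-legend", "--plain", "--no-pager"],
        capture_output=True, text=True, check=False)
    return {line.split()[0] for line in proc.stdout.splitlines() if line.strip()}


if __name__ == "__main__":
    # Prefer the real unit list; fall back to the constructed Debian set.
    units = live_units() or DEBIAN_UNITS
    for label, text in (("upstream", SAMPLE_UPSTREAM), ("debian", SAMPLE_DEBIAN)):
        absent = missing_units(text, units)
        status = "no matching unit: " + ", ".join(absent) if absent else "ok"
        print("%-8s journalmatch units %s -> %s"
              % (label, journalmatch_units(text), status))
```

Run against a real host, the script reports "no matching unit: sshd.service" for the upstream filter on Debian and "ok" once the unit name is corrected; `rewrite_unit` performs exactly the one-token change the reporter made by hand, which is a safer edit than re-typing a failregex block.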