0.7.5-2 in etch must be capable of parsing that line. Here it is:

,--
| (git)~.m/deb/gits/fail2ban:[tags/debian/0.7.5-2full]
| $> fail2ban-regex 'Failed password for chloe from 12.34.56.78 port 58531 ssh2' '(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>'
|
| Running tests
| =============
|
| Use regex line : (?:(?:Authentication failure|Failed [-/\w+]+) for(...
| Use single line: Failed password for chloe from 12.34.56.78 port 58...
|
| Found a match but no valid date/time found for Failed password for chloe from 12.34.56.78 port 58531 ssh2. Please contact the author in order to get support for this format
|
| Results
| =======
|
| Failregex
| |- Regular expressions:
| |  [1] (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>
| |
| `- Number of matches:
|    [1] 0 match(es)
|
`---

Since regexp in sshd filter is not anchored at the end -- fail2ban
should be fine without explicit port ssh2 suffix. Tentative security fix
will have those 'ending' suffixes.

I would like to close this bug, unless you confirm that indeed it fails
due to incorrect regexp or some other cause: sample of auth.log +
corresponding fail2ban.log lines for the same date/times would prove
that something is going wrong. Also if having your failregex does fix
the problem for you it is interesting to have your complete original
(vanilla) sshd.conf and then after your modification.


Thanks in advance

On Thu, 22 Nov 2007, Chloé Desoutter wrote:

> Package: fail2ban
> Version: 0.7.5-2
> Severity: important
> Tags: patch
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        
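
The end-anchoring point from the message above, as an added example (not part of the original e-mail and not fail2ban's own code): the quoted failregex is run with Python's `re` against the sample line with and without the `port 58531 ssh2` tail, next to an end-anchored variant. The `<HOST>` expansion and the anchoring suffix are simplified assumptions, not the patterns fail2ban ships.

```python
import re

# Failregex exactly as quoted in the fail2ban-regex run above.
FAILREGEX = (
    r"(?:(?:Authentication failure|Failed [-/\w+]+) for(?: "
    r"[iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) "
    r".*(?: from|FROM) <HOST>"
)

# Assumption: simplified stand-in for fail2ban's own <HOST> expansion.
HOST_GROUP = r"(?P<host>\S+)"

# Assumption: hypothetical 'ending' suffix that anchors the match at end of line.
END_SUFFIX = r"(?: port \d+)?(?: ssh\d*)?\s*$"

# Constructed sample lines (message part only, no syslog timestamp).
SAMPLES = {
    "full": "Failed password for chloe from 12.34.56.78 port 58531 ssh2",
    "no_suffix": "Failed password for chloe from 12.34.56.78",
    "trailing": "Failed password for chloe from 12.34.56.78 port 58531 ssh2 "
                "(constructed trailing text)",
}


def compile_failregex(failregex, suffix=""):
    """Expand <HOST> and optionally append an end-of-line suffix."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP) + suffix)


def find_host(pattern, line):
    """Return the captured host, or None when the line does not match."""
    match = pattern.search(line)
    return match.group("host") if match else None


def compare():
    """Map each sample name to (unanchored host, end-anchored host)."""
    loose = compile_failregex(FAILREGEX)
    strict = compile_failregex(FAILREGEX, END_SUFFIX)
    return {name: (find_host(loose, line), find_host(strict, line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose_host, strict_host) in compare().items():
        print(f"{name:10} unanchored={loose_host} anchored={strict_host}")
```

The unanchored pattern captures the host in all three lines; the anchored variant still accepts the line with and without the suffix but rejects the one whose tail it does not describe.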


