I used to have F2B running on OpenSuse 13.1, which was working well.
Recently I rebuilt and went up to OpenSuse 13.2 - after restoring the same
fail2ban config files and running a few tests, I am unable to get f2b to ban IP
addresses.
First, OpenSuse 13.2 now uses journalctl, so I had to install rsyslogd - events
are now logged to /var/log/messages:
2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 12478 ssh2
2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 221.235.188.206 port 15103 ssh2 [preauth]
2014-11-24T19:19:15.407958-05:00 suse sshd[26626]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 15097 ssh2
2014-11-24T19:19:15.742867-05:00 suse sshd[26626]: Postponed keyboard-interactive for root from 221.235.188.206 port 15097 ssh2 [preauth]
2014-11-24T19:19:16.887324-05:00 suse sshd[26616]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 13317 ssh2
2014-11-24T19:19:17.268403-05:00 suse sshd[26638]: Postponed keyboard-interactive for root from 221.235.188.206 port 16562 ssh2 [preauth]
My jail.local file:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath  = /var/log/messages
maxretry = 5
I've run it through fail2ban-regex:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/messages
Results
=======
Failregex: 18738 total
|- #) [# of hits] regular expression
| 1) [12483] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
| 2) [6] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| 3) [6246] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
| 5) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [44445] ISO 8601
`-
Lines: 44445 lines, 0 ignored, 18738 matched, 25707 missed
Missed line(s): too many to print. Use --print-all-missed to print all 25707 lines
Could it be a problem with the default regex in the filter.d/sshd.conf file?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
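An added Python check, not from the post or from fail2ban itself, that applies failregex 3 and 5 from the output above (with fail2ban's <HOST> expansion) to lines in the same rsyslog format; the sample log is constructed from the lines quoted in the post plus one made-up "Invalid user" line, and the date stripping is a simplified stand-in for what fail2ban does before matching. It shows that the "Failed keyboard-interactive/pam" lines do match, while "Postponed ..." lines land in the missed count without being failures, so a large missed count by itself does not mean the filter is broken.

```python
import re
from collections import Counter

# Constructed sample in the rsyslog format quoted in the post: three lines taken
# from the post plus one "Invalid user" line made up for this example.
SAMPLE_LOG = """\
2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 12478 ssh2
2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 221.235.188.206 port 15103 ssh2 [preauth]
2014-11-24T19:19:15.407958-05:00 suse sshd[26626]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 15097 ssh2
2014-11-24T19:19:20.000000-05:00 suse sshd[26640]: Invalid user admin from 221.235.188.206
"""

# fail2ban cuts the matched timestamp out of the line before trying the failregex;
# this is a simplified stand-in (assumption) for its ISO 8601 date template.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2})?\s*")
# What fail2ban substitutes for the <HOST> placeholder (IPv4, IPv6 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Common prefix shared by every sshd failregex in the post's output (joined back
# onto one line; the mail client wrapped it).
PREFIX = (r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
          r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
          r"\s(?:\[ID \d+ \S+\])?\s*")
# Regex 3 ("Failed ... for ... from <HOST>") and regex 5 ("Invalid user") as printed.
FAILREGEX = [re.compile(PREFIX + rx.replace("<HOST>", HOST)) for rx in (
    r"Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?"
    r'\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$',
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
)]

def match_failure(line):
    """Return the host a failregex extracts from one log line, or None."""
    body = DATE_RE.sub("", line, count=1)
    for rx in FAILREGEX:
        m = rx.match(body)
        if m:
            return m.group("host")
    return None

def count_failures(log_text):
    """Tally matches per host and collect unmatched lines (fail2ban-regex's 'matched'/'missed')."""
    hits, missed = Counter(), []
    for line in log_text.splitlines():
        host = match_failure(line)
        if host:
            hits[host] += 1
        else:
            missed.append(line)
    return hits, missed
```

Running count_failures(SAMPLE_LOG) gives three hits for 221.235.188.206 and one missed line, the "Postponed" one.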