The fail2ban regex shows that it works (at least it shows matches).
Do you have any ignoreip? Because I had a similar problem in fail2ban and it was my ignoreip (I'd used commas as a separator instead of spaces).

Greetings!!

On 25/11/14 at 11:13, Greg McCarthy wrote:
I used to have F2B running on OpenSuse 13.1 which was working well.

Recently rebuilt and gone up to OpenSuse 13.2 - after restoring the same fail2ban config files and running a few tests, I am unable to get f2b to ban IP addresses.

First, OpenSuse 13.2 now uses journalctl, so I had to install rsyslogd; events are now logged to /var/log/messages:

2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 12478 ssh2
2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 221.235.188.206 port 15103 ssh2 [preauth]
2014-11-24T19:19:15.407958-05:00 suse sshd[26626]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 15097 ssh2
2014-11-24T19:19:15.742867-05:00 suse sshd[26626]: Postponed keyboard-interactive for root from 221.235.188.206 port 15097 ssh2 [preauth]
2014-11-24T19:19:16.887324-05:00 suse sshd[26616]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 13317 ssh2
2014-11-24T19:19:17.268403-05:00 suse sshd[26638]: Postponed keyboard-interactive for root from 221.235.188.206 port 16562 ssh2 [preauth]

My jail.local file:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath  = /var/log/messages
maxretry = 5

I've run it through fail2ban-regex:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
Use         log file : /var/log/messages


Results
=======

Failregex: 18738 total
|-  #) [# of hits] regular expression
| 1) [12483] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
| 2) [6] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| 3) [6246] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
| 5) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [44445] ISO 8601
`-

Lines: 44445 lines, 0 ignored, 18738 matched, 25707 missed
Missed line(s): too many to print. Use --print-all-missed to print all 25707 lines


Could it be a problem with the default regex in the filter.d/sshd.conf file?



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


--
------------------------------------------------------------
Daniel Carrasco Marín
Técnicas Territoriales y Urbanas, S.L.
C/ Zurbano 92, 2º, 28003 Madrid
Tfno.: +34 91 571 93 46 (ext. 148) # Fax: +34 91 571 58 72
------------------------------------------------------------
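Added example, not code from either poster or from fail2ban itself: a small Python model of the two things this thread turns on, the sshd failregex match over lines in the rsyslog ISO 8601 format shown above (a cut-down form of failregex 3 with fail2ban's <HOST> placeholder expanded to an IPv4 group, which is my assumption) and an ignoreip check that splits the value on whitespace as fail2ban does, so a comma-joined value becomes one token that matches no address. The sample log lines are constructed and use documentation address ranges.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the rsyslog ISO 8601 format from the thread
# (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 12478 ssh2
2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 203.0.113.7 port 15103 ssh2 [preauth]
2014-11-24T19:19:15.407958-05:00 suse sshd[26626]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 15097 ssh2
2014-11-24T19:19:16.887324-05:00 suse sshd[26616]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 13317 ssh2
2014-11-24T19:19:20.000000-05:00 suse sshd[26700]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
"""

# Cut-down form of failregex 3 from the fail2ban-regex output in the thread,
# with fail2ban's <HOST> placeholder expanded to an IPv4 capture group (assumed).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(
    r"^\S+ \S+ sshd\[\d+\]: Failed \S+ for .*? from " + HOST
    + r"(?: port \d*)?(?: ssh\d*)?\s*$"
)

def parse_ignoreip(value):
    """Split a jail's ignoreip value as fail2ban does: on whitespace, never on commas."""
    return value.split()

def is_ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(host)
    for entry in ignoreip:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # e.g. "127.0.0.1,10.0.0.1" is one unparsable token in this model
    return False

def count_failures(log_text, ignoreip=()):
    """Return {host: matched failure lines}, skipping hosts covered by ignoreip."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m and not is_ignored(m.group("host"), ignoreip):
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(log_text, maxretry=5, ignoreip=""):
    """Hosts that reached maxretry; ignoreip is the raw jail.local value."""
    counts = count_failures(log_text, parse_ignoreip(ignoreip))
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

The "Postponed" lines are not counted, only the "Failed ..." lines are, which is the same split fail2ban-regex reports above as matched versus missed.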

