Good to know it ;)
Greetings!!
On 25/11/14 at 12:28, Greg McCarthy wrote:
It looks like it might be working now - after some more googling I
found a post where someone added this:
sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
I've added that now and it seems IPs are being blocked:
Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/messages
|  |- Currently failed: 1
|  `- Total failed: 11
`- action
   |- Currently banned: 2
   |  `- IP list: 59.175.148.3 133.242.23.126
   `- Total banned: 2
------------------------------------------------------------------------
Date: Tue, 25 Nov 2014 11:35:49 +0100
From: [email protected]
To: [email protected]
Subject: Re: [Fail2ban-users] IP's not being blocked on OpenSuse 13.2
The fail2ban regex shows that it works (at least it shows matches).
Do you have any ignoreip? I had a similar problem in fail2ban
and it was my ignoreip (I'd used commas as separators instead of spaces).
Greetings!!
On 25/11/14 at 11:13, Greg McCarthy wrote:
I used to have F2B running on OpenSuse 13.1, which was working well.
Recently rebuilt and gone up to OpenSuse 13.2 - after restoring
the same fail2ban config files and running a few tests, I am
unable to get f2b to ban IP addresses.
First, OpenSuse 13.2 now uses journalctl, so I had to install rsyslogd
- so events are now logged to /var/log/messages:
2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 12478 ssh2
2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 221.235.188.206 port 15103 ssh2 [preauth]
2014-11-24T19:19:15.407958-05:00 suse sshd[26626]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 15097 ssh2
2014-11-24T19:19:15.742867-05:00 suse sshd[26626]: Postponed keyboard-interactive for root from 221.235.188.206 port 15097 ssh2 [preauth]
2014-11-24T19:19:16.887324-05:00 suse sshd[26616]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 13317 ssh2
2014-11-24T19:19:17.268403-05:00 suse sshd[26638]: Postponed keyboard-interactive for root from 221.235.188.206 port 16562 ssh2 [preauth]
My jail.local file:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/messages
maxretry = 5
I've run it through fail2ban-regex:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/messages
Results
=======
Failregex: 18738 total
|- #) [# of hits] regular expression
| 1) [12483] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
| 2) [6] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| 3) [6246] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
| 5) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [44445] ISO 8601
`-
Lines: 44445 lines, 0 ignored, 18738 matched, 25707 missed
Missed line(s): too many to print. Use --print-all-missed to print all 25707 lines
Could it be a problem with the default regex in the
filter.d/sshd.conf file?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
------------------------------------------------------------
Daniel Carrasco Marín
Técnicas Territoriales y Urbanas, S.L.
C/ Zurbano 92, 2º, 28003 Madrid
Tfno.: +34 91 571 93 46 (ext. 148) # Fax: +34 91 571 58 72
------------------------------------------------------------
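
A small audit of the two settings this thread identifies (rsyslog's RepeatedMsgReduction and a comma-separated ignoreip), plus a per-address count of failed sshd logins to compare with maxretry. This is an added example, not part of the original messages; the function names are made up here, the log pattern handles IPv4 only, and the 192.0.2.10 address in the demo is constructed.

```shell
#!/bin/sh
# Added example: audit the settings discussed in this thread (hypothetical helper names).

# Returns 0 if an uncommented "RepeatedMsgReduction on" is present in file $1.
repeated_msg_reduction_on() {
    grep -Eq '^[[:space:]]*\$?RepeatedMsgReduction[[:space:]]+on([[:space:]]|$)' "$1"
}

# Prints uncommented ignoreip lines in file $1 that contain a comma; 0 if any found.
ignoreip_has_commas() {
    grep -En '^[[:space:]]*ignoreip[[:space:]]*=.*,' "$1"
}

# Prints "<ip> <count>" for sshd "Failed ... from <ip> port" lines in log $1,
# highest count first (IPv4 only, an assumption of this example).
failed_by_ip() {
    sed -n 's/.* sshd\[[0-9]*]: Failed .* from \([0-9.]*\) port .*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

audit() {  # usage: audit RSYSLOG_CONF JAIL_FILE LOG_FILE
    status=0
    if repeated_msg_reduction_on "$1"; then
        echo "WARN: RepeatedMsgReduction is on in $1"; status=1
    fi
    if ignoreip_has_commas "$2" >/dev/null; then
        echo "WARN: ignoreip in $2 uses commas; the thread reports spaces are needed"; status=1
    fi
    echo "Failed sshd logins per address in $3 (compare with maxretry):"
    failed_by_ip "$3"
    return $status
}

if [ $# -eq 3 ]; then
    audit "$@"
else
    # No arguments: run on sample files (configs constructed, log lines from the post).
    tmp=$(mktemp -d)
    printf '%s\n' '$RepeatedMsgReduction on' > "$tmp/rsyslog.conf"
    printf '%s\n' 'ignoreip = 127.0.0.1,192.0.2.10' > "$tmp/jail.local"
    printf '%s\n' \
      '2014-11-24T19:19:15.161609-05:00 suse sshd[26610]: Failed keyboard-interactive/pam for root from 221.235.188.206 port 12478 ssh2' \
      '2014-11-24T19:19:15.379482-05:00 suse sshd[26627]: Postponed keyboard-interactive for root from 221.235.188.206 port 15103 ssh2 [preauth]' > "$tmp/messages"
    audit "$tmp/rsyslog.conf" "$tmp/jail.local" "$tmp/messages" || true
    rm -rf "$tmp"
fi
```

Run it as root with the real paths, for example `/etc/rsyslog.conf`, your jail.local and `/var/log/messages`; it exits non-zero when either warning fires.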