This matches for me:

$ fail2ban-regex "Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2" "Failed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"

Note, I removed "%(__prefix_line)" from the regex supplied to fail2ban-regex.

Regex syntax info can be found here: https://docs.python.org/library/re.html

On 01/18/2015 12:27 AM, David Highley wrote:
> We found this filter on the web which is supposed to block root ssh
> logins:
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> _daemon = sshd
>
> failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
>
> ignoreregex =
>
>
> We are trying to adapt it to work with journalctl for use on fedora 21.
> The journalctl lines look like this:
> Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2
>
> We have been using fail2ban-regex to test the filter but we have no
> knowledge of the regex syntax that fail2ban uses. Any help would be
> greatly appreciated.
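As an added example (not part of the original e-mails and not fail2ban's own code), this Python sketch compares the failregex as written in the filter with the prefix-less form tested in the reply. The `HOST`, `PREFIX` and `TIMESTAMP` patterns are simplified assumptions standing in for fail2ban's real substitutions, and every sample line except the first is constructed.

```python
import re

# Assumptions: simplified stand-ins for what fail2ban substitutes into a
# failregex. The real <HOST> also accepts hostnames and IPv6, and the real
# __prefix_line from common.conf accepts more syslog layouts.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\S+ sshd(?:\[\d+\])?: "
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# failregex as quoted from the filter, and as tested in the reply.
FILTER_REGEX = (r"^%(__prefix_line)sFailed (?:password|publickey) for root "
                r"from <HOST>(?: port \d*)?(?: ssh\d*)?$")
REPLY_REGEX = (r"Failed (?:password|publickey) for root "
               r"from <HOST>(?: port \d*)?(?: ssh\d*)?$")

def compile_failregex(failregex):
    """Expand the two placeholders and compile the result."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX)
    return re.compile(expanded.replace("<HOST>", HOST))

def offending_host(line, pattern):
    """Return the address the pattern would report for this line, or None."""
    rest = TIMESTAMP.sub("", line, count=1)  # timestamp is matched separately
    match = pattern.search(rest)
    return match.group("host") if match else None

ANCHORED = compile_failregex(FILTER_REGEX)
UNANCHORED = compile_failregex(REPLY_REGEX)

SAMPLES = [
    # Line quoted in the thread.
    "Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2",
    # Constructed lines (documentation addresses, hypothetical daemon name).
    "Jan 17 20:18:50 new-spruce sshd[19180]: Failed password for alice from 192.0.2.10 port 4022 ssh2",
    "Jan 17 20:18:55 new-spruce sshd[19184]: Accepted password for root from 192.0.2.11 port 4100 ssh2",
    "Jan 17 20:19:02 new-spruce webapp[411]: Failed password for root from 192.0.2.7",
]

def report(samples=SAMPLES):
    """Pair each line with what the anchored and unanchored patterns capture."""
    return [(offending_host(s, ANCHORED), offending_host(s, UNANCHORED))
            for s in samples]

if __name__ == "__main__":
    for line, (anchored, unanchored) in zip(SAMPLES, report()):
        print(f"anchored={anchored!s:<15} unanchored={unanchored!s:<15} {line}")
```

The last sample is only reported by the prefix-less pattern, which is why the deployed filter should keep the `^%(__prefix_line)s` anchor even though dropping it is convenient for a quick fail2ban-regex test.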
