"Lee Clemens wrote:"
>
> Also, it reads the log file you configure it to read. Providing more
> information regarding your specific setup would be useful. Log lines,
> jail configuration, etc.

I tried using /var/log/journal/37a02967fe41491086922a957c45d552/system.journal
and it found no matches out of 46416 lines after reverting to the original
regex expression. That regex expression matches the single line we listed by
doing journalctl -ra and copying the line we used below. The filter is
commented out as testing showed it not to be working. The jail.local file is:

[DEFAULT]
# bantime = 3600
bantime = 259200
#banaction= firewallcmd-ipset
banaction= firewallcmd-new
backend = systemd
maxretry = 3
#sender = [email protected]
#destmail = root@localhost
#action = %(action_mwl)s

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 10.2.2.0/255.255.255.0 130.76.32.0/255.255.255.0 130.76.64.0/255.255.255.0

[sshd]
enabled = true
#filter = sshd-root

> > On 01/18/2015 09:48 PM, David Highley wrote:
> > "Lee Clemens wrote:"
> >> This matches for me:
> >>
> >> $ fail2ban-regex "Jan 17 20:18:47 new-spruce sshd[19177]: Failed
> >> password for root from 70.199.137.27 port 10835 ssh2" "Failed
> >> (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"
> >>
> >> Note, I removed "%(__prefix_line)" from the regex supplied to
> >> fail2ban-regex.
> > We finally did get it to match by changing to this:
> > failregex = (?: sshd\[\d+\]:)? Failed (?:password|publickey) for root
> > from <HOST>(?: port \d*)?(?: ssh\d*)?$
> >
> > However it still does not block root logins. We are using firewalld,
> > fail2ban 0.9.1 on fedora 21. Fail2ban is working, just not the extra
> > filter. Does anyone know how fail2ban works in this setup? Does it read
> > the journal log file or is it tied into systemd?
> >
> >> Regex syntax info can be found here:
> >> https://docs.python.org/library/re.html
> >>
> >>
> >> On 01/18/2015 12:27 AM, David Highley wrote:
> >>> We found this filter on the web which is supposed to block root ssh
> >>> logins:
> >>> [INCLUDES]
> >>>
> >>> # Read common prefixes. If any customizations available -- read them from
> >>> # common.local
> >>> before = common.conf
> >>>
> >>> [Definition]
> >>>
> >>> _daemon = sshd
> >>>
> >>> failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from
> >>> <HOST>(?: port \d*)?(?: ssh\d*)?$
> >>>
> >>> ignoreregex =
> >>>
> >>>
> >>> We are trying to adapt it to work with journalctl for use on fedora 21.
> >>> The journalctl lines look like this:
> >>> Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from
> >>> 70.199.137.27 port 10835 ssh2
> >>>
> >>> We have been using fail2ban-regex to test the filter but we have no
> >>> knowledge of the regex syntax that fail2ban uses. Any help would be
> >>> greatly appreciated.
> >>>
> >>> ------------------------------------------------------------------------------
> >>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> >>> GigeNET is offering a free month of service with a new server in Ashburn.
> >>> Choose from 2 high performing configs, both with 100TB of bandwidth.
> >>> Higher redundancy. Lower latency. Increased capacity. Completely compliant.
> >>> http://p.sf.net/sfu/gigenet
> >>> _______________________________________________
> >>> Fail2ban-users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >>
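The thread turns on two points: fail2ban-regex does not expand `%(__prefix_line)s` when the regex is passed on the command line (Lee's note), and a jail only bans once a matched host that is not in `ignoreip` reaches `maxretry`. The following Python, added here as an illustration and not part of the thread or of fail2ban itself, replays both against constructed journal-style lines in the format the thread shows. It assumes the `<HOST>` expansion shown in `HOST_TAG` (approximately what fail2ban 0.9 substitutes) and takes the `failregex`, `ignoreip` and `maxretry` values from the messages above; the sample lines are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape the thread shows from `journalctl -ra`
# (timestamp host sshd[pid]: message). Not real log data.
SAMPLE_LINES = [
    "Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2",
    "Jan 17 20:18:51 new-spruce sshd[19181]: Failed password for root from 70.199.137.27 port 10836 ssh2",
    "Jan 17 20:18:55 new-spruce sshd[19185]: Failed publickey for root from 70.199.137.27 port 10837 ssh2",
    "Jan 17 20:19:02 new-spruce sshd[19190]: Failed password for root from 10.2.2.15 port 50122 ssh2",
    "Jan 17 20:19:03 new-spruce sshd[19190]: Failed password for root from 10.2.2.15 port 50123 ssh2",
    "Jan 17 20:19:04 new-spruce sshd[19190]: Failed password for root from 10.2.2.15 port 50124 ssh2",
    "Jan 17 20:19:10 new-spruce sshd[19194]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 17 20:19:20 new-spruce sshd[19199]: Accepted publickey for root from 203.0.113.9 port 2222 ssh2",
]

# The corrected failregex from the thread, still carrying the literal <HOST> tag.
FAILREGEX = r"(?: sshd\[\d+\]:)? Failed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"

# The filter as found on the web. fail2ban only expands %(__prefix_line)s when
# it reads a filter .conf through its config parser; handed to fail2ban-regex
# as a command-line argument the text is taken literally, so '^%' must match
# the start of the line and never does.
UNEXPANDED_REGEX = r"^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"

# Assumption: approximately what fail2ban 0.9 substitutes for <HOST>
# (an optional IPv4-mapped-IPv6 prefix followed by a named group 'host').
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# ignoreip and maxretry copied from the jail.local in the thread.
IGNOREIP = ["127.0.0.1/8", "10.2.2.0/255.255.255.0",
            "130.76.32.0/255.255.255.0", "130.76.64.0/255.255.255.0"]
MAXRETRY = 3


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, as fail2ban does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def extract_hosts(lines, failregex):
    """Return the host captured from every line the failregex matches.

    fail2ban applies the pattern with search(), not match(), which is why the
    corrected regex works without anchoring the timestamp/hostname prefix.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls inside any ignoreip entry (CIDR or dotted-netmask form)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Simulate the jail: count failures per host, skip ignoreip, ban at maxretry."""
    counts = Counter(h for h in extract_hosts(lines, failregex) if not is_ignored(h))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matches with literal %(__prefix_line)s:", len(extract_hosts(SAMPLE_LINES, UNEXPANDED_REGEX)))
    print("matches with corrected failregex:      ", len(extract_hosts(SAMPLE_LINES, FAILREGEX)))
    print("hosts the jail would ban:              ", hosts_to_ban(SAMPLE_LINES))
```

Run as-is it reports zero matches for the unexpanded regex, six for the corrected one, and a single host to ban: the three 10.2.2.15 failures are absorbed by the `10.2.2.0/255.255.255.0` ignoreip entry, so when checking why a jail "is working, just not the extra filter", confirm that the source addresses in the failures are not covered by ignoreip before blaming the regex. Note also that a `system.journal` file is a binary journal, not a text log; with `backend = systemd` fail2ban reads entries through the journal API rather than line-by-line from that file, so pointing fail2ban-regex at the file directly does not exercise the same path.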
