Lee,

Based on a bug report and looking at other filters we changed the filter to
look like this:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$

ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service
maxretry = 1

When we test with one line like this, the filter matches:

fail2ban-regex "Feb 02 18:00:57 spruce sshd[30483]: Failed password for root from 222.161.4.147 port 56294 ssh2" /etc/fail2ban/filter.d/sshd-root.conf | less

When we do the same test using jail.local, it fails to match:

fail2ban-regex "Feb 02 18:00:57 spruce sshd[30483]: Failed password for root from 222.161.4.147 port 56294 ssh2" /etc/fail2ban/jail.local | less

Finally, if we give it the journal log file, it fails to match anything when
using either the jail.local or the filter file.

Let us know if this helps. Thanks again.

> "Lee Clemens wrote:"
> >
> > I'd suggest trying fail2ban-regex - it accepts a path to a jail
> > configuration as well (which can include backend = systemd). There isn't
> > really enough info here for me to help too much more - I don't have any
> > systems using systemd. The only binary logs I have are on my Windows
> > machines.
> >
> > On 02/02/2015 03:38 PM, David Highley wrote:
> > > Lee,
> > >
> > > "Lee Clemens wrote:"
> > >> If it is simply the number of failed attempts that is an issue -
> > >> maxretry should be set to 1 to ban after 1 failed attempt.
> > > We did testing and never appeared to get blocked for trying to log in as
> > > root. Then if we change the maxretry setting to 1 in the filter, does it
> > > only apply to login attempts as root? Remember we know almost nothing
> > > about using fail2ban at this point as it is our first time using it.
> > > Thanks again for all your help.
> > >
> > >> On 02/02/2015 01:17 PM, David Highley wrote:
> > >>> "Lee Clemens wrote:"
> > >>> We never saw any more comments on the last information provided so we
> > >>> assume you saw nothing wrong with the jail.local setting.
> > >>>
> > >>> We really need to get this working as the number of attempts to log in
> > >>> as root, given three tries, ends up being way too many per day. We are
> > >>> new to using fail2ban, plus all the other changes we are taking on in
> > >>> moving to Fedora 21, where logging is reduced to journalctl and the new
> > >>> firewall interface of firewalld, all at once, is creating a challenge.
> > >>> Our goal is to have the filter ban on the first attempt to log in as
> > >>> root.
> > >>>
> > >>> What we most need information on is how to debug this filter. We tried,
> > >>> as we said, to just use the journal log file, on which the filter did
> > >>> not have any matches. So can you hand a non-ASCII journal log file
> > >>> directly to the test? If so, how do we increase the debug level to
> > >>> hopefully figure out why it is not matching any of the input? We are
> > >>> also challenged as none of us do Python scripting, but we did find some
> > >>> examples in the documentation for fail2ban. Any help/pointers would be
> > >>> very much appreciated, and if we determine that a change is needed we
> > >>> will feed it back to the community. Thank you.
> > >>>
> > >>> For reference, jail.local:
> > >>> [DEFAULT]
> > >>> # bantime = 3600
> > >>> bantime = 259200
> > >>> #banaction= firewallcmd-ipset
> > >>> banaction= firewallcmd-new
> > >>> backend = systemd
> > >>> maxretry = 3
> > >>> #sender = [email protected]
> > >>> #destmail = root@localhost
> > >>> #action = %(action_mwl)s
> > >>>
> > >>> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> > >>> # ban a host which matches an address in this list. Several addresses can be
> > >>> # defined using space separator.
> > >>> # ignoreip = 127.0.0.1/8 10.2.2.0/255.255.255.0 130.76.32.0/255.255.255.0 130.76.64.0/255.255.255.0
> > >>>
> > >>> #
> > >>> [sshd]
> > >>> enabled = true
> > >>> filter = sshd-root
> > >>>
> > >>> We also reverted the filter.d/sshd-root.conf file to:
> > >>> [INCLUDES]
> > >>>
> > >>> # Read common prefixes. If any customizations available -- read them from
> > >>> # common.local
> > >>> before = common.conf
> > >>>
> > >>> [Definition]
> > >>>
> > >>> _daemon = sshd
> > >>>
> > >>> failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
> > >>>
> > >>> ignoreregex =
> > >>>
> > >>>> Also, it reads the log file you configure it to read. Providing more
> > >>>> information regarding your specific setup would be useful. Log lines,
> > >>>> jail configuration, etc.
> > >>>>
> > >>>> On 01/18/2015 09:48 PM, David Highley wrote:
> > >>>>> "Lee Clemens wrote:"
> > >>>>>> This matches for me:
> > >>>>>>
> > >>>>>> $ fail2ban-regex "Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2" "Failed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"
> > >>>>>>
> > >>>>>> Note, I removed "%(__prefix_line)" from the regex supplied to
> > >>>>>> fail2ban-regex.
> > >>>>> We finally did get it to match by changing to this:
> > >>>>> failregex = (?: sshd\[\d+\]:)? Failed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
> > >>>>>
> > >>>>> However, it still does not block root logins. We are using firewalld,
> > >>>>> fail2ban 0.9.1 on Fedora 21. Fail2ban is working, just not the extra
> > >>>>> filter. Does anyone know how fail2ban works in this setup? Does it
> > >>>>> read the journal log file, or is it tied into systemd?
> > >>>>>
> > >>>>>> Regex syntax info can be found here:
> > >>>>>> https://docs.python.org/library/re.html
> > >>>>>>
> > >>>>>>
> > >>>>>> On 01/18/2015 12:27 AM, David Highley wrote:
> > >>>>>>> We found this filter on the web which is supposed to block root ssh
> > >>>>>>> logins:
> > >>>>>>> [INCLUDES]
> > >>>>>>>
> > >>>>>>> # Read common prefixes. If any customizations available -- read them from
> > >>>>>>> # common.local
> > >>>>>>> before = common.conf
> > >>>>>>>
> > >>>>>>> [Definition]
> > >>>>>>>
> > >>>>>>> _daemon = sshd
> > >>>>>>>
> > >>>>>>> failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
> > >>>>>>>
> > >>>>>>> ignoreregex =
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> We are trying to adapt it to work with journalctl for use on Fedora 21.
> > >>>>>>> The journalctl lines look like this:
> > >>>>>>> Jan 17 20:18:47 new-spruce sshd[19177]: Failed password for root from 70.199.137.27 port 10835 ssh2
> > >>>>>>>
> > >>>>>>> We have been using fail2ban-regex to test the filter but we have no
> > >>>>>>> knowledge of the regex syntax that fail2ban uses. Any help would be
> > >>>>>>> greatly appreciated.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
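An added example, not part of the thread and not fail2ban's own code, that re-enacts offline the steps of fail2ban 0.9's matching that decide whether the sshd-root failregex fires, so the regexes traded above can be compared on the same input. Three points it makes concrete: %(__prefix_line)s is a config interpolation that only exists when the regex is read from a filter file that includes common.conf, so a regex handed to fail2ban-regex as a plain string has to omit it (which is what Lee's working command did), and fail2ban-regex's second argument is a failregex string or a filter file, not jail.local, which has no [Definition] to test; the systemd backend renders each journal record as a syslog-style "HOSTNAME IDENT[PID]: MESSAGE" line with the timestamp handled separately, so the stock %(__prefix_line)s regex is the right one for journal input too; and the "got it to match" rewrite, which drops the ^ anchor and makes the sshd[pid]: prefix optional, fires on the same text logged by any daemon at all, a log-spoofing door that journalmatch happens to close for the systemd backend but that stays open on a file backend. Two further caveats: maxretry is a jail option and belongs in jail.local, not in a filter's [Init] section; and a raw journal file is binary, so it cannot be passed to fail2ban-regex as a log path (to my recollection the 0.9 series accepts the literal LOG argument systemd-journal for this, with the filter's journalmatch applied; check fail2ban-regex --help on the installed version). Assumptions in the code: PREFIX_LINE is a trimmed copy of the common.conf pieces that matter for sshd lines, the <HOST> expansion is the 0.9 form, DATE_RE only covers the "Feb 02 18:00:57" stamp seen in the thread, format_journal_entry mimics rather than reuses fail2ban's rendering, and every log line and journal record is a constructed sample.

```python
"""Added example (not fail2ban's code, not from the thread): re-enact the parts
of fail2ban 0.9's matching pipeline that decide whether the sshd-root failregex
fires, so the regexes from the thread can be tried offline.

Assumptions (also stated in the lead-in):
  * PREFIX_LINE is a trimmed copy of the common.conf pieces relevant to sshd
    lines (hostname, daemon[pid]:); the real __prefix_line has more optional parts.
  * HOST_RE is the 0.9 expansion of <HOST>; DATE_RE only covers the
    "Feb 02 18:00:57" stamp seen in the thread (fail2ban's DateDetector does more).
  * format_journal_entry mimics the systemd backend's rendering of a record as
    "HOSTNAME IDENT[PID]: MESSAGE"; it is not fail2ban's own code.
  * every log line and journal record below is a constructed sample.
"""
import re

# What common.conf contributes to %(__prefix_line)s for _daemon = sshd (trimmed).
_daemon = "sshd"
_pid_re = r"(?:\[\d+\])"
_daemon_re = r"[\[\(]?%s(?:\(\S+\))?[\]\)]?:?" % _daemon
_daemon_combs_re = r"(?:%s?:\s+%s|%s%s?:?)" % (_pid_re, _daemon_re, _daemon_re, _pid_re)
_hostname = r"\S+"
PREFIX_LINE = r"\s*(?:%s\s+)?(?:%s\s+)?" % (_hostname, _daemon_combs_re)

# The failregex variants that appear in the thread.
TAIL = r"Failed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$"
ANCHORED = "^" + PREFIX_LINE + TAIL        # filter file, %(__prefix_line)s expanded
LOOSE = r"(?: sshd\[\d+\]:)? " + TAIL      # the "got it to match" rewrite
BARE = TAIL                                # what Lee fed to fail2ban-regex as a string
UNEXPANDED = r"^%(__prefix_line)s" + TAIL  # interpolation left inside a bare string

# fail2ban 0.9 expands <HOST> into this named group before compiling.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Only the syslog timestamp format used in the thread (assumption).
DATE_RE = re.compile(r"^\s*[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def strip_date(line):
    """fail2ban removes the matched timestamp before applying failregex,
    which is why __prefix_line starts with \\s* rather than a date pattern."""
    m = DATE_RE.match(line)
    return line[m.end():] if m else line


def format_journal_entry(entry):
    """Render a journal record the way the systemd backend presents it to the
    filter: HOSTNAME IDENT[PID]: MESSAGE (mimicked, not fail2ban's code)."""
    ident = entry["SYSLOG_IDENTIFIER"]
    if "_PID" in entry:
        ident += "[%d]" % entry["_PID"]
    return "%s %s: %s" % (entry["_HOSTNAME"], ident, entry["MESSAGE"])


def find_host(failregex, line):
    """Host the failregex would ban for one line, or None if it does not fire."""
    m = compile_failregex(failregex).search(strip_date(line))
    return m.group("host") if m else None


# Constructed samples: the thread's line, the same event as a journal record,
# a non-root failure, and the same text logged by a different daemon.
SYSLOG_LINE = "Feb 02 18:00:57 spruce sshd[30483]: Failed password for root from 222.161.4.147 port 56294 ssh2"
JOURNAL_ENTRY = {"_HOSTNAME": "spruce", "SYSLOG_IDENTIFIER": "sshd", "_PID": 30483,
                 "MESSAGE": "Failed password for root from 222.161.4.147 port 56294 ssh2"}
NON_ROOT = "Feb 02 18:01:03 spruce sshd[30490]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2"
SPOOFED = "Feb 02 18:02:11 spruce cron[712]: Failed password for root from 198.51.100.7 port 1 ssh2"


def run_checks():
    """Which regex bans which host; returned as a dict so it can be asserted on."""
    journal_line = format_journal_entry(JOURNAL_ENTRY)
    return {
        "anchored_syslog": find_host(ANCHORED, SYSLOG_LINE),
        "anchored_journal": find_host(ANCHORED, journal_line),
        "anchored_non_root": find_host(ANCHORED, NON_ROOT),
        "anchored_spoofed": find_host(ANCHORED, SPOOFED),
        "loose_spoofed": find_host(LOOSE, SPOOFED),
        "bare_syslog": find_host(BARE, SYSLOG_LINE),
        "unexpanded_syslog": find_host(UNEXPANDED, SYSLOG_LINE),
    }


if __name__ == "__main__":
    for name, host in run_checks().items():
        print("%-20s %s" % (name, host or "no match"))
```

Run stand-alone it prints one row per check: the anchored filter-file regex extracts 222.161.4.147 from both the syslog line and the journal-rendered line, ignores the non-root failure and the cron line, while the loose rewrite bans 198.51.100.7 from the cron line; the bare regex matches because the timestamp has already been stripped and nothing anchors it, and the unexpanded %(__prefix_line)s string matches nothing because Python's re treats it as a literal percent sign followed by a group.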
