On 02/02/2015 11:33 PM, David Highley wrote:
> Lee,
>
> Based on a bug report and looking at other filters we changed the
> filter to look like this:
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> _daemon = sshd
>
> failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from
> <HOST>(?: port \d*)?(?: ssh\d*)?$
>
> ignoreregex =
>
> [Init]
>
> journalmatch = _SYSTEMD_UNIT=sshd.service
>
> maxretry = 1
>
> When we test with one line like this the filter matches:
> fail2ban-regex "Feb 02 18:00:57 spruce sshd[30483]: Failed password for root
> from 222.161.4.147 port 56294 ssh2" /etc/fail2ban/filter.d/sshd-root.conf |
> less
>
> When we do the same test using jail.local it fails to match:
> fail2ban-regex "Feb 02 18:00:57 spruce sshd[30483]: Failed password for root
> from 222.161.4.147 port 56294 ssh2" /etc/fail2ban/jail.local | less

I was mistaken, you are correct to supply the filter, not the jail, to `fail2ban-regex`.

> Finally if we give it the journal log file it fails to match anything
> when using either the jail.local or the filter file.
>
> Let us know if this helps. Thanks again.
>
>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
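A simplified model of the filter-versus-jail point in this thread, added here as an example; it is not code from the thread or from fail2ban. Assumptions: `PREFIX`, `HOST` and `DATE` are reduced stand-ins for fail2ban's `__prefix_line`, `<HOST>` expansion and timestamp stripping, and the jail file and the second log line are constructed.

```python
import configparser
import re

# Filter definition from the quoted message (failregex rejoined onto one line).
FILTER_CONF = r"""
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
ignoreregex =
"""
# Constructed jail file: jail settings only, no [Definition] failregex.
JAIL_LOCAL = """
[sshd-root]
enabled = true
filter = sshd-root
maxretry = 1
"""
# Assumed simplifications of what fail2ban supplies from common.conf and its core.
PREFIX = r"\S+ %(_daemon)s\[\d+\]: "             # "<hostname> sshd[pid]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # IPv4 only
DATE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} ")  # syslog-style timestamp

ROOT_LINE = ("Feb 02 18:00:57 spruce sshd[30483]: Failed password for root "
             "from 222.161.4.147 port 56294 ssh2")     # test line from the message
USER_LINE = ("Feb 02 18:01:03 spruce sshd[30490]: Failed password for alice "
             "from 203.0.113.9 port 40000 ssh2")       # constructed, non-root user

def failregex_from(conf_text):
    """Compile the failregex of a config's [Definition] section, or return None."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_option("Definition", "failregex"):
        return None  # a jail file gives the tester no pattern to apply
    raw = cp.get("Definition", "failregex", vars={"__prefix_line": PREFIX})
    return re.compile(raw.replace("<HOST>", HOST))

def matched_host(conf_text, line):
    """Return the offending host if the line matches the config's failregex."""
    rx = failregex_from(conf_text)
    if rx is None:
        return None
    m = rx.search(DATE.sub("", line, count=1))  # match against the undated remainder
    return m.group("host") if m else None

if __name__ == "__main__":
    for name, conf in (("filter", FILTER_CONF), ("jail", JAIL_LOCAL)):
        print(name, "->", matched_host(conf, ROOT_LINE))
```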
