If you have tcp/5038 open you will likely get log lines like:-
SECURITY[1918] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1435677997-293779",Severity="Error",Service="AMI",EventVersion="1",AccountID="manager",SessionID="0x7f4c3c7ceac0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/35995",SessionTV="0-0"
SECURITY[2188] res_security_log.c: SecurityEvent="FailedACL",EventTV="1435495355-169186",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f47c00020b8",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/40738",SessionTV="0-0"
I would suggest perhaps changing the regex to include them:-
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?(,SessionTV="\w+")$
Comments?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
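As an added example, not part of the post above and not fail2ban's own code, the script below runs the proposed SecurityEvent failregex over the two AMI events quoted in the post and applies a fail2ban-style maxretry/findtime rule to the remote hosts it extracts. The fail2ban placeholders are expanded by hand: `<HOST>` becomes an explicit IPv4/IPv6 character class captured as `host`, `%(iso8601)s` is written out, and `%(log_prefix)s` is a simplified version of the "SECURITY[pid] file.c:" prefix. fail2ban (0.9) cuts the matched timestamp out of the line before applying failregex, which is what the `\[\]\s*` alternative in the posted prefix is for; this script instead accepts an optional bracketed timestamp itself. Two patterns are widened so that the quoted lines actually match: as posted, `AccountID="\d*"` cannot match `AccountID="manager"` or `"admin"` (AMI accounts are names, not numbers), and `SessionTV="\w+"` cannot match `SessionTV="0-0"`, because `\w` excludes the hyphen. The sample log is constructed: the first two failure events carry the post's field values with an assumed Asterisk "[YYYY-MM-DD HH:MM:SS]" file-log prefix, and the third failure and the SuccessfulAuth line are invented to exercise the window logic and the non-matching case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (see lead-in): two events from the post, plus one
# invented extra failure from the same host and one invented successful login.
SAMPLE_LOG = """\
[2015-06-28 12:42:35] SECURITY[2188] res_security_log.c: SecurityEvent="FailedACL",EventTV="1435495355-169186",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f47c00020b8",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/40738",SessionTV="0-0"
[2015-06-30 15:26:37] SECURITY[1918] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1435677997-293779",Severity="Error",Service="AMI",EventVersion="1",AccountID="manager",SessionID="0x7f4c3c7ceac0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/35995",SessionTV="0-0"
[2015-06-30 15:26:39] SECURITY[1918] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1435677999-104211",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f4c3c7cf2e0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/35996",SessionTV="0-0"
[2015-06-30 15:27:02] SECURITY[1918] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1435678022-551700",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f4c3c7d0100",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/192.0.2.10/51234",UsingPassword="1",SessionTV="0-0"
"""

# fail2ban's %(iso8601)s written out
ISO8601 = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}'

FAILREGEX = re.compile(
    r'^(?:\[[^\]]*\]\s*)?'                               # optional "[timestamp] " prefix
    r'(?:NOTICE|SECURITY|WARNING)\[\d+\]:? [^:]+:\d*(?: \w+:)? '  # simplified %(log_prefix)s
    r'SecurityEvent="(?P<event>FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="(?:(?P<epoch>\d+)(?:-\d+)?|(?P<iso>' + ISO8601 + r'))",'
    r'Severity="\w+",Service="(?P<service>\w+)",EventVersion="\d+",'
    r'AccountID="(?P<account>[^"]*)",'                   # widened from \d*: AMI account names
    r'SessionID=".+",'
    r'LocalAddress="IPV[46]/(?:UDP|TCP|WS)/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|WS)/(?P<host>[\da-fA-F:.]+)/\d+"'  # <HOST> expanded
    r'(?:,Challenge="[\w/]+")?(?:,ReceivedChallenge="\w+")?'
    r'(?:,Response="\w+",ExpectedResponse="\w*")?(?:,ReceivedHash="[\da-f]+")?'
    r'(?:,ACLName="\w+")?'
    r'(?:,SessionTV="[\w-]+")?$'                         # widened from \w+: "0-0"
)


def parse_line(line):
    """Return the fields of one matching failure event, or None for any other line."""
    m = FAILREGEX.match(line.rstrip("\r\n"))
    if not m:
        return None
    if m.group("epoch") is not None:
        when = int(m.group("epoch"))                     # EventTV is "seconds-microseconds"
    else:                                                # ISO-8601 form of EventTV
        when = int(datetime.strptime(m.group("iso"), "%Y-%m-%dT%H:%M:%S.%f%z").timestamp())
    return {"host": m.group("host"), "event": m.group("event"),
            "service": m.group("service"), "account": m.group("account"),
            "time": when}


def find_offenders(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry matching failures inside any window of
    findtime seconds (the rule fail2ban applies with its maxretry/findtime
    settings), mapped to the number of failures in the first such window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            times[hit["host"]].append(hit["time"])
    banned = {}
    for host, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):                     # sliding window over event times
            while t - ts[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[host] = end - start + 1
                break
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(find_offenders(SAMPLE_LOG, maxretry=2, findtime=600))
```

With the constructed sample, the two InvalidAccountID events from 58.252.4.117 are two seconds apart, so `maxretry=2, findtime=600` bans that host, while the FailedACL event two days earlier only counts once the window is widened; the SuccessfulAuth line never matches because its event name is not in the alternation.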