Hi,
Here comes:
# Fail2Ban filter for openssh
#
# If you want to protect OpenSSH from being bruteforced by password
# authentication then get public key authentication working before disabling
# PasswordAuthentication in sshd_config.
#
#
# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# DEV Notes:
#
#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
#   and later catch-all's could contain user-provided input, which need to be greedily
#   matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
------
Br,
Ville
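
Added example, not part of the original message or of fail2ban's code: a check of the DEV note in the filter above, comparing the non-greedy catch-all before <HOST> with a greedy one on constructed log lines. The HOST and PREFIX patterns are simplified stand-ins (assumptions) for fail2ban's <HOST> and %(__prefix_line)s expansions, and the failregex is reduced to its "ruser" branch.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's own substitutions; the
# real <HOST> and %(__prefix_line)s expansions accept more than these do.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "

# The "Failed ..." failregex from the filter, reduced to its "ruser" branch.
# The catch-all before <HOST> is left as a slot so both forms can be built.
TEMPLATE = (r"^{prefix}Failed \S+ for {user} from {host}"
            r"(?: port \d*)?(?: ssh\d*)?(: ruser .*)?\s*$")


def build(user_catch_all):
    """Compile the reduced failregex with the given catch-all before <HOST>."""
    return re.compile(TEMPLATE.format(prefix=PREFIX, user=user_catch_all, host=HOST))


NON_GREEDY = build(".*?")  # as written in the filter
GREEDY = build(".*")       # the variant the DEV note argues against


def matched_host(regex, line):
    """Return the address the regex would hand to the ban action, or None."""
    m = regex.match(line)
    return m.group("host") if m else None


# Constructed log lines (documentation addresses, not real traffic).
PLAIN = ("Aug 20 13:21:29 host1 sshd[4242]: Failed password for invalid "
         "user admin from 192.0.2.10 port 51234 ssh2")
# Trailing, client-controlled text that itself contains " from <address>".
TRAILING = ("Aug 20 13:21:30 host1 sshd[4243]: Failed hostbased for root "
            "from 192.0.2.10 port 51240 ssh2: ruser x from 198.51.100.7")
# A successful login must not be counted as a failure.
NOISE = ("Aug 20 13:21:31 host1 sshd[4244]: Accepted password for alice "
         "from 192.0.2.10 port 51250 ssh2")

if __name__ == "__main__":
    for line in (PLAIN, TRAILING, NOISE):
        print(matched_host(NON_GREEDY, line), matched_host(GREEDY, line))
```

On the TRAILING line the non-greedy form reports the connecting address, while the greedy form reports the address embedded in the trailing text, which is the case the DEV note is guarding against.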
August 21 2015 4:42 PM, "Harrison Johnson" wrote:
You're welcome,
in the folder /etc/fail2ban/filter.d you should have a file named
ssh-iptables.conf
It will be helpful to see that file.
On Fri, 2015-08-21 at 05:15 +0000, [email protected] wrote:
Hi,
and thank you for the reply. As I wrote, my ssh-iptables.conf is:
-----------------------
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 2
bantime = 86400
-----------------------
BR,
Ville
August 21 2015 7:17 AM, "Harrison Johnson" wrote:
What is in your ssh-iptables.conf ?
On Thu, 2015-08-20 at 16:06 +0000, [email protected] wrote:
Hi all,
and thank you for a great product.
I have installed fail2ban on my new CentOS 7 server and there seem to be some
problems. The trigger works fine, but after the trigger, when it should do
something, fail2ban gives some errors for the IP address.
Any suggestion how to fix this?
My sshd:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 2
bantime = 86400
-------
My log:
2015-08-20 13:20:34,875 fail2ban.server [6735]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-08-20 13:20:34,877 fail2ban.database [6735]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-08-20 13:20:34,882 fail2ban.jail [6735]: INFO Creating new jail 'ssh-iptables'
2015-08-20 13:20:34,886 fail2ban.jail [6735]: INFO Jail 'ssh-iptables' uses poller
2015-08-20 13:20:34,914 fail2ban.filter [6735]: INFO Set jail log file encoding to UTF-8
2015-08-20 13:20:34,914 fail2ban.jail [6735]: INFO Initiated 'polling' backend
2015-08-20 13:20:34,923 fail2ban.filter [6735]: INFO Added logfile = /var/log/secure
2015-08-20 13:20:34,924 fail2ban.filter [6735]: INFO Set maxRetry = 2
2015-08-20 13:20:34,926 fail2ban.filter [6735]: INFO Set jail log file encoding to UTF-8
2015-08-20 13:20:34,926 fail2ban.actions [6735]: INFO Set banTime = 86400
2015-08-20 13:20:34,927 fail2ban.filter [6735]: INFO Set findtime = 600
2015-08-20 13:20:34,928 fail2ban.filter [6735]: INFO Set maxlines = 10
2015-08-20 13:20:35,002 fail2ban.server [6735]: INFO Jail ssh-iptables is not a JournalFilter instance
2015-08-20 13:20:36,699 fail2ban.jail [6735]: INFO Jail 'ssh-iptables' started
2015-08-20 13:21:29,344 fail2ban [6735]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/jailthread.py", line 64, in run_with_except_hook
    run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filterpoll.py", line 95, in run
    self.getFailures(filename)
  File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 682, in getFailures
    self.processLineAndAdd(line)
  File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 421, in processLineAndAdd
    if self.inIgnoreIPList(ip):
  File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 363, in inIgnoreIPList
"(?