Looks normal! CentOS is built from Red Hat if memory serves me and that
means it is most likely running systemd so change the line in the
openssh.conf for
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
to
journalmatch =
On Fri, 2015-08-21 at 14:14 +0000, [email protected] wrote:
> Hi,
>
> Here comes:
>
>
> # Fail2Ban filter for openssh
> #
> # If you want to protect OpenSSH from being bruteforced by password
> # authentication then get public key authentication working before disabling
> # PasswordAuthentication in sshd_config.
> #
> #
> # "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> _daemon = sshd
>
> failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
>             ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
>             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
>             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
>             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
>             ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
>             ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
>             ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
>             ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
>
> ignoreregex =
>
> [Init]
>
> # "maxlines" is number of log lines to buffer for multi-line regex searches
> maxlines = 10
>
> journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
>
> # DEV Notes:
> #
> # "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
> # it is coming before use of <HOST> which is not hard-anchored at the end as well,
> # and later catch-all's could contain user-provided input, which need to be greedily
> # matched away first.
> #
> # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
>
> ------
>
> Br,
>
> Ville
>
>
>
> August 21 2015 4:42 PM, "Harrison Johnson" <[email protected]>
> wrote:
>
> You're welcome,
> in the folder /etc/fail2ban/filter.d you should have a file
> named ssh-iptables.conf
> It will be helpful to see that file.
>
> On Fri, 2015-08-21 at 05:15 +0000, [email protected] wrote:
>
>
> > Hi,
> >
> > and thank you for reply. As I wrote, my ssh-iptables.conf is:
> >
> > -----------------------
> > [ssh-iptables]
> >
> > enabled = true
> >
> > filter = sshd
> >
> > action = iptables[name=SSH, port=ssh, protocol=tcp]
> >
> > logpath = /var/log/secure
> >
> > maxretry = 2
> >
> > bantime = 86400
> > -----------------------
> >
> > BR,
> >
> > Ville
> >
> >
> > August 21 2015 7:17 AM, "Harrison Johnson" <[email protected]> wrote:
> >
> > What is in your ssh-iptables.conf ?
> >
> > On Thu, 2015-08-20 at 16:06 +0000, [email protected] wrote:
> >
> > > Hi all,
> > >
> > > and thank you for great product.
> > >
> > > I have installed fail2ban in my new centos 7
> > > server and there seems to be some problems.
> > > Trigger works fine, but
> > > after trigger should do something fail2ban gives
> > > some errors for ip-address. Any suggestion how to
> > > fix this?
> > >
> > > My sshd:
> > >
> > > [ssh-iptables]
> > > enabled = true
> > > filter = sshd
> > > action = iptables[name=SSH, port=ssh, protocol=tcp]
> > > logpath = /var/log/secure
> > > maxretry = 2
> > > bantime = 86400
> > >
> > > -------
> > >
> > > My log:
> > >
> > >
> > >
> > > 2015-08-20 13:20:34,875 fail2ban.server [6735]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
> > > 2015-08-20 13:20:34,877 fail2ban.database [6735]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
> > > 2015-08-20 13:20:34,882 fail2ban.jail [6735]: INFO Creating new jail 'ssh-iptables'
> > > 2015-08-20 13:20:34,886 fail2ban.jail [6735]: INFO Jail 'ssh-iptables' uses poller
> > > 2015-08-20 13:20:34,914 fail2ban.filter [6735]: INFO Set jail log file encoding to UTF-8
> > > 2015-08-20 13:20:34,914 fail2ban.jail [6735]: INFO Initiated 'polling' backend
> > > 2015-08-20 13:20:34,923 fail2ban.filter [6735]: INFO Added logfile = /var/log/secure
> > > 2015-08-20 13:20:34,924 fail2ban.filter [6735]: INFO Set maxRetry = 2
> > > 2015-08-20 13:20:34,926 fail2ban.filter [6735]: INFO Set jail log file encoding to UTF-8
> > > 2015-08-20 13:20:34,926 fail2ban.actions [6735]: INFO Set banTime = 86400
> > > 2015-08-20 13:20:34,927 fail2ban.filter [6735]: INFO Set findtime = 600
> > > 2015-08-20 13:20:34,928 fail2ban.filter [6735]: INFO Set maxlines = 10
> > > 2015-08-20 13:20:35,002 fail2ban.server [6735]: INFO Jail ssh-iptables is not a JournalFilter instance
> > > 2015-08-20 13:20:36,699 fail2ban.jail [6735]: INFO Jail 'ssh-iptables' started
> > > 2015-08-20 13:21:29,344 fail2ban [6735]: CRITICAL Unhandled exception in Fail2Ban:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/jailthread.py", line 64, in run_with_except_hook
> > >     run(*args, **kwargs)
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filterpoll.py", line 95, in run
> > >     self.getFailures(filename)
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 682, in getFailures
> > >     self.processLineAndAdd(line)
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 421, in processLineAndAdd
> > >     if self.inIgnoreIPList(ip):
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 363, in inIgnoreIPList
> > >     "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
> > >   File "/usr/lib/python2.7/site-packages/fail2ban-0.9.1-py2.7.egg/fail2ban/server/filter.py", line 915, in addr2bin
> > >     return struct.unpack("!L", socket.inet_aton(string))[0]
> > > error: illegal IP address string passed to inet_aton
> > >
> > >
> > >
> > > Best regards,
> > >
> > > Ville
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
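The thread quotes the sshd filter's failregex lines and a traceback that dies in socket.inet_aton inside inIgnoreIPList. The script below is an added example, not fail2ban's code and not something any participant posted: it compiles four of the quoted failregex entries verbatim, runs them over constructed /var/log/secure lines to show what the <HOST> tag actually captures, and validates ignoreip-style entries (address, address/bits, address/dotted-mask) before they could reach the inet_aton path shown in the traceback. PREFIX_LINE is a simplified stand-in for fail2ban's %(__prefix_line)s (the real one comes from common.conf); HOST is fail2ban 0.9's expansion of <HOST>; all log lines and ignoreip entries are constructed.

```python
import ipaddress
import re
import socket
import struct

# Simplified stand-in for fail2ban's %(__prefix_line)s (an assumption; the real
# definition lives in common.conf): syslog timestamp, hostname, "sshd[pid]:".
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
# %(__md5hex)s: a colon-separated 16-byte fingerprint.
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"
# fail2ban 0.9's expansion of the <HOST> tag. The character class has no ':'
# and admits hostnames, so it captures "attacker.example" but not an IPv6 literal.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Four of the failregex entries quoted in the thread, verbatim.
RAW_FAILREGEX = [
    r'^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$',
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
    r'^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$',
    r'^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$',
]


def compile_failregex(raw):
    """Substitute the fail2ban placeholders and compile one failregex."""
    pattern = (raw.replace("%(__prefix_line)s", PREFIX_LINE)
                  .replace("%(__md5hex)s", MD5HEX)
                  .replace("<HOST>", HOST))
    return re.compile(pattern)


FAILREGEX = [compile_failregex(r) for r in RAW_FAILREGEX]


def match_host(line):
    """Return the <host> capture of the first failregex that matches, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ipv4_literal(host):
    """True if the captured host is a plain IPv4 literal (what the inet_aton path expects)."""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def mask_to_prefixlen(mask):
    """The dotted-netmask conversion from the traceback (filter.py lines 363/915),
    returning None instead of raising when inet_aton rejects the string."""
    try:
        bits = struct.unpack("!L", socket.inet_aton(mask))[0]
    except OSError:
        return None
    ones = re.search("(?<=b)1+", bin(bits))
    return len(ones.group()) if ones else 0


def ignoreip_entry_ok(entry):
    """Validate one ignoreip-style entry (addr, addr/bits or addr/dotted-mask)
    so a malformed mask is rejected before the inIgnoreIPList code path."""
    addr, _, mask = entry.partition("/")
    if not is_ipv4_literal(addr):
        return False          # hostnames need DNS resolution; flag them for review
    if not mask:
        return True
    try:
        ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError:        # non-numeric, non-contiguous or junk mask
        return False
    return True


# Constructed sample log lines (not taken from the thread).
LOG_LINES = [
    "Aug 20 13:21:10 centos7 sshd[7001]: Failed password for root from 203.0.113.5 port 51222 ssh2",
    "Aug 20 13:21:12 centos7 sshd[7003]: Invalid user admin from 198.51.100.7",
    "Aug 20 13:21:14 centos7 sshd[7005]: error: PAM: Authentication failure for illegal user bob from 203.0.113.77",
    "Aug 20 13:21:16 centos7 sshd[7007]: Received disconnect from 203.0.113.9: 3: com.jcraft.jsch.JSchException: Auth fail",
    "Aug 20 13:21:18 centos7 sshd[7009]: Failed password for root from attacker.example port 51222 ssh2",
    "Aug 20 13:21:20 centos7 sshd[7011]: Failed password for root from 2001:db8::1 port 51222 ssh2",
    "Aug 20 13:21:22 centos7 sshd[7013]: Accepted publickey for ville from 192.0.2.9 port 40000 ssh2",
]


def scan(lines):
    """Return [(host, is_ipv4_literal)] for every line some failregex matched."""
    out = []
    for line in lines:
        host = match_host(line)
        if host is not None:
            out.append((host, is_ipv4_literal(host)))
    return out


if __name__ == "__main__":
    for host, ok in scan(LOG_LINES):
        print("%-20s %s" % (host, "ipv4" if ok else "NOT an IPv4 literal"))
    for entry in ("127.0.0.1/8", "10.0.0.0/255.255.0.0", "10.0.0.0/255.255.0.x"):
        print("%-24s %s" % (entry, "ok" if ignoreip_entry_ok(entry) else "rejected"))
```

Running it shows that the 0.9 filter never matches the IPv6 line at all, that a hostname-looking token is captured as <HOST> just like an address, and that a dotted mask inet_aton cannot parse is the one input the traceback's addr2bin call has no guard for.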