Hi Christophe - I might be missing something here, but I cannot see an
'action' defined for the SSH rule.
Tony Collins
On 31 May 2016 at 14:57, Christophe Millon <[email protected]>
wrote:
> Sorry, the configuration file is sshd.conf, and it matches the right
> addresses; here is the test:
>
> [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: \[preauth\]\s*$
>
> [11] 68 match(es)
>
> Here is the jail configuration:
>
> ignore ip = x.x.x.x
> bantime = 432000
> maxretry = 3
> findtime = 21600
>
> [ssh]
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 3
>
> And here is the fail2ban.log when I restart the service:
>
> fail2ban.jail : INFO Jail 'ssh' stopped
> 2016-05-30 09:06:22,866 fail2ban.server : INFO Exiting Fail2ban
> 2016-05-30 09:06:23,202 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
> 2016-05-30 09:06:23,203 fail2ban.jail : INFO Creating new jail 'ssh'
> 2016-05-30 09:06:23,203 fail2ban.jail : INFO Jail 'ssh' uses poller
> 2016-05-30 09:06:23,219 fail2ban.filter : INFO Added logfile = /var/log/auth.log
> 2016-05-30 09:06:23,219 fail2ban.filter : INFO Set maxRetry = 3
> 2016-05-30 09:06:23,220 fail2ban.filter : INFO Set findtime = 21600
> 2016-05-30 09:06:23,221 fail2ban.actions: INFO Set banTime = 432000
> 2016-05-30 09:06:23,254 fail2ban.jail : INFO Jail 'ssh' started
>
> thanks,
>
> Christophe
> ________________________________________
> From: Tom Hendrikx <[email protected]>
> Sent: Tuesday 31 May 2016 13:47:09
> To: [email protected]
> Subject: Re: [Fail2ban-users] fail2ban doesn't ban
>
> On 31-05-16 11:17, Christophe Millon wrote:
> > I have this line in my configuration file
> > /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> > from <HOST>: 11: \[preauth\]\s*$
>
> Is this filename 'shd.conf' correct? Does that match your jail config?
> Can you show us your jail.conf, and the logging that a restart of
> fail2ban produces with the config?
>
> Regards,
> Tom
>
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and
> traffic
> patterns at an interface-level. Reveals which users, apps, and protocols
> are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
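
The check raised in the reply above, as an added example that is not part of the original thread or of fail2ban itself: it resolves each enabled jail's options, including [DEFAULT] inheritance and `%(name)s` interpolation, and reports jails for which no `action` resolves. Assumptions: the sample text is constructed from the quoted jail settings with a `[DEFAULT]` header placed above them, the `ssh-with-action` jail and the `audit_jails` helper are hypothetical, and only a single file's text is read (a real installation also merges overrides such as jail.local).

```python
import configparser

# Constructed sample: the settings quoted in the thread, placed under a
# [DEFAULT] header (assumption: the post shows no header above [ssh]),
# plus a hypothetical second jail that does define an action, for contrast.
SAMPLE_JAIL_CONF = """
[DEFAULT]
bantime = 432000
maxretry = 3
findtime = 21600

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[ssh-with-action]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-multiport
action = %(banaction)s[name=ssh, port="%(port)s"]
"""


def audit_jails(conf_text):
    """Return {jail name: resolved action string, or None} for enabled jails."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    report = {}
    for jail in parser.sections():  # [DEFAULT] is not listed as a section
        opts = parser[jail]
        if not opts.getboolean("enabled", fallback=False):
            continue  # disabled jails never ban, so they are not reported
        # get() applies %(name)s interpolation and falls back to [DEFAULT]
        action = opts.get("action", fallback="").strip()
        report[jail] = action or None
    return report


if __name__ == "__main__":
    for jail, action in audit_jails(SAMPLE_JAIL_CONF).items():
        if action is None:
            print(f"{jail}: enabled, but no action is defined")
        else:
            print(f"{jail}: action = {action}")
```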