Hello, I'm new to Fail2Ban, and still getting to grips with it.
As I understand it, all matches to a filter are treated the same - using the default sshd filter a bot trying to log on as a nonexistent user is treated the same as a genuine user who has misspelled their password.

I would prefer to ban an IP the second time it attempts to log on as a nonexistent user, and allow multiple password attempts if the user exists on the system.

I have read some documents and HOWTOs, but seem to be struggling a bit with fail2ban's configuration concepts.

I've found /etc/fail2ban/filter.d/sshd.conf and enabled it by creating a corresponding /etc/fail2ban/jail.d/sshd.conf, as per Gentoo's wiki. [1]

I would have thought that the logical way to make my own filters would be to take the existing /etc/fail2ban/filter.d/sshd.conf and make two copies of it - /etc/fail2ban/filter.d/sshd-badusername.local and /etc/fail2ban/filter.d/sshd-wrongpassword.local, removing from each the unwanted regular expressions.

I expected to be able to create /etc/fail2ban/jail.d/sshd-badusername.conf and /etc/fail2ban/jail.d/sshd-wrongpassword.conf with the following contents:

    [sshd-badusername]
    enabled = true
    logpath = /var/log/messages

    [sshd-wrongpassword]
    enabled = true
    logpath = /var/log/messages

This doesn't work - when I reload fail2ban I get the messages:

    ERROR No file(s) found for glob /var/log/auth.log
    ERROR Failed during configuration: Have not found any log file for sshd jail

I don't understand - I didn't think I had any jail called "sshd" anymore - I thought I had two jails, "sshd-badusername" and "sshd-wrongpassword".

Fail2Ban seems highly modular and configurable, and I feel like I'm missing something important because there are too many pieces for me to visualise correctly.

Stroller.

[1] https://wiki.gentoo.org/wiki/Fail2ban#Configuration

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
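
The two-threshold policy described in the post, sketched as an added example (not part of the original message and not fail2ban's own code). It runs over constructed sshd log lines with simplified patterns; the thresholds of 2 and 5, the 600-second window, and all names are assumptions.

```python
import re
from collections import defaultdict, deque

# Simplified patterns, not fail2ban's shipped failregex. Each is anchored at the
# end of the line so text inside a client-chosen username cannot supply the host.
TAIL = r" from (?P<host>\S+) port \d+(?: ssh2)?$"
BAD_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+" + TAIL)
# "Failed password for invalid user ..." is skipped here: sshd already logged an
# "Invalid user" line for that attempt, so counting both would double the hits.
WRONG_PW = re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user )\S+" + TAIL)

# Assumed policy: (pattern, maxretry) per class, one shared window in seconds.
POLICY = {"badusername": (BAD_USER, 2), "wrongpassword": (WRONG_PW, 5)}
FINDTIME = 600

def evaluate(events):
    """events: (epoch_seconds, log_line) pairs in time order.
    Returns {ip: name of the class whose threshold triggered the ban}."""
    hits = defaultdict(deque)          # (class, ip) -> timestamps still in window
    banned = {}
    for ts, line in events:
        for name, (rx, maxretry) in POLICY.items():
            m = rx.search(line)
            if not m or m.group("host") in banned:
                continue
            q = hits[(name, m.group("host"))]
            q.append(ts)
            while ts - q[0] > FINDTIME:   # drop hits older than the window
                q.popleft()
            if len(q) >= maxretry:
                banned[m.group("host")] = name
    return banned

# Constructed sample log (documentation-range addresses, invented users).
P = "Jan 10 10:00:00 host sshd[1001]: "
SAMPLE = [
    (0,  P + "Invalid user admin from 203.0.113.7 port 40000"),
    (1,  P + "Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2"),
    (30, P + "Invalid user test from 203.0.113.7 port 40002"),
] + [(100 + i, P + "Failed password for alice from 198.51.100.20 port 50000 ssh2")
     for i in range(3)]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

In the sample, the address that tried two nonexistent users is banned on its second attempt, while three wrong passwords for an existing user stay under that class's threshold.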