Run fail2ban-client -d and compare the [sshd] section of the output to [ssh-iptables] below.
fail2ban parses log files so it constantly has to evolve due to software updates, distro changes, log file locations, local customization, etc. Any answer to your question would just be a guess.
Bill
On 9/29/2017 11:40 AM, Robert Kudyba wrote:
Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter in /etc/fail2ban/filter.d would catch login attempts with errors such as:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 24 time(s)
or:
Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 123.59.182.194 port 43862 ssh2
I tried a grep 1000 */* in that directory, no results. I see an SX suggestion from 2015, https://unix.stackexchange.com/a/204393/180291
*"I had a ssh section on my jail local but now I see that I was missing a ssh-iptables section so it would add rules to iptables and now it works:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5"*
But is this the same as enabling the [sshd] jail/filter?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
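Added example, not part of the original thread or of fail2ban itself: one way to do the comparison suggested in the reply, assuming `fail2ban-client -d` prints one Python-style list per command, as 0.9.x does. The dump embedded below is constructed sample input, and `parse_dump` and `compare_jails` are hypothetical helper names.

```python
import ast
import sys
from collections import defaultdict

# Constructed sample of `fail2ban-client -d` output, not taken from a real host.
SAMPLE_DUMP = """\
['set', 'loglevel', 'INFO']
['add', 'sshd', 'auto']
['set', 'sshd', 'addlogpath', '/var/log/secure', 'head']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'addfailregex', '<constructed-failregex>']
['set', 'sshd', 'addaction', 'iptables-multiport']
['start', 'sshd']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'addlogpath', '/var/log/secure', 'head']
['set', 'ssh-iptables', 'maxretry', 5]
['set', 'ssh-iptables', 'addfailregex', '<constructed-failregex>']
['set', 'ssh-iptables', 'addaction', 'iptables']
['start', 'ssh-iptables']
"""

def parse_dump(text):
    """Return {jail: {setting: [value tuples]}} from dump text."""
    jails = {}
    for line in text.splitlines():
        try:
            cmd = ast.literal_eval(line.strip())
        except (ValueError, SyntaxError):
            continue  # warnings, blank lines, anything that is not a list
        if not isinstance(cmd, list) or len(cmd) < 2:
            continue
        if cmd[0] == "add":
            jails[cmd[1]] = defaultdict(list)
        elif cmd[0] == "set" and cmd[1] in jails and len(cmd) >= 4:
            jails[cmd[1]][cmd[2]].append(tuple(cmd[3:]))
    return jails

def compare_jails(jails, a, b):
    """Return {setting: (values in a, values in b)} for settings that differ."""
    ja, jb = jails.get(a, {}), jails.get(b, {})  # a missing jail compares as empty
    diff = {}
    for key in sorted(set(ja) | set(jb)):
        va, vb = ja.get(key, []), jb.get(key, [])
        if va != vb:
            diff[key] = (va, vb)
    return diff

if __name__ == "__main__":
    # Pass a file holding real `fail2ban-client -d` output, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, (va, vb) in compare_jails(parse_dump(text), "sshd", "ssh-iptables").items():
        print(f"{key}: sshd={va} ssh-iptables={vb}")
```

Settings that do not appear in the result are identical in both jails; on a real host the dump, not this sample, decides whether the two jails differ.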