I don't see how f2b could catch the first two log lines ever and do
something with them as they don't carry the IP address.
Nick
On 30/09/2017 05:14, Bill Shirley wrote:
Run fail2ban-client -d and compare the [sshd] section of the output to
[ssh-iptables] below.
fail2ban parses log files so it constantly has to evolve due to software updates,
distro changes, log file locations, local customization, etc. Any answer to your
question would just be a guess.
Bill
On 9/29/2017 11:40 AM, Robert Kudyba wrote:
Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter
in /etc/fail2ban/filter.d would catch login attempts with errors such as:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 24 time(s)
or:
Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from 123.59.182.194 port 43862 ssh2
I tried a grep 1000 */* in that directory, no results. I see an SX
suggestion from 2015, https://unix.stackexchange.com/a/204393/180291
*"I had a ssh section on my jail local but now I see that I was
missing a ssh-iptables section so it would add rules to iptables and
now it works:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5"*
But is this the same as enabling the [sshd] jail/filter?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
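
The point made at the top of the thread, as an added example that is not part of the original messages and is not fail2ban's own code: a ban needs a source address, so only a line that carries one can count as a failure. The two regular expressions are simplified stand-ins written for this illustration (assumptions, not the patterns shipped in filter.d/sshd.conf), and the sample lines are the two quoted above, unwrapped.

```python
import re

# Constructed sample: the two sshd lines quoted in the thread, unwrapped.
SAMPLE_LOG = [
    'Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): '
    'requirement "uid >= 1000" not met by user "root"',
    'Sep 24 05:55:06 ourserver sshd[22772]: Failed password for root from '
    '123.59.182.194 port 43862 ssh2',
]

# Assumption: simplified syslog prefix and patterns, for illustration only.
PREFIX = r'^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: '
# Stand-in for a failregex: it must capture a host, or there is nothing to ban.
FAILREGEX = re.compile(
    PREFIX + r'Failed password for (?:invalid user )?\S+ '
    r'from (?P<host>\S+) port \d+ ssh2$')
# The PAM message names a user and a requirement, but no remote address.
PAM_LINE = re.compile(
    PREFIX + r'pam_succeed_if\(sshd:auth\): requirement "(?P<req>[^"]+)" '
    r'not met by user "(?P<user>[^"]+)"$')


def classify(lines):
    """Split lines into (failures, unattributed).

    failures:     (host, pid) for lines that carry a source address.
    unattributed: (user, pid) for PAM lines that carry no address at all.
    """
    failures, unattributed = [], []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            failures.append((m['host'], m['pid']))
            continue
        m = PAM_LINE.match(line)
        if m:
            unattributed.append((m['user'], m['pid']))
    return failures, unattributed


def count_by_host(lines):
    """Failure count per address, the figure a maxretry threshold is compared to."""
    counts = {}
    for host, _pid in classify(lines)[0]:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == '__main__':
    print(classify(SAMPLE_LOG))
    print(count_by_host(SAMPLE_LOG))
```

In this sample the only thing tying the PAM line to the address is the shared sshd PID, 22772.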