Hi. OK, can I ask: why did you expect every line to fail ('match')? Have
you been through the log file and noticed that every log entry is an
attack? I am asking because a normal log file would contain a mixture of
missed, matched and ignored lines.
In my current log file, if I run the same command, I get this:
*Lines: 9622 lines, 0 ignored, 3585 matched, 6037 missed*
You can see there's a "healthy" mix of matched and missed, which is exactly
what a normal log file should show.
If you have checked and you believe that fail2ban should've 'failed' the
other 657 lines, we need to see the "missed" lines.
To do that, please run the fail2ban-regex command again but add this to the
end: --print-all-missed
Then copy 100 of them into your reply so we can examine them.
Tony Collins
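The matched/missed split described above, shown with a small re-implementation of what fail2ban-regex does (an added example, not fail2ban's own code): it applies the three sshd failregex from the quoted output to constructed auth.log lines. The <HOST> tag is replaced by a simplified named group and the sample lines are made up; both are assumptions of this example.

```python
"""Mini fail2ban-regex over constructed auth.log lines (added example, not
fail2ban's code).  A line is 'matched' when one failregex fires, else it is
'missed'.  Accepted logins, session open/close and cron noise are missed by
design, so a missed count well above the matched count is the normal shape."""
import re

# __prefix_line from the sshd filter output in the thread, rejoined on one line.
PREFIX = (r'^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?'
          r'(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?'
          r'|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*')
HOST = r'(?P<host>[\w\-.]+)'   # simplified stand-in for fail2ban's <HOST> (assumption)
BODIES = (
    r'Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID '
    r'\S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", '
    r'client host ".*")?))?\s*$',
    r'[iI](?:llegal|nvalid) user .* from <HOST>\s*$',
    r'pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*'
    r'\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$',
)
FAILREGEX = [re.compile(PREFIX + b.replace('<HOST>', HOST)) for b in BODIES]
# "MON Day 24hour:Minute:Second" date template from the thread; fail2ban strips
# the date before the failregex is tried, so we do the same.
DATE = re.compile(r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d ')

def classify(lines):
    """Split lines into matched [(host, line)] and missed [line]."""
    matched, missed = [], []
    for line in lines:
        m = DATE.match(line)
        rest = line[m.end():] if m else line
        for rx in FAILREGEX:
            hit = rx.match(rest)
            if hit:
                matched.append((hit.group('host'), line))
                break
        else:
            missed.append(line)
    return matched, missed

# Constructed sample log: two attacking hosts plus ordinary benign sshd/cron noise.
SAMPLE = [
    'Oct 15 20:59:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2',
    'Oct 15 21:00:12 srv sshd[1240]: Invalid user oracle from 198.51.100.7',
    'Oct 15 21:00:14 srv sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root',
    'Oct 15 21:01:00 srv sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2',
    'Oct 15 21:01:00 srv sshd[1250]: pam_unix(sshd:session): session opened for user deploy by (uid=0)',
    'Oct 15 21:05:01 srv CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)',
]

if __name__ == '__main__':
    matched, missed = classify(SAMPLE)
    print(f'Lines: {len(SAMPLE)} lines, 0 ignored, {len(matched)} matched, {len(missed)} missed')
    for line in missed:          # this is what --print-all-missed lists
        print('  missed:', line)
```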
On 16 October 2017 at 04:16, A <publicf...@bak.rr.com> wrote:
> Thank you for the assist. The issue is that 657 lines were missed.
> Lines: 682 lines, 0 ignored, 25 matched, 657 missed [processed in 0.45 sec]
>
>
> On 10/15/2017 01:41 PM, Tony Collins wrote:
>
> Is it just me? I can't tell what the issue is!
>
>
> On Sun, 15 Oct 2017 at 21:02, A <publicf...@bak.rr.com> wrote:
>
>> I can't be the first to encounter this... does anyone have a fix for the
>> below please?
>>
>> Thank you in advance!
>>
>> - Andrew
>>
>> # fail2ban-regex /var/log/auth.log.1 /etc/fail2ban/filter.d/sshd.conf
>>
>> Running tests
>> =============
>>
>> Use failregex filter file : sshd, basedir: /etc/fail2ban
>> Use maxlines : 10
>> Use log file : /var/log/auth.log.1
>> Use encoding : UTF-8
>>
>>
>> Results
>> =======
>>
>> Failregex: 25 total
>> |- #) [# of hits] regular expression
>> | 3) [10] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
>> | 5) [5] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
>> | 16) [10] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> | [682] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>>
>> Lines: 682 lines, 0 ignored, 25 matched, 657 missed [processed in 0.45 sec]
>> Missed line(s): too many to print. Use --print-all-missed to print all 657 lines
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
> --
> -- Tony Collins
>
>
>