The webmin-auth log filter is:

^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$

Sshd log filter:

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$

> On 5 Feb 2018, at 20:34, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:
>
> You should post your jail and filter. fail2ban's filters change from release
> to release to accommodate changes in the underlying log file (i.e. apache 2.2
> vs apache 2.4).
>
> Bill
>
> On 2/5/2018 9:55 AM, Palvelin Postmaster via Fail2ban-users wrote:
>> Hi,
>>
>> Full disclosure. I'm new to F2B. :)
>>
>> I managed to set up 0.10.2 (just upgraded to 0.11) and get it working on
>> macOS High Sierra. My primary match action is to block connections using the
>> adaptive firewall (pf). I'm interested in filter action jails which target
>> attempted abuse of apache/php7, proftpd, sshd, and webmin.
>>
>> My main problem is that some of the log filters don't seem to work (on
>> macOS). For example, the sshd and webmin-auth log filters don't match
>> anything. Here's an example of the only log entry which occurs when I try to
>> log in to Webmin with false credentials (logging of logins/logouts is enabled
>> in webmin conf):
>>
>> XXX.XXX.XXX.XXX - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333
>>
>> So, it looks a bit different from the webmin-auth default regexps.
>> Essentially just an HTTP status code 401. Can someone help me construct a
>> properly formatted regexp for it?
>>
>> Are there any generic instructions available on how to construct log filter
>> regexps? How about instructions as to what each of the default log filters
>> attempts to filter (or should it be obvious)?
>>
>> --
>> Palvelin.fi Hostmaster
>> postmas...@palvelin.fi
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Palvelin.fi Hostmaster
postmas...@palvelin.fi
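The Webmin access-log line quoted in the original post is in Apache-style access-log format (client address first, no syslog prefix), so the stock webmin-auth patterns, which expect Webmin's own "Invalid login" messages behind %(__prefix_line)s, cannot match it. The script below is an added example, not code from this thread or from the fail2ban project: it expands the <HOST> placeholder the way fail2ban does before compiling a failregex, runs a candidate failregex for that 401 line over a constructed sample log, and counts matches per host the way a jail's maxretry does. HOST_RE is a simplified reproduction of fail2ban's substitution (newer releases use a more elaborate pattern), FAILREGEX is a candidate written here rather than a stock filter, the function names are my own, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Approximation of the group fail2ban substitutes for <HOST> before compiling a
# failregex: optional IPv4-mapped IPv6 prefix, then an IPv4/IPv6 address or
# hostname captured as "host". Assumption: newer releases use a richer pattern.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Candidate failregex (assumption, not a stock fail2ban filter) for the Webmin
# access-log line in the thread. The client address is the first field, so no
# %(__prefix_line)s is used. Only a 401 on the login CGI counts as a failure;
# the 302 redirect after a successful login must not match.
FAILREGEX = (
    r'^<HOST> - \S+ \[[^\]]+\] "POST /session_login\.cgi HTTP/1\.[01]" 401 \d+\s*$'
)


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_host(pattern: "re.Pattern[str]", line: str):
    """Return the offending host when the line matches, otherwise None."""
    m = pattern.match(line)
    return m.group("host") if m else None


def offending_hosts(failregex: str, lines, maxretry: int = 3) -> set:
    """Hosts with at least `maxretry` matching lines, like a jail's maxretry
    check (the findtime window, which fail2ban applies by timestamp, is omitted)."""
    pattern = compile_failregex(failregex)
    counts = Counter(h for h in (match_host(pattern, l) for l in lines) if h)
    return {h for h, n in counts.items() if n >= maxretry}


# Constructed sample log (RFC 5737 addresses, not real traffic): three failed
# logins from one client, one failure plus one success from another.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
    '192.0.2.10 - - [04/Feb/2018:23:01:58 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
    '198.51.100.7 - - [04/Feb/2018:23:02:03 +0200] "GET /session_login.cgi HTTP/1.1" 200 2333',
    '198.51.100.7 - - [04/Feb/2018:23:02:10 +0200] "POST /session_login.cgi HTTP/1.1" 302 0',
    '192.0.2.10 - - [04/Feb/2018:23:02:15 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
    '198.51.100.7 - - [04/Feb/2018:23:02:20 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
]

if __name__ == "__main__":
    pattern = compile_failregex(FAILREGEX)
    for line in SAMPLE_LOG:
        print(match_host(pattern, line), "<-", line)
    print("hosts at or over maxretry=3:", offending_hosts(FAILREGEX, SAMPLE_LOG))
```

Once a candidate pattern behaves as expected here, the same failregex can be placed in a filter file and checked against the real log with fail2ban's own fail2ban-regex tool, which reports which lines matched and which host each match extracted.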