Package: fail2ban
Version: 0.8.4-3
Severity: normal
Hi.
On this (hopefully quite generic) system a log line looks like:
Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fnord
The time given is in UTC, localtime is UTC+1. Fail2ban seems to interpret the
time stamp as localtime and given the value of 'findtime' of 600 will never
find any log entry.
My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
A nicer approach would be to make a time offset settable.
cu
AW
-- System Information:
Debian Release: 6.0.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages fail2ban depends on:
ii  lsb-base        3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  python          2.6.6-3+squeeze6  interactive high-level object-orie
ii  python-central  0.6.16+nmu1       register and build utility for Pyt
Versions of packages fail2ban recommends:
ii  iptables  1.4.8-3  administration tools for packet fi
ii  whois     5.0.10   an intelligent whois client
Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20100314cvs-1  simple mail user agent
pn  python-gamin       none                   (no description available)
-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex =
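The following Python is an added example, not part of the report and not fail2ban's own code. It walks through what the report describes: the pam_unix failregex from the attached sshd.conf is run over a constructed copy of the quoted log line, the syslog timestamp (which carries neither year nor zone) is converted to an epoch once "as local time on a UTC+1 box" and once "as UTC", and the resulting ages are compared with findtime. Assumptions: `PREFIX_LINE` is a simplified stand-in for common.conf's `__prefix_line`, `<HOST>` is expanded to a plain named group rather than fail2ban's own expansion, the year 2011 is a placeholder (any year gives the same ages), and the line is evaluated 30 s after it was written.

```python
import calendar
import re
import time

# Constructed sample line, same shape as the one quoted in the report
# (host names are placeholders).
LOG_LINE = ("Nov  8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): "
            "authentication failure; logname= uid=0 euid=0 tty=ssh "
            "ruser= rhost=fnord")

# Assumption: a simplified __prefix_line (timestamp, host, "sshd[pid]: ")
# instead of common.conf's, and <HOST> expanded to a plain named group.
PREFIX_LINE = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
               r"\S+ sshd\[\d+\]: ")
HOST = r"(?P<host>[\w\-.^_]+)"
# The pam_unix failregex from the attached sshd.conf, with the two
# substitutions above applied.
FAILREGEX = re.compile(
    PREFIX_LINE
    + r"(?:pam_unix\(sshd:auth\):\s)?authentication failure; "
    + r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=" + HOST
    + r"(?:\s+user=.*)?\s*$")

HOUR = 3600


def match_failure(line):
    """Return (timestamp text, host) if the line is an auth failure, else None."""
    m = FAILREGEX.match(line)
    return (m.group("ts"), m.group("host")) if m else None


def syslog_epoch(ts, year, assumed_offset_s):
    """Epoch seconds for a syslog stamp such as 'Nov  8 11:19:38'.

    The stamp carries neither year nor zone, so the reader supplies both.
    assumed_offset_s is the zone (seconds east of UTC) the wall-clock
    fields are taken to be in; per the report, fail2ban 0.8 uses the
    daemon's local zone here.  The year is passed in explicitly so the
    arithmetic does not depend on when this runs.
    """
    wall = time.strptime("%d %s" % (year, " ".join(ts.split())),
                         "%Y %b %d %H:%M:%S")
    # timegm reads the fields as UTC; subtracting the assumed zone offset
    # turns "11:19:38 in UTC+1" into the instant 10:19:38 UTC.
    return calendar.timegm(wall) - assumed_offset_s


def apparent_age(ts, now, year, assumed_offset_s):
    """How old (seconds) the stamp looks to a reader using assumed_offset_s."""
    return now - syslog_epoch(ts, year, assumed_offset_s)


def would_count(line, now, year, assumed_offset_s, findtime):
    """Does the line count toward a ban?  It must match the filter and be
    no older than findtime when read with the assumed zone."""
    hit = match_failure(line)
    if hit is None:
        return False
    ts, _host = hit
    return apparent_age(ts, now, year, assumed_offset_s) <= findtime


def report_scenario(year=2011):
    """The report's setup: log written in UTC, fail2ban on a UTC+1 box,
    evaluated 30 s after the failure.  Returns (age as fail2ban sees it,
    real age).  The year is a placeholder; any year gives the same pair."""
    ts, _host = match_failure(LOG_LINE)
    now = syslog_epoch(ts, year, 0) + 30        # the stamp really is UTC
    return (apparent_age(ts, now, year, HOUR),  # read as UTC+1: an hour too old
            apparent_age(ts, now, year, 0))     # read with the log's real zone


if __name__ == "__main__":
    seen, real = report_scenario()
    print("fail2ban sees the failure as %d s old; it is %d s old" % (seen, real))
    ts, _host = match_failure(LOG_LINE)
    now = syslog_epoch(ts, 2011, 0) + 30
    for assumed, findtime in ((HOUR, 600), (HOUR, 4200), (0, 600)):
        print("assumed offset %5d s, findtime %4d: counted=%s"
              % (assumed, findtime, would_count(LOG_LINE, now, 2011, assumed, findtime)))
```

With the local zone assumed, every UTC-stamped line looks 3600 s older than it is, so nothing younger than an hour ever falls inside a 600 s window; a findtime above 3600 (the 4200 in the attached jail.conf, or the 4600 in the text) makes the lines visible again, but it also widens the real window to roughly an hour and ten minutes, so slow scanners are counted over a far longer period than intended. Two caveats on the proposed settable offset: if the log zone were west of the daemon's local zone the stamps would instead appear to be in the future, and a fixed offset is wrong by an hour on either side of a DST change, so agreeing on one zone for syslog and fail2ban is the more robust fix.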
/etc/fail2ban/jail.conf changed:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 31536
maxretry = 3
backend = polling
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
            %(mta)s-whois[name=%(__name__)s, dest=%(destemail)s, protocol=%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
findtime = 4200
[pam-generic]
enabled = false
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port =