fail2ban not working ..
filter.d/sshd.conf
before = common.conf
[Definition]
_daemon = sshd
failregex = (?:error: PAM: )?Authentication failure for .* from <host>\s*$
Failed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?\s*$
ROOT LOGIN REFUSED.* FROM <host>\s*$
[iI](?:llegal|nvalid) user .* from <host>\s*$
Invalid user .* from <host>\s*$
User .+ from <host>not allowed because not listed in AllowUsers\s*$
User .+ from <host>not allowed because none of user's groups are listed in AllowGroups\s*$
Address <host>.* POSSIBLE BREAK-IN ATTEMPT\s*$
authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$
command
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
is showing 0 results …
Which setting can be wrong?
Richard
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<host>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <host>\s*$
^%(__prefix_line)sFailed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <host>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <host>\s*$
^%(__prefix_line)sUser \S+ from <host> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<host>\)\s*$
^%(__prefix_line)sAddress <host> .* POSSIBLE BREAK-IN ATTEMPT\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Running the same fail2ban-regex command as you turns up a number of results. Things to check:
Is the conf file being read correctly? (What is shown under "Regular expressions:" when you run fail2ban-regex?)
Is there anything in the log file to match? (Maybe it's just been rotated and is nearly empty. What does grep -i fail /var/log/secure yield?)
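Beyond the missing ^%(__prefix_line)s, the filter in the question differs from the stock one in a detail that is easy to miss: its AllowUsers patterns have no space between <host> and "not allowed", so they can never match a real sshd line. The script below is an added illustration, not fail2ban's own code and not from this thread. It expands <host> exactly as the stock filter's comment describes, uses a simplified stand-in for __prefix_line (an assumption; fail2ban's common.conf builds the real one from several pieces), strips a classic syslog timestamp, and runs both pattern sets over constructed log lines, reporting per-pattern counts the way fail2ban-regex does.

```python
import re

# Stand-ins for fail2ban's two substitutions. HOST_RE is the expansion quoted in the
# stock filter's comments; PREFIX_LINE is a simplified assumption for __prefix_line:
# optional hostname, then optional "sshd[pid]: ".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:sshd(?:\[\d+\])?:\s+)?"

# fail2ban removes the timestamp before applying failregex; classic syslog form only here.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+")


def expand(failregex):
    """Turn a filter.d-style failregex into a compiled Python pattern."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<host>", HOST_RE)
    return re.compile(pattern)


def count_matches(failregexes, lines):
    """Per-pattern list of matched hosts, like fail2ban-regex's 'Number of matches'."""
    compiled = [expand(r) for r in failregexes]
    results = {i: [] for i in range(1, len(compiled) + 1)}
    for line in lines:
        m = SYSLOG_DATE.match(line)
        if not m:
            continue  # no recognised date: the line is not considered at all
        body = line[m.end():]
        for i, pat in enumerate(compiled, 1):
            hit = pat.search(body)  # search, not anchored match: the stock patterns add ^ themselves
            if hit:
                results[i].append(hit.group("host"))
                break  # first matching failregex wins for this line
    return results


# Constructed sample lines (not taken from the thread's /var/log/secure).
LOG_LINES = [
    "Feb  1 00:58:06 linode sshd[2214]: Invalid user admin from 192.0.2.10",
    "Feb  1 00:58:07 linode sshd[2214]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2",
    "Feb  1 00:58:09 linode sshd[2220]: User bob from 192.0.2.11 not allowed because not listed in AllowUsers",
    "Feb  1 00:58:11 linode sshd[2220]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2",
]

# Two patterns as posted in the question (note: no space after <host> in the second) ...
POSTED = [
    r"Invalid user .* from <host>\s*$",
    r"User .+ from <host>not allowed because not listed in AllowUsers\s*$",
]
# ... beside the stock filter's versions of the same two.
STOCK = [
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <host>\s*$",
    r"^%(__prefix_line)sUser \S+ from <host> not allowed because not listed in AllowUsers$",
]


def compare():
    """Return (posted results, stock results) over the constructed lines."""
    return count_matches(POSTED, LOG_LINES), count_matches(STOCK, LOG_LINES)


if __name__ == "__main__":
    for label, res in zip(("posted", "stock"), compare()):
        for idx, hosts in res.items():
            print(f"{label} [{idx}] {len(hosts)} match(es) {hosts}")
```

The posted AllowUsers pattern gets 0 matches on a line the stock pattern catches, which is one concrete thing the "Regular expressions:" section of fail2ban-regex output lets you verify. It does not explain the 0 matches on the Invalid user pattern, which is where the timestamp handling discussed later in the thread comes in.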
The output is as follows:
[root@linode ~]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex
|- Regular expressions:
| [1] (?:error: PAM: )?Authentication failure for .* from <host>\s*$
| [2] Failed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?\s*$
| [3] ROOT LOGIN REFUSED.* FROM <host>\s*$
| [4] [iI](?:llegal|nvalid) user .* from <host>\s*$
| [5] Invalid user .* from <host>\s*$
| [6] User .+ from <host>not allowed because not listed in AllowUsers\s*$
| [7] User .+ from <host>not allowed because none of user's groups are listed in AllowGroups\s*$
| [8] Address <host>.* POSSIBLE BREAK-IN ATTEMPT\s*$
| [9] authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)
[5] 0 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
Look at the above section 'Running tests' which could contain important information.
I see many entries in the secure log. The default version did not work for me, so I removed the __prefix_line and tried it.
Richard
Still …
[root@linode filter.d]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex
|- Regular expressions:
| [1] Invalid user .* from <host>\s*
|
`- Number of matches:
[1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
@richardvc:
is showing 0 results …
Which setting can be wrong?
Richard
One thing that tripped me up a few months back with fail2ban is timezones. If you've changed your timezone without rebooting or restarting syslog then all your logs will be generated with the old timezone. This means that as soon as fail2ban sees the entry in the log it thinks it's old and ignores it….
You can test this easily by generating a log entry and confirming the timestamp is correct.
I changed the timezone to IST … how can I fix this?
Richard
@richardvc:
I changed the timezone to IST … how can I fix this?
The simplest solution is to reboot your machine instance… Or you could restart syslog:
reload rsyslog
or, on other distros,
service syslog restart
might work.
How about /bin/kill -HUP `cat /var/run/syslogd.pid`?
Richard
I reinstalled fail2ban again. It still does not work.
What can be the reason?
Richard
2011-02-01T00:58:06.205040+05:18 linode dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
2011-02-01T00:58:06.205100+05:18 linode dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=import@tglsa.in rhost=178.239.85.254
^
I see one strange thing in the time, the letter "T" … is this the reason? Where is this T coming from in the log files?
The Pure-FTPd log also shows a similar time.
Richard
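The timezone reply above and the "T" in these lines are two sides of one problem: an entry only counts if fail2ban can parse its timestamp and the result falls within findtime of the current time. The "T" is the RFC 3339 date/time separator that rsyslog's high-precision timestamp format emits, and the +05:18 offset on these lines is not IST's +05:30, which is exactly the kind of skew the timezone reply describes. The script below is an added illustration, not fail2ban's own date handling and not code from this thread: it parses both the classic syslog and the RFC 3339 timestamp shapes, converts them to UTC, and classifies each line as current, stale, future or no-date. The 600-second findtime, the "future" category, the pinned "now" in IST and the sample lines are all this example's own constructions.

```python
import re
from datetime import datetime, timedelta, timezone

# Two timestamp shapes that appear in the thread: classic syslog (no year, no zone)
# and rsyslog's RFC 3339 high-precision form, where "T" separates date and time
# and the trailing +HH:MM is the UTC offset the logger was running with.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+")
RFC3339_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})\s+")


def parse_timestamp(line, now):
    """Return (aware UTC datetime, remainder of line), or (None, line) if no date is found."""
    m = RFC3339_TS.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1))  # offset-aware, microseconds kept
        return ts.astimezone(timezone.utc), line[m.end():]
    m = SYSLOG_TS.match(line)
    if m:
        # syslog lines carry no year or zone: assume the current year and the system zone
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ts = ts.replace(year=now.year, tzinfo=now.tzinfo)
        return ts.astimezone(timezone.utc), line[m.end():]
    return None, line


def classify(line, now, findtime=timedelta(seconds=600)):
    """Say whether fail2ban-style processing would count this line at time `now`."""
    ts, _ = parse_timestamp(line, now)
    if ts is None:
        return "no-date"  # unparsable timestamp: the line is never considered
    age = now - ts
    if age < timedelta(0):
        return "future"   # ahead of the system clock: offset or zone skew (this example's own check)
    if age > findtime:
        return "stale"    # older than findtime: it cannot count toward maxretry
    return "current"


# Constructed "now": 00:59 IST (UTC+05:30) on the day the thread's lines were logged.
NOW = datetime(2011, 2, 1, 0, 59, 0, tzinfo=timezone(timedelta(hours=5, minutes=30)))

# Constructed sample lines; the first mirrors the thread's offset shape (+05:18, not +05:30).
SAMPLE_LINES = [
    "2011-02-01T00:58:06.205100+05:18 linode dovecot-auth: pam_unix(dovecot:auth): "
    "authentication failure; rhost=198.51.100.9",
    "Feb  1 00:58:06 linode sshd[2214]: Invalid user admin from 192.0.2.10",
    "Jan 31 23:00:00 linode sshd[2101]: Invalid user test from 192.0.2.12",
    "linode sshd[2214]: Invalid user admin from 192.0.2.10",
]


def classify_all(lines=SAMPLE_LINES, now=NOW):
    """Classify every sample line against the pinned clock."""
    return [classify(line, now) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, classify_all()):
        print(f"{verdict:8s} {line[:60]}")
```

The first line lands in the "future" bucket: written with a +05:18 offset but read by a system now at +05:30, it sits eleven minutes ahead of the clock, and a daemon that trusts the system zone will misplace it. The quick check suggested earlier in the thread, generating a fresh log entry and comparing its timestamp with the date command, catches this without any script.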
This error was because of timezone settings. I changed the timezone to IST … the new version of fail2ban (installed from source) works without an issue.
Thanks
Richard
P.S. I know this is an old post, but I found it and it helped me, so I thought I would add to that.