fail2ban not working
If /var/log/secure contains the correct source IP address of the unauthorised login attempt, the next thing to try is running the command:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
fail2ban will look at the /var/log/secure file for error conditions associated with ssh. Post the output so I can see what it says.
I'm assuming that the /etc/fail2ban/filter.d/sshd.conf file exists and has failregex entries similar to those below?
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
Each line is a regular expression pattern that fail2ban tries to match in the /var/log/secure file. I would expect a failed ssh login to match at least one of the failregex lines above.
Last edited by gscott187; 6th August 2009 at 10:42.
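An added example, not part of the post above and not fail2ban's own code: a small Python stand-in for what `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` does with the failregex lines quoted above. It expands `%(__prefix_line)s` and `<HOST>` the way fail2ban does before compiling, runs every pattern over a handful of constructed /var/log/secure lines, and reports which line matched which pattern and which lines matched nothing. The `PREFIX_LINE` value is an assumption (a simplified syslog prefix; the real `__prefix_line` in common.conf is far more permissive), the `<HOST>` expansion is taken from fail2ban 0.8 as I remember it, and the sample log lines are constructed, not from the poster's system. One sample line carries an ISO-style timestamp on purpose, to show the usual reason `fail2ban-regex` reports zero matches on lines that are plainly failed logins: the prefix part of the expression, not the failure text, is what fails to match.

```python
import re

# Assumed simplification of fail2ban's %(__prefix_line)s: syslog timestamp,
# hostname, "sshd[pid]: " and an optional pam_unix tag. fail2ban's real
# common.conf definition is much more permissive; this is only for the demo.
PREFIX_LINE = r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?:pam_unix\(sshd:auth\): )?"

# What fail2ban 0.8 substitutes for <HOST> (named group "host"); assumed here.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from the post, verbatim, as fail2ban would read the INI value.
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]

# Constructed sample of /var/log/secure lines (not taken from any real host).
# The last line has a non-syslog timestamp, so the prefix will not match it.
SAMPLE_LOG = """\
Aug  6 10:41:12 bastion sshd[2201]: Failed password for root from 192.168.1.10 port 54321 ssh2
Aug  6 10:41:15 bastion sshd[2203]: Invalid user oracle from 192.168.1.10
Aug  6 10:41:15 bastion sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10  user=oracle
Aug  6 10:41:20 bastion sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Aug  6 10:41:25 bastion sshd[2215]: ROOT LOGIN REFUSED FROM 203.0.113.7
2009-08-06T10:41:30 bastion sshd[2220]: Failed password for root from 192.168.1.10 port 54322 ssh2
"""


def compile_failregex(patterns=FAILREGEX, prefix=PREFIX_LINE, host=HOST_RE):
    """Expand %(__prefix_line)s and <HOST> as fail2ban does, then compile each pattern."""
    return [
        re.compile(p.replace("%(__prefix_line)s", prefix).replace("<HOST>", host))
        for p in patterns
    ]


def run_failregex(lines, patterns=FAILREGEX):
    """Try every failregex against every line; the first match wins, as in fail2ban.

    Returns (hits, misses): hits is a list of (line_no, host, pattern_index),
    misses is the list of non-empty lines that no failregex matched.
    """
    compiled = compile_failregex(patterns)
    hits, misses = [], []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line:
            continue
        for idx, rx in enumerate(compiled):
            m = rx.match(line)
            if m:
                hits.append((no, m.group("host"), idx))
                break
        else:
            misses.append(line)
    return hits, misses


if __name__ == "__main__":
    hits, misses = run_failregex(SAMPLE_LOG.splitlines())
    for no, host, idx in hits:
        print(f"line {no}: host {host} matched failregex #{idx + 1}")
    print(f"Success, the total number of match is {len(hits)}")
    for line in misses:
        print(f"no match: {line}")
```

Run it as-is and then compare with what the real `fail2ban-regex` prints on your own log: when the tool reports zero matches for lines you can see are failed logins, the date or daemon prefix part of the expression is the usual culprit, exactly as the last sample line shows, and it is worth testing the prefix on its own before touching the failure text of the patterns.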