View Single Post
Old 6th August 2009, 11:38
gscott187 gscott187 is offline
Junior Member
Join Date: Jul 2009
Posts: 17
Thanks: 1
Thanked 5 Times in 4 Posts
Default fail2ban not working

If /var/log/secure contains the correct source IP address of the unauthorised login attempt, the next thing to try is running the command:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

fail2ban will look at the /var/log/secure file for error conditions associated with ssh. Post the output so I can see what it says.

I'm assuming that the /etc/fail2ban/filter.d/sshd.conf file exists and has failregex entries similar to those below?

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

Each line is a regular expression pattern that fail2ban tries to match in the /var/log/secure file. I would expect a failed ssh login to match at least one of the failregex lines above.

Last edited by gscott187; 6th August 2009 at 11:42.
Reply With Quote