Fail2ban not working with FC10

[eeyore]

I just upgraded Fedora from 8 to 10. Fail2ban worked very well in core 8 but now it is not working anymore. Fail2ban is running normal but it is not banning because the /var/log/secure log is different:

fc8:
Aug 3 14:53:34 monica sshd[3954]: Failed password for root from xxx.90.213.110 port 3231 ssh2

fc10:
2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: Failed password for invalid user oracle from xxx.193.4.5 port 55490 ssh2

Fail2ban version is 0.8.3-16. Any solutions?

[marpada]

Add a new regular expression to the filter for sshd.conf
________
BRUNETTE LATINA
________
Suzuki Gsx Series Specifications

[eeyore]

Ok, sounds good but I have no idea how to do that. I guess the problem is the date stamp so is there any chance to change logger config back to old mode?

[falko]

What's in the sshd filter right now? What's in /etc/fail2ban/jail.conf?

[eeyore]

/etc/fail2ban/jail.conf

Quote:

bantime = -1

findtime = 600

maxretry = 3

backend = auto

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 2

[ftp-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/secure
maxretry = 3

/etc/fail2ban/filter.d/sshd.conf

Quote:

[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+us
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

ignoreregex =

[falko]

Add the following line to the failregex stanza in sshd..conf and restart fail2ban:

Code:

^%(__prefix_line)sFailed [-/\w]+ for invalid user .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

[eeyore]

Thanks falko, I added the line but still not working.

It seems like there is a problem with the time because if I run:


fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Code:

...
[4] 77 match(es)
...
Addresses found:
...
xxx.193.4.5 (Wed Jan 21 20:47:35 2009)
...
31157 hit(s): ISO 8601

Success, the total number of match is 181

But /var/log/secure says:

Code:

2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from xxx.193.4.5

What can I do with that?

[falko]

That's a different error message; I think it should be covered by the
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
regex.

[eeyore]

When I run regex it is working OK but there's wrong time. For some reason it decrease 2 hours which is marked to secure log (+02:00).

example,
regex: xxx.193.4.5 (Wed Jan 21 20:47:35 2009) <->
secure log: 2009-01-21T22:47:35.525108+02:00

If I edit secure log timezone to +00:00 and run regex, the time is ok.

Should I change fail2ban config somehow, timezone settings or what?

[eeyore]

Problem solved, this is post from Cyril Jaquier:

Replace utctimetuple with timetuple in datetemplate.py.

Code:

 		if dateMatch:
 			# Parses the date.
 			value = dateMatch.group()
- -			date = list(iso8601.parse_date(value).utctimetuple())
+			date = list(iso8601.parse_date(value).timetuple())
 		return date

https://sourceforge.net/tracker2/ind...32&atid=689044
The fix will be in 0.8.4.