Fail2ban not working with FC10

Discussion in 'HOWTO-Related Questions' started by eeyore, Jan 21, 2009.

  1. eeyore

    eeyore New Member

    I just upgraded Fedora from 8 to 10. Fail2ban worked very well in core 8 but now it is not working anymore. Fail2ban is running normal but it is not banning because the /var/log/secure log is different:

    fc8:
    Aug 3 14:53:34 monica sshd[3954]: Failed password for root from xxx.90.213.110 port 3231 ssh2

    fc10:
    2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: Failed password for invalid user oracle from xxx.193.4.5 port 55490 ssh2

    Fail2ban version is 0.8.3-16. Any solutions?
     
  2. marpada

    marpada New Member

    Last edited: May 13, 2011
  3. eeyore

    eeyore New Member

    Ok, sounds good but I have no idea how to do that. I guess the problem is the date stamp so is there any chance to change logger config back to old mode?
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in the sshd filter right now? What's in /etc/fail2ban/jail.conf?
     
  5. eeyore

    eeyore New Member

    /etc/fail2ban/jail.conf
    /etc/fail2ban/filter.d/sshd.conf
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Add the following line to the failregex stanza in sshd..conf and restart fail2ban:

    Code:
    ^%(__prefix_line)sFailed [-/\w]+ for invalid user .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
     
  7. eeyore

    eeyore New Member

    Thanks falko, I added the line but still not working.

    It seems like there is a problem with the time because if I run:


    fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
    Code:
    ...
    [4] 77 match(es)
    ...
    Addresses found:
    ...
    xxx.193.4.5 (Wed Jan 21 20:47:35 2009)
    ...
    31157 hit(s): ISO 8601
    
    Success, the total number of match is 181
    
    But /var/log/secure says:

    Code:
    2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from xxx.193.4.5
    
    What can I do with that?
     
  8. falko

    falko Super Moderator ISPConfig Developer

    That's a different error message; I think it should be covered by the
    ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
    regex.
     
  9. eeyore

    eeyore New Member

    When I run regex it is working OK but there's wrong time. For some reason it decrease 2 hours which is marked to secure log (+02:00).

    example,
    regex: xxx.193.4.5 (Wed Jan 21 20:47:35 2009) <->
    secure log: 2009-01-21T22:47:35.525108+02:00

    If I edit secure log timezone to +00:00 and run regex, the time is ok.

    Should I change fail2ban config somehow, timezone settings or what? :confused:
     
  10. eeyore

    eeyore New Member

    Last edited: Feb 9, 2009

Share This Page