List: fail2ban-users
Subject: Re: [Fail2ban-users] Problem with sshd.conf filter...
From: Jason Brooks <jason.brooks () eroi ! com>
Date: 2016-07-07 18:59:42
Message-ID: 71D09E43-B59A-499A-BA4C-E5DD0E463234 () eroi ! com
Hello,
I have seen these messages also, but found that fail2ban was working. You should see the lines appearing at least as many times as your "maxretry" value within the "findtime" timeframe. The fail2ban.log file will show which IP addresses are being banned and unbanned, and by what service (such as SSH).

Also, check the output of "iptables -L". You should see a chain titled "fail2ban-ssh": this is where fail2ban inserts its rules. If there are any bans present, you should see a corresponding rule there. For example, right now mine shows as
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 10.189.255.250 anywhere
RETURN all -- anywhere anywhere
The log entries you show are in groups of four. It won't trigger on the "POSSIBLE BREAK-IN ATTEMPT" (line 1). It probably should trigger on line two (authentication failure...). It definitely should trigger on line 3 "failed password for root from <ip>...", and line 4 is just a notification.

1) reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
2) pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
3) Failed password for root from 185.12.6.237 port 55199 ssh2
4) Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]

Check your fail2ban log file: if the remote IP address isn't being banned, then definitely add that line.
—jason
Jason Brooks Systems Administrator
eROI Performance is Art.
m: 505 nw couch #300 w: eroi.com <http://eroi.com/>
t: 503.290.3105 f: 503.228.4249
fb: fb.com/eROI <http://www.facebook.com/eROI>
> On Jul 7, 2016, at 11:29 AM, admin@redtailbooks.com wrote:
>
> Zurd, Thanks for the regex for the "POSSIBLE BREAK-IN" entries. I will test and add to my custom filter.
>
> But I was concerned that the stock sshd filter should be catching the "authentication failure" and "Failed password" entries...
>
> Can you suggest a new regex that will allow sshd to catch these?
>
> Thanks
> dave
>
> On 7/6/2016 7:11 PM, Zurd wrote:
> > https://sourceforge.net/p/fail2ban/mailman/message/28882147/
> > Looks like someone else asked for this filter to be added too back in 2012 but there was no answer unfortunately.
> > Add this in /etc/fail2ban/filter.d/sshd.conf:
> > ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
> > And try again:
> > fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
> >
> > Or
> > fail2ban-regex 'Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!' /etc/fail2ban/filter.d/sshd.conf
> >
> >
> > On Wed, Jul 6, 2016 at 5:34 PM, <admin@redtailbooks.com> wrote:
> > Shouldn't the stock sshd.conf filter be catching these authentication failures? If not... can someone suggest a new regex line that will?
> > thanks,
> > dave
> >
> > auth.log
> > Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
> > Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
> > Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> > Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
> > Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
> > Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> > Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
> > Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
> > Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> > Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
> > Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
> > <snip>
> >
> > jail.local
> > [ssh]
> > enabled = true
> > port = ssh,sftp
> > filter = sshd
> > logpath = /var/log/auth.log
> > maxretry = 3
> >
> > sshd.conf
> > failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
> >             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
> >             ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
> >             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
> >             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
> >             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
> >             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
> >             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
> >             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
> >             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
> >             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
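To see concretely which of the four log lines the stock filter counts, and how maxretry and findtime turn matches into a ban, here is an added Python example; it is not code from the thread or from fail2ban itself. It expands the placeholders the way fail2ban-regex would, using a simplified stand-in for %(__prefix_line)s and an approximation of <HOST> (both are assumptions made for the example; the real definitions in fail2ban's common.conf are wider), runs a subset of the stock failregex lines plus Zurd's reverse-mapping line over the auth.log excerpt quoted in the thread (embedded as constructed sample input), and replays a jail with maxretry = 3 and fail2ban's default findtime of 600 seconds. With the stock patterns only the "Failed password" lines match, since the pam_unix line has no "for ... from <HOST>" form, so the ban lands on the third of them; with the extra line, the reverse-mapping warnings count too and the ban comes earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s: syslog timestamp, hostname, "sshd[pid]: ".
# This is an assumption for the example; the real definition in common.conf is much broader.
PREFIX = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
# Approximation of fail2ban's <HOST> tag (an IPv4 address or hostname); the real one
# also accepts IPv4-mapped IPv6 forms.
HOST = r"(?P<host>[\w\-.^_]*\w)"
# Stand-in for %(__md5hex)s, a colon-separated MD5 key fingerprint.
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"

# A subset of the stock failregex lines quoted in the thread, in the same order.
STOCK_FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    r"^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$",
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
]
FAILED_PASSWORD_INDEX = 2  # position of the "Failed \S+ for ... from <HOST>" line above

# The extra line Zurd proposed for the reverse-mapping warning.
EXTRA_FAILREGEX = [
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$",
]

# Constructed sample input: the auth.log excerpt from the thread, not live data.
SAMPLE_AUTH_LOG = """\
Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
""".splitlines()


def compile_filter(patterns):
    """Expand the fail2ban placeholders and compile each failregex, as fail2ban-regex would."""
    compiled = []
    for pattern in patterns:
        expanded = (pattern.replace("%(__prefix_line)s", PREFIX)
                           .replace("<HOST>", HOST)
                           .replace("%(__md5hex)s", MD5HEX))
        compiled.append(re.compile(expanded))
    return compiled


def match_line(line, compiled):
    """Return (timestamp, host, index of the first matching failregex), or None if none match."""
    for index, regex in enumerate(compiled):
        m = regex.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is enough
            # for comparing times within one log (fail2ban assumes the current year).
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host"), index
    return None


def run_jail(lines, patterns, maxretry=3, findtime=600):
    """Replay a jail over log lines: a host is banned once it has >= maxretry matching
    lines within findtime seconds (600 s is fail2ban's default findtime; the thread's
    jail.local only sets maxretry = 3). Returns (matched lines, {host: ban time})."""
    compiled = compile_filter(patterns)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of its failures inside the window
    banned = {}
    matched = []
    for line in lines:
        hit = match_line(line, compiled)
        if hit is None:
            continue
        ts, host, index = hit
        matched.append((ts, host, index))
        if host in banned:
            continue
        failures = recent[host]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()          # drop failures that fell out of findtime
        if len(failures) >= maxretry:
            banned[host] = ts
    return matched, banned


if __name__ == "__main__":
    for label, patterns in (("stock sshd.conf", STOCK_FAILREGEX),
                            ("stock + reverse-mapping line", STOCK_FAILREGEX + EXTRA_FAILREGEX)):
        matched, banned = run_jail(SAMPLE_AUTH_LOG, patterns)
        print(f"{label}: {len(matched)} of {len(SAMPLE_AUTH_LOG)} lines match; bans: "
              + ", ".join(f"{h} at {t:%H:%M:%S}" for h, t in banned.items()))
```

Run as a script it prints both outcomes. The findtime argument matters as much as maxretry: with the same four "Failed password" lines, a findtime of 5 seconds still bans at 11:51:09, while a findtime of 4 seconds never accumulates three failures and bans nothing. Against a real log and the real filter, the fail2ban-regex invocation quoted above remains the authoritative check, since the actual %(__prefix_line)s and <HOST> definitions are wider than the stand-ins used here.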
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users