Hello,

The auth.log contains lines like this:

Nov 22 08:02:40 jozjan sshd[32068]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname.of.some.host user=abc
Nov 22 08:02:42 jozjan sshd[12242]: error: PAM: Authentication failure for abc from hostname.of.some.host

And inline answer:

> -----Original Message-----
> From: Yaroslav Halchenko [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 22, 2007 9:26 AM
> To: Jozef Janitor; [EMAIL PROTECTED]
> Subject: Re: Bug#452346: fail2ban-regex does not work
> 
> could you share auth.log in question?
> 
> > The Sarge version from official backports seems to work:
> you meant etch?

No, there is fail2ban (v0.7.5-2) in the standard apt sources for Etch.
But this version seems to have issues with the "fail2ban-regex" command.
But we also have a server running still on Sarge where I had to use the
backports http://packages.debian.org/sarge-backports/fail2ban version
(v0.8.1-2) of fail2ban. This one seems to work with no issues.
I just noticed that there is also a newer (v0.8.1-2) version of fail2ban
for Etch in the backports http://packages.debian.org/etch-backports/fail2ban
so maybe I will just upgrade to this new version.

All the best,
   Jozef Janitor

> and there is no official backports in Debian project ;-) there is
> backports.org though ;-)
> 
> On Thu, 22 Nov 2007, Jozef Janitor wrote:
> 
> > Package: fail2ban
> > Version: 0.7.5-2
> > Debian version: Etch
> 
> > The "fail2ban-regex" command has problems with the input parameters.
> > When I invoke "fail2ban-regex /var/log/auth.log
> > /etc/fail2ban/filter.d/sshd.conf" it ends up with "Sorry, no match" result.
> 
> > [code]
> > jozjan:~# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
> 
> > Sorry, no match
> > [/code]
> 
> > When I invoke "fail2ban-regex foo foo" it ends up with this message:
> 
> > [code]
> > jozjan:~# fail2ban-regex foo foo
> 
> > Found a match but no valid date/time found for foo. Please contact the author in order to get support for this format
> 
> > Sorry, no match
> > [/code]
> 
> 
> > The Sarge version from official backports seems to work:
> 
> > [code]
> > ns:~# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
> 
> > Running tests
> > =============
> 
> > Use regex file : /etc/fail2ban/filter.d/sshd.conf
> > Use log file   : /var/log/auth.log
> 
> 
> > Results
> > =======
> 
> > Failregex
> > |- Regular expressions:
> > |  [1] (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
> > |  [2] Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
> > |  [3] ROOT LOGIN REFUSED.* FROM <HOST>\s*$
> > |  [4] [iI](?:llegal|nvalid) user .* from <HOST>\s*$
> > |  [5] User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
> > |  [6] User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
> 
> > `- Number of matches:
> >    [1] 0 match(es)
> >    [2] 58 match(es)
> >    [3] 0 match(es)
> >    [4] 0 match(es)
> >    [5] 0 match(es)
> >    [6] 0 match(es)
> 
> > Ignoreregex
> > |- Regular expressions:
> 
> > `- Number of matches:
> 
> > Summary
> > =======
> 
> > Addresses found:
> > [1]
> > [2]
> >     147.x.x.x (Thu Nov 22 02:00:59 2007)
> >     147.x.y.z (Thu Nov 22 02:03:05 2007)
> >     ...
> > [3]
> > [4]
> > [5]
> > [6]
> 
> > Date template hits:
> > 58 hit(s): Month Day Hour:Minute:Second
> > 0 hit(s): Weekday Month Day Hour:Minute:Second Year
> > 0 hit(s): Weekday Month Day Hour:Minute:Second
> > 0 hit(s): Year/Month/Day Hour:Minute:Second
> > 0 hit(s): Day/Month/Year:Hour:Minute:Second
> > 0 hit(s): Year-Month-Day Hour:Minute:Second
> > 0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
> > 0 hit(s): TAI64N
> > 0 hit(s): Epoch
> 
> > Success, the total number of match is 58
> 
> > However, look at the above section 'Running tests' which could contain important
> > information.
> > [/code]
> 
> > Although the sarge backport version is 0.8.1-2~bpo31+1, which is a "complete
> > rewrite of 0.7 version", so maybe the behavior of fail2ban-regex in the 0.7
> > brand is a bit different. But whatever the behavior is, it's not working in
> > Etch :-(
> 
> > Thank you.
> 
> > All the best,
> >    Jozef Janitor
> 
> --
> Yaroslav Halchenko
> Research Assistant, Psychology Department, Rutgers-Newark
> Student  Ph.D. @ CS Dept. NJIT
> Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
>         101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
> WWW:     http://www.linkedin.com/in/yarik
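
An added example, not part of the original message and not fail2ban's own code: a small Python check that runs the six failregex entries quoted above over the two auth.log lines from this message, plus one constructed "Failed password" line. The `<HOST>` expansion used here is a simplified assumption, and the script does no timestamp detection, which fail2ban-regex also performs.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (hostname or IP token).
HOST = r"(?P<host>\S+)"

# The six failregex entries from the fail2ban-regex output quoted above.
FAILREGEX = [
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User .+ from <HOST> not allowed because not listed in AllowUsers\s*$",
    r"User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
]

# First two lines are the auth.log lines from the message; the third is constructed.
SAMPLE_LOG = """\
Nov 22 08:02:40 jozjan sshd[32068]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname.of.some.host user=abc
Nov 22 08:02:42 jozjan sshd[12242]: error: PAM: Authentication failure for abc from hostname.of.some.host
Nov 22 08:03:10 jozjan sshd[12250]: Failed password for abc from 192.0.2.10 port 40022 ssh2
"""

def compile_filters(patterns):
    """Expand the <HOST> tag and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def scan(log_text, patterns=FAILREGEX):
    """Return (per-regex match counts, per-line (regex number, host) or None)."""
    compiled = compile_filters(patterns)
    counts = [0] * len(compiled)
    hits = []
    for line in log_text.splitlines():
        found = None
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:  # first matching regex wins for this line
                counts[idx] += 1
                found = (idx + 1, m.group("host"))
                break
        hits.append(found)
    return counts, hits

if __name__ == "__main__":
    counts, hits = scan(SAMPLE_LOG)
    for n, c in enumerate(counts, 1):
        print(f"[{n}] {c} match(es)")
    for line, hit in zip(SAMPLE_LOG.splitlines(), hits):
        print("MATCH" if hit else "MISS ", hit, "|", line)
```

Under these assumptions the `(pam_unix) authentication failure; ... rhost=` line matches none of the six expressions (the match is case-sensitive and the line has no `from <HOST>` part), while the `error: PAM:` line is caught by regex [1].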


