Shouldn't the stock sshd.conf filter be catching these authentication
failures? If not... can someone suggest a new regex line that will?
thanks,
dave

*auth.log*
Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
<snip>
*jail.local*
[ssh]
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
*sshd.conf*
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
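To see which of the quoted stock patterns fire on these log lines, here is an added Python checker (not fail2ban's own code; a simplified stand-in for its fail2ban-regex tool) that expands the <HOST>, %(__prefix_line)s and %(__md5hex)s placeholders and runs two of the stock patterns, plus one hypothetical pam_unix pattern written for this example, over sample lines constructed from the excerpt above. The placeholder definitions are assumed simplifications of fail2ban's internal ones.

```python
import re

# Constructed sample lines, shaped like the auth.log excerpt above.
SAMPLE_LINES = [
    "Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root",
    "Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2",
    "Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]",
]

# Assumed, simplified stand-ins for fail2ban's internal definitions: the syslog
# timestamp is stripped first, "host sshd[pid]: " may precede the message, and
# <HOST> captures the address or hostname into a named group.
TIMESTAMP = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:sshd(?:\[\d+\])?:\s+)?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"

FAILREGEX = {
    # two of the stock patterns quoted from sshd.conf above
    "auth_failure_for": r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    "failed_password": r"^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?"
                       r'(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
    # hypothetical extra pattern, written for this example, covering the pam_unix line
    "pam_unix_added": r"^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure; .* rhost=<HOST>(?: user=\S*)?\s*$",
}


def expand(pattern):
    """Replace the fail2ban placeholders so the pattern is a plain Python regex."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("%(__md5hex)s", MD5HEX)
    return re.compile(pattern.replace("<HOST>", HOST))


def match_line(line):
    """Return {pattern_name: host} for every failregex that matches one log line."""
    body = TIMESTAMP.sub("", line)
    hits = {}
    for name, pattern in FAILREGEX.items():
        m = expand(pattern).match(body)
        if m:
            hits[name] = m.group("host")
    return hits


def scan(lines):
    """Return one (line, hits) pair per input line, in order."""
    return [(line, match_line(line)) for line in lines]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES):
        print(hits or "no match", "<-", line)
```

The "Failed password for root from ... port ... ssh2" line is caught by the stock `Failed \S+ for` pattern, so with maxretry = 3 the three failures above should already count; the pam_unix line matches none of the stock patterns and only the added one.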
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users