https://sourceforge.net/p/fail2ban/mailman/message/28882147/

Looks like someone else asked for this filter to be added too back in 2012
but there was no answer unfortunately.

Add this in /etc/fail2ban/filter.d/sshd.conf:
^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$

And try again:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Or
fail2ban-regex 'Jul  6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!' /etc/fail2ban/filter.d/sshd.conf



On Wed, Jul 6, 2016 at 5:34 PM, <[email protected]> wrote:

> Shouldn't the stock sshd.conf filter be catching these authentication
> failures? If not... can someone suggest a new regex line that will?
> thanks,
> dave
>
> *auth.log*
> Jul  6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul  6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root
> Jul  6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
> Jul  6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> Jul  6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul  6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root
> Jul  6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
> Jul  6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> Jul  6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul  6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root
> Jul  6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
> Jul  6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
> Jul  6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul  6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root
> Jul  6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
> <snip>
>
> *jail.local*
> [ssh]
> enabled  = true
> port     = ssh,sftp
> filter   = sshd
> logpath  = /var/log/auth.log
> maxretry = 3
>
> *sshd.conf*
> failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
>             ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
>             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
>             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
>             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
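As an added illustration that is not part of the thread: a small Python script that mimics what fail2ban-regex does for the lines quoted above, expanding %(__prefix_line)s and <HOST> with simplified stand-ins (an assumption; fail2ban's real common.conf definitions cover more syslog layouts) and counting per-host hits against the jail's maxretry. It shows that the stock patterns ignore the reverse-mapping line while the proposed one extracts the host from it.

```python
import re

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption; the real
# common.conf definition handles more layouts). Timestamp is stripped separately.
PREFIX_LINE = r"\s*(?:\S+\s+)?sshd(?:\[\d+\])?:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # fail2ban's <HOST> expansion
TIMESTAMP = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\s+")

# Three stock sshd.conf lines from the thread (ruser/CA tail of "Failed" omitted).
STOCK_FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    r"^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]
REVERSE_MAPPING_REGEX = (  # the line proposed in the reply above
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\]"
    r" failed - POSSIBLE BREAK-IN ATTEMPT!\s*$"
)

def compile_failregex(pattern):
    """Expand the fail2ban placeholders and compile the resulting pattern."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)

def match_hosts(lines, patterns):
    """Return {host: hits}; each line counts once, for the first pattern it matches."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = {}
    for line in lines:
        body = TIMESTAMP.sub("", line)          # fail2ban matches after date removal
        m = next(filter(None, (rx.match(body) for rx in compiled)), None)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits

def would_ban(hits, maxretry=3):
    """Hosts reaching the jail's maxretry (3 in the jail.local quoted above)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

SAMPLE_LOG = [  # constructed from the auth.log excerpt quoted in the thread
    "Jul  6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root",
    "Jul  6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2",
    "Jul  6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]",
    "Jul  6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2",
]

hits = match_hosts(SAMPLE_LOG, STOCK_FAILREGEX + [REVERSE_MAPPING_REGEX])
print(hits, "would ban:", would_ban(hits))
```

Note that the pam_unix and "Received disconnect" lines match nothing here, which is why only the sshd-specific patterns count toward the ban.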