Zurd, Thanks for the regex for the "POSSIBLE BREAK-IN" entries. I will
test and add to my custom filter.
But I was concerned that the stock sshd filter should be catching the
"authentication failure" and "Failed password" entries...
Can you suggest a new regex that will allow sshd to catch these?
Thanks
dave
On 7/6/2016 7:11 PM, Zurd wrote:
https://sourceforge.net/p/fail2ban/mailman/message/28882147/
Looks like someone else asked for this filter to be added too back in
2012 but there was no answer unfortunately.
Add this in /etc/fail2ban/filter.d/sshd.conf:
^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
And try again:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Or
fail2ban-regex 'Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!' /etc/fail2ban/filter.d/sshd.conf
On Wed, Jul 6, 2016 at 5:34 PM, <[email protected]> wrote:
Shouldn't the stock sshd.conf filter be catching these
authentication failures? If not... can someone suggest a new regex
line that will?
thanks,
dave

*auth.log*
Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
<snip>
*jail.local*
[ssh]
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
*sshd.conf*
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
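Added example (not from the thread or from fail2ban itself): a small Python check that runs three of the filter lines discussed above, the stock "authentication failure for ... from" rule, the stock "Failed password" rule, and Zurd's reverse-mapping rule, over a constructed copy of one connection from the auth.log excerpt. It assumes a simplified stand-in for %(__prefix_line)s and <HOST>, and it shows that the pam_unix "authentication failure; ... rhost=" line has a different shape from the "authentication failure for USER from HOST" form the stock rule expects, while the "Failed password" and reverse-mapping lines do match and yield the host.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log excerpt in this thread
# (one connection: reverse-mapping warning, pam_unix failure, Failed password, disconnect).
SAMPLE_LOG = """\
Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
"""

# Assumption: a simplified stand-in for fail2ban's %(__prefix_line)s. Real fail2ban
# strips the timestamp first and builds the prefix from common.conf; this one just
# consumes "<date> <host> sshd[<pid>]: " so the rules below can be tried with plain re.
PREFIX_LINE = r"\s*\S+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
HOST = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST> tag

RULES = [
    # stock sshd.conf rule 1: expects "... authentication failure for USER from HOST"
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    # stock sshd.conf "Failed password" rule, trailing key-fingerprint group omitted
    r"^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    # Zurd's proposed rule for the reverse-mapping warning
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$",
]


def compile_rule(rule):
    """Expand the two fail2ban placeholders used in the thread's filter lines."""
    return re.compile(rule.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))


def scan(log, rules=RULES):
    """Per log line: (index of first matching rule, captured host), or None if no rule fires."""
    compiled = [compile_rule(r) for r in rules]
    result = []
    for line in log.splitlines():
        hit = None
        for idx, rx in enumerate(compiled):
            m = rx.match(line)
            if m:
                hit = (idx, m.group("host"))
                break
        result.append(hit)
    return result


def failures_per_host(log, rules=RULES):
    """Matched lines per host; this is the count fail2ban compares with maxretry."""
    return Counter(hit[1] for hit in scan(log, rules) if hit is not None)


if __name__ == "__main__":
    for line, hit in zip(SAMPLE_LOG.splitlines(), scan(SAMPLE_LOG)):
        print(hit, "<-", line[:60])
    print(failures_per_host(SAMPLE_LOG))
```

With the jail.local above (maxretry = 3) the full excerpt would reach the threshold on the third "Failed password" line even without Zurd's rule; adding it counts the reverse-mapping warning as a separate hit per connection.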
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users