First, I apologize if this is not the proper channel for this. I have spent some time trying to track down why fail2ban works on one system but not another when I have made sure all is set up the same. I believe I have tracked it down to the following:
### Fail2ban works with the auth.log in this format.

Jul 31 03:29:45 deb-laptop sshd[2753]: Did not receive identification string from 163.172.198.246
Jul 31 03:29:45 deb-laptop sshd[2754]: reverse mapping checking getaddrinfo for 163-172-198-246.rev.poneytelecom.eu [163.172.198.246] fai$
Jul 31 03:29:45 deb-laptop sshd[2754]: Invalid user admin from 163.172.198.246
Jul 31 03:29:45 deb-laptop sshd[2754]: input_userauth_request: invalid user admin [preauth]
Jul 31 03:29:46 deb-laptop sshd[2754]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 03:29:46 deb-laptop sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.$
Jul 31 03:29:48 deb-laptop sshd[2754]: Failed password for invalid user admin from 163.172.198.246 port 62295 ssh2
Jul 31 03:29:48 deb-laptop sshd[2754]: Received disconnect from 163.172.198.246: 11: Closed due to user request. [preauth]

### Fail2ban does not work with auth.log in this format.

Jul 31 03:29:45 deb-pogo auth.info sshd[2753]: Did not receive identification string from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: reverse mapping checking getaddrinfo for 163-172-198-246.rev.poneytelecom.eu [163.172.198.246] fai$
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: Invalid user admin from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: input_userauth_request: invalid user admin [preauth]
Jul 31 03:29:46 deb-pogo authpriv.warn sshd[2754]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 03:29:46 deb-pogo authpriv.notice sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.$
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin from 163.172.198.246 port 62295 ssh2
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Received disconnect from 163.172.198.246: 11: Closed due to user request. [preauth]

Note the "auth.info" addition in the second example.
### Yes, I know this is only one attempt, but I have several hours' worth if you wish to read all the attempts from the same IP.

### Need to modify "__prefix_line" for "__bsd_syslog_verbose" to be after "__hostname"

### From common.conf

# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)

# Common line prefixes (beginnings) which could be used in filters
#
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

### A guess at a change to work for the second auth.log did not work.

__prefix_line = \s*%(__hostname)s?\s*(?:%(__bsd_syslog_verbose)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

### Below is used to make syslogd write to auth.log

cat /etc/default/busybox-syslogd
# Defaults for busybox-syslogd initscript
# This is a POSIX shell fragment sourced by /etc/init.d/busybox-syslogd
# Additional options that are passed to the daemons. Default is to log
# to ring buffer (to be read with logread(1)) and drop duplicates.
SYSLOG_OPTS="-C128" # -S did not remove the additional text
KLOG_OPTS=""

# in /etc/rc.local
/sbin/syslogd -O /var/log/auth.log || exit 1

I do not understand all the ?)% and such to know when one variable ends and another starts. How can I modify the common.conf file to have the "__bsd_syslog_verbose" in the proper location to read the second auth.log file properly? Thank you for any assistance you can provide.
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
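An added example (not part of the post above and not fail2ban's own code) that models how the quoted __prefix_line is applied to the two log formats. It shows the detail that decides the outcome: the quoted __bsd_syslog_verbose pattern `(<[^.]+\.[^.]+>)` only matches a bracketed tag such as `<auth.info>`, while busybox syslogd writes `auth.info` without brackets, so moving the tag after the hostname (the poster's guess) still cannot match. The HOSTNAME, DAEMON and TIMESTAMP sub-patterns are simplified stand-ins for fail2ban's __hostname, __daemon_combs_re and date detection, FAILREGEX is a simplified stand-in for the sshd filter's "Failed password" rule, VERBOSE_EITHER is a hypothetical variant that accepts both forms, and the sample lines are constructed with a documentation IP; all of these are assumptions, not taken from the post or from fail2ban.

```python
import re

# Sub-patterns modelled on the common.conf fragment quoted in the post.
# HOSTNAME, DAEMON and TIMESTAMP are simplified stand-ins (assumptions),
# not fail2ban's exact __hostname, __daemon_combs_re or date detector.
HOSTNAME = r"\S+"
DAEMON = r"sshd(?:\[\d+\])?:"
TIMESTAMP = r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "

# Exactly the quoted __bsd_syslog_verbose: it only matches a bracketed <facility.level>.
VERBOSE_BRACKETED = r"(<[^.]+\.[^.]+>)"
# Hypothetical variant that also accepts the bare "auth.info" form busybox syslogd writes.
VERBOSE_EITHER = r"(<[^.<>\s]+\.[^.<>\s]+>|[^.<>\s]+\.[^.<>\s]+)"

# Simplified stand-in for the sshd filter's "Failed password" rule (assumption).
FAILREGEX = re.compile(r"^Failed password for .* from (?P<host>\S+) port \d+ ssh2$")


def build_prefix(verbose_re, verbose_after_host):
    """Assemble a __prefix_line-style regex with the verbose tag either before
    the hostname (as quoted from common.conf) or after it (the poster's idea)."""
    if verbose_after_host:
        body = rf"\s*(?:{HOSTNAME} )?(?:{verbose_re} )?{DAEMON}\s*"
    else:
        body = rf"\s*{verbose_re}?\s*(?:{HOSTNAME} )?{DAEMON}\s*"
    return re.compile(TIMESTAMP + body)


def extract_failed_host(prefix_re, line):
    """Return the remote host from a 'Failed password' line, or None when the
    prefix does not match (fail2ban would then never count the failure)."""
    m = prefix_re.match(line)
    if not m:
        return None
    fm = FAILREGEX.match(line[m.end():])
    return fm.group("host") if fm else None


# Constructed sample lines in the two formats from the post (documentation IP, not a real host).
LAPTOP_LINE = ("Jul 31 03:29:48 deb-laptop sshd[2754]: Failed password for invalid user admin "
               "from 192.0.2.10 port 62295 ssh2")
POGO_LINE = ("Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin "
             "from 192.0.2.10 port 62295 ssh2")

ORIGINAL = build_prefix(VERBOSE_BRACKETED, verbose_after_host=False)      # as quoted from common.conf
GUESS = build_prefix(VERBOSE_BRACKETED, verbose_after_host=True)          # the poster's attempted change
EITHER_AFTER_HOST = build_prefix(VERBOSE_EITHER, verbose_after_host=True)  # hypothetical fix

if __name__ == "__main__":
    variants = [("original", ORIGINAL), ("guess", GUESS), ("either-after-host", EITHER_AFTER_HOST)]
    for name, prefix in variants:
        for label, line in [("deb-laptop", LAPTOP_LINE), ("deb-pogo", POGO_LINE)]:
            print(f"{name:18} {label:10} -> {extract_failed_host(prefix, line)}")
```

Running the block prints one row per (prefix variant, log format) pair: the quoted prefix and the poster's guess both return None for the deb-pogo line, and only the variant that tolerates the unbracketed tag after the hostname recovers the host from both formats. Any change to the real common.conf should be checked against the actual log with fail2ban's own tester, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the filter matched and which ones it missed.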
