Hello... I have a problem I have tried to search for but I am probably not 
using the right terms for.  I am seeing problems in the log after certain 
fail2ban.actions entries and I think that it might just be something that I 
have not set up correctly in terms of logging.

I am setting up f2b on RHEL7 machines, specifically el7.2.  Specifically the 
packaged version at epel right now appears to be 0.9.5.   What is happening is 
that with specific log entries it appears that rsyslog chokes and many log 
entries get munged together with \n line feeds.  Logwatch then chokes really 
badly on these log entries.  

Here is an example with some items sanitized out (and it's truncated a bit, but 
you get the idea)

Oct 24 10:02:47 HOSTNAME fail2ban.actions[9531]: ERROR Failed to execute ban 
jail 'ssh-repeater' action 'iptables-repeater' info 
'CallingMap({'ipjailmatches': <function <lambda> at 0x19130c8>, 'matches': 'Oct 
14 15:46:52 HOSTNAME sshd[1805]: Invalid user admin from 111.111.111.111\nOct 
14 15:46:52 HOSTNAME sshd[1805]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=111.111.111.111\nOct 14 15:46:54 
HOSTNAME sshd[1805]: Failed password for invalid user admin from 
111.111.111.111 port 18909 ssh2\nOct 14 15:46:56 HOSTNAME sshd[1805]: Failed 
password for invalid user admin from 111.111.111.111 port 18909 ssh2\nOct 14 
15:46:59 HOSTNAME sshd[1805]: Failed password for invalid user admin from 
111.111.111.111 port 18909 ssh2\nOct 14 15:47:01 HOSTNAME sshd[1805]: Failed 
password for invalid user admin from 111.111.111.111 port 18909 ssh2\nOct 14 
15:47:04 HOSTNAME sshd[1805]: Failed password for invalid user admin from 
111.111.111.111 port 18909 ssh2\nOct 14 15:47:06 HOSTNAME sshd[1805]: Failed 
password for invalid user admin from 
111.111.111.111 port 18909 ssh2\nOct 14 15:47:08 HOSTNAME sshd[1818]: Invalid 
user admin from 111.111.111.111\nOct 14 15:47:08 HOSTNAME sshd[1818]: 
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=111.111.111.111\nOct 14 15:47:10 HOSTNAME sshd[1818]: Failed 
password for invalid user admin from 111.111.111.111 port 21444 ssh2\nOct 14 
15:47:12 HOSTNAME sshd[1818]: Failed password for invalid user admin from 
111.111.111.111 port 21444 ssh2\nOct 14 15:47:14 HOSTNAME sshd[1818]: Failed 
password for invalid user admin from 111.111.111.111 port 21444 ssh2\nOct 14 
15:47:17 HOSTNAME sshd[1818]: Failed password for invalid user admin from 
111.111.111.111 port 21444 ssh2\nOct 14 15:47:19 HOSTNAME sshd[1818]: Failed 
password for invalid user admin from 111.111.111.111 port 21444 ssh2\nOct 14 
15:47:21 HOSTNAME sshd[1818]: Failed password for invalid user admin from 
111.111.111.111 port 21444 ssh2\nOct 14 15:47:23 HOSTNAME sshd[1827]: Invalid 
user admin from 
111.111.111.111\nOct 14 15:47:23 HOSTNAME sshd[1827]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=111.111.111.111\nOct 14 15:47:25 HOSTNAME sshd[1827]: Failed password for 
invalid user admin from 111.111.111.111 port 23722 ssh2\nOct 14 15:47:28 
HOSTNAME sshd[1827]: Failed password for invalid user admin from 
111.111.111.111 port 23722 ssh2\nOct 14 15:47:31 HOSTNAME sshd[1831]: Invalid 
user service from 111.111.111.111\nOct...

So.. I do know there is an error there that I need to correct, but I am 
interested in when these errors do show up that they don't break the logs.

I am not setting anything special in terms of logging.  It's just the default 
that is in the stock fail2ban.conf.  Since I don't see a lot of reports of 
similar things happening, is there something I am missing?  Should I log 
fail2ban errors to a file instead, maybe?



Thanks!

-dcl
Dave LeFevre
Math & Stat Department Linux Systems Administrator
Purdue University College of Science
Phone: 765-49-62202
Outside Purdue Messaging: skype: dave.lefevre.purdue email: [email protected]

Please send your CoS I.T. related support requests to [email protected] or 
call 49-44488 for your immediate needs.
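
Added example, not part of the original post and not fail2ban or logwatch code: one way to keep an entry like the one above from breaking a line-oriented report is to collapse it to a short summary before the report parser reads it. The names summarize, render and SAMPLE are hypothetical, the sample line is constructed from the excerpt with the documentation address 192.0.2.10, and the code assumes the embedded entries are joined by a literal backslash-n as shown in the excerpt.

```python
import re

# Header of the fail2ban.actions error shown in the post. The 'matches' value
# holds the triggering log lines joined by a literal backslash-n sequence.
HEADER = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ [\d:]{8}) \S+ fail2ban\.actions\[\d+\]: ERROR "
    r"Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
)
MATCHES = re.compile(r"'matches': '(?P<body>.*)", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def summarize(line):
    """Return a summary dict for a ban-failure entry, or None for other lines."""
    # Undo transport folding (real newlines); literal "\n" separators stay.
    flat = " ".join(part.strip() for part in line.splitlines())
    head = HEADER.match(flat)
    if head is None:
        return None
    found = MATCHES.search(flat)
    body = found.group("body") if found else ""
    # A truncated trailing fragment is counted as an entry too.
    entries = [e.strip() for e in body.split("\\n") if e.strip()]
    return {
        "stamp": head.group("stamp"),
        "jail": head.group("jail"),
        "action": head.group("action"),
        "embedded_entries": len(entries),
        "source_ips": sorted(set(IPV4.findall(body))),
    }


def render(summary):
    return ("{stamp} fail2ban ban-failed jail={jail} action={action} "
            "embedded_entries={embedded_entries} ips={ips}").format(
                ips=",".join(summary["source_ips"]), **summary)


# Constructed sample modelled on the excerpt in the post, truncated the same way.
SAMPLE = (
    "Oct 24 10:02:47 HOSTNAME fail2ban.actions[9531]: ERROR Failed to execute ban "
    "jail 'ssh-repeater' action 'iptables-repeater' info "
    "'CallingMap({'ipjailmatches': <function <lambda> at 0x19130c8>, 'matches': '"
    "Oct 14 15:46:52 HOSTNAME sshd[1805]: Invalid user admin from 192.0.2.10\\n"
    "Oct 14 15:46:54 HOSTNAME sshd[1805]: Failed password for invalid user admin "
    "from 192.0.2.10 port 18909 ssh2\\nOct\n  14 15:46:56 HOSTNAME sshd[1805]: "
    "Failed password for invalid user admin from 192.0.2.10 port 18909 ssh2\\nOct..."
)

if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```

Lines that are not fail2ban ban-failure errors return None from summarize and can be passed through unchanged.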

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users