On 10/25/2016 11:38 AM, LeFevre, David C wrote:
> Hello... I have a problem I have tried to search for but I am probably not 
> using the right terms for.  I am seeing problems in the log after certain 
> fail2ban.actions entries and I think that it might just be something that I 
> have not set up correctly in terms of logging.
> 
> I am setting up f2b on RHEL7 machines, specifically el7.2.  Specifically the 
> packaged version at epel right now appears to be 0.9.5.   What is happening 
> is that with specific log entries it appears that rsyslog chokes and many log 
> entries get munged together with \n line feeds.  Logwatch then chokes really 
> badly on these log entries.  
> 
> Here is an example with some items sanitized out (and it's truncated a bit, 
> but you get the idea)
> 
> Oct 24 10:02:47 HOSTNAME fail2ban.actions[9531]: ERROR Failed to execute ban 
> jail 'ssh-repeater' action 'iptables-repeater' info 
> 'CallingMap({'ipjailmatches': <function <lambda> at 0x19130c8>, 'matches': 
> 'Oct 14 15:46:52 HOSTNAME sshd[1805]: Invalid user admin from 
> 111.111.111.111\nOct 14 15:46:52 HOSTNAME sshd[1805]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=111.111.111.111\nOct 14 15:46:54 HOSTNAME sshd[1805]: Failed password 
> for invalid user admin from 111.111.111.111 port 18909 ssh2\nOct 14 15:46:56 
> HOSTNAME sshd[1805]: Failed password for invalid user admin from 
> 111.111.111.111 port 18909 ssh2\nOct 14 15:46:59 HOSTNAME sshd[1805]: Failed 
> password for invalid user admin from 111.111.111.111 port 18909 ssh2\nOct 14 
> 15:47:01 HOSTNAME sshd[1805]: Failed password for invalid user admin from 
> 111.111.111.111 port 18909 ssh2\nOct 14 15:47:04 HOSTNAME sshd[1805]: Failed 
> password for invalid user admin from 111.111.111.111 port 18909 !
>  ssh2\nOct 14 15:47:06 HOSTNAME sshd[1805]: Failed password for invalid user 
> admin from 111.111.111.111 port 18909 ssh2\nOct 14 15:47:08 HOSTNAME 
> sshd[1818]: Invalid user admin from 111.111.111.111\nOct 14 15:47:08 HOSTNAME 
> sshd[1818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
> euid=0 tty=ssh ruser= rhost=111.111.111.111\nOct 14 15:47:10 HOSTNAME 
> sshd[1818]: Failed password for invalid user admin from 111.111.111.111 port 
> 21444 ssh2\nOct 14 15:47:12 HOSTNAME sshd[1818]: Failed password for invalid 
> user admin from 111.111.111.111 port 21444 ssh2\nOct 14 15:47:14 HOSTNAME 
> sshd[1818]: Failed password for invalid user admin from 111.111.111.111 port 
> 21444 ssh2\nOct 14 15:47:17 HOSTNAME sshd[1818]: Failed password for invalid 
> user admin from 111.111.111.111 port 21444 ssh2\nOct 14 15:47:19 HOSTNAME 
> sshd[1818]: Failed password for invalid user admin from 111.111.111.111 port 
> 21444 ssh2\nOct 14 15:47:21 HOSTNAME sshd[1818]: Failed password for invalid 
> user admin fr!
>  om 111.111.111.111 port 21444 ssh2\nOct 14 15:47:23 HOSTNAME sshd[1827]: 
> Invalid user admin from 111.111.111.111\nOct 14 15:47:23 HOSTNAME sshd[1827]: 
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
> ruser= rhost=111.111.111.111\nOct 14 15:47:25 HOSTNAME sshd[1827]: Failed 
> password for invalid user admin from 111.111.111.111 port 23722 ssh2\nOct 14 
> 15:47:28 HOSTNAME sshd[1827]: Failed password for invalid user admin from 
> 111.111.111.111 port 23722 ssh2\nOct 14 15:47:31 HOSTNAME sshd[1831]: Invalid 
> user service from 111.111.111.111\nOct...
> 
> So... I do know there is an error there that I need to correct, but I am 
> interested in making sure that, when these errors do show up, they don't break the logs.
> 
> I am not setting anything special in terms of logging.  It's just the default 
> that is in the stock fail2ban.conf.  Since I don't see a lot of reports of 
> similar things happening, is there something I am missing?  Should I log 
> fail2ban errors to a file instead, maybe?

I suspect you've truncated this output too much.  The interesting part is the
stderr output of the action command that is executed.  That should tell us why
the action failed.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [email protected]
Boulder, CO 80301                   http://www.nwra.com
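As an added example (not code from this thread or from fail2ban itself), a small Python check that finds these munged `fail2ban.actions` ERROR entries in a syslog file and splits the embedded sshd lines back apart, so an operator can count them or see which jail and action failed without Logwatch choking on one giant line. The sample syslog lines are constructed, modelled on the entry quoted above; the field names `op`, `jail`, `action` and `embedded` are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the post: the 'matches' value is logged as one
# line in which each original newline appears as the two characters backslash + n.
SAMPLE_SYSLOG = [
    "Oct 24 10:02:47 HOSTNAME sshd[1805]: Invalid user admin from 111.111.111.111",
    "Oct 24 10:02:47 HOSTNAME fail2ban.actions[9531]: ERROR Failed to execute ban "
    "jail 'ssh-repeater' action 'iptables-repeater' info 'CallingMap({'matches': "
    "'Oct 14 15:46:52 HOSTNAME sshd[1805]: Invalid user admin from 111.111.111.111\\n"
    "Oct 14 15:46:54 HOSTNAME sshd[1805]: Failed password for invalid user admin "
    "from 111.111.111.111 port 18909 ssh2\\n"
    "Oct 14 15:47:08 HOSTNAME sshd[1818]: Invalid user admin from 111.111.111.111', "
    "'ip': '111.111.111.111'})'",
]

# Header of a fail2ban action failure: operation (ban/unban), jail and action name.
ERROR_RE = re.compile(
    r"fail2ban\.actions\[\d+\]: ERROR Failed to execute (?P<op>\w+) "
    r"jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
)
# The 'matches' value runs up to the closing quote that precedes the next
# dictionary key or the end of the CallingMap repr.
MATCHES_RE = re.compile(r"'matches': '(?P<m>.*?)'(?=, '|\}\))")


def split_munged_entry(line: str) -> Optional[Dict]:
    """Return jail/action plus the individual log lines hidden inside one
    fail2ban ERROR entry, or None if the line is not such an entry."""
    head = ERROR_RE.search(line)
    if not head:
        return None
    body = MATCHES_RE.search(line)
    # Split on the literal backslash-n sequence, not on a real newline.
    embedded = body.group("m").split("\\n") if body else []
    return {
        "op": head.group("op"),
        "jail": head.group("jail"),
        "action": head.group("action"),
        "embedded": embedded,
    }


def scan(lines: List[str]) -> List[Dict]:
    """Collect every munged action-failure entry found in a list of syslog lines."""
    return [e for e in (split_munged_entry(l) for l in lines) if e]


if __name__ == "__main__":
    for entry in scan(SAMPLE_SYSLOG):
        print(f"{entry['op']} failed: jail={entry['jail']} action={entry['action']}")
        for original in entry["embedded"]:
            print("   ", original)
```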
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users