Oscar,

Thanks for the tip. I'd have to figure out how to do the "__prefix_line" substitution using fail2ban-regex. I tried your filter and it caught all the ones that were missed before.

Now I know if things slip through that it's not the fault of the filter.

Gary

On 04/24/2014 11:43 AM, Oscar del Rio wrote:

On 04/24/14 06:43 AM, Gary Gendel wrote:
Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:

^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from <HOST>\s*$


Did you test the rules with the "fail2ban-regex" command?

The following works fine for us:

failregex = (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$ (?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            Failed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            Did not receive identification string from <HOST>\s*$
User .+ from <HOST> not allowed because not listed in AllowUsers\s*$ User .+ from <HOST> not allowed because listed in DenyUsers\s*$
            User .+ from <HOST> not allowed because not in any group\s*$
            refused connect from \S+ \(<HOST>\)\s*$
User .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$ User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$



_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss



_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss

Reply via email to