[OpenIndiana-discuss] fail2ban for sshd
Gary Gendel
gary at genashor.com
Thu Apr 24 10:43:02 UTC 2014
Fail2ban seems to randomly miss ssh matches. I've been hacking at the
filter but nothing I seem to do works. What regex are others using that
works? The line that should catch the ones missed is:
^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from <HOST>\s*$
But it missed the following sequence:
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 47526 ssh2
Apr 23 02:10:07 phoenix last message repeated 1 time
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Illegal user teamspeak from 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] input_userauth_request: illegal user teamspeak
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 56338 ssh2
Apr 23 02:10:11 phoenix sshd[24168]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Illegal user git from 94.23.167.219
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] input_userauth_request: illegal user git
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 49509 ssh2
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Illegal user openvpn from 94.23.167.219
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] input_userauth_request: illegal user openvpn
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 40390 ssh2
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Illegal user scan from 94.23.167.219
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] input_userauth_request: illegal user scan
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 52773 ssh2
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Illegal user user1 from 94.23.167.219
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] input_userauth_request: illegal user user1
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 51324 ssh2
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] Illegal user dave from 94.23.167.219
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] input_userauth_request: illegal user dave
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 49466 ssh2
Apr 23 02:10:25 phoenix sshd[24192]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Illegal user redmine from 94.23.167.219
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] input_userauth_request: illegal user redmine
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 51089 ssh2
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Illegal user test3 from 94.23.167.219
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] input_userauth_request: illegal user test3
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 43856 ssh2
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Illegal user admin from 94.23.167.219
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] input_userauth_request: illegal user admin
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 43481 ssh2
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Illegal user admin1 from 94.23.167.219
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] input_userauth_request: illegal user admin1
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 39561 ssh2
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] input_userauth_request: illegal user root
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 55985 ssh2
Apr 23 02:10:39 phoenix sshd[24212]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:42 phoenix sshd[24216]: [ID 800047 auth.info] Illegal user admin from 94.23.167.219
Apr 23 02:10:42 phoenix sshd[24216]: [ID 800047 auth.info] input_userauth_request: illegal user admin
Apr 23 02:10:42 phoenix sshd[24216]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 57422 ssh2
Apr 23 02:10:42 phoenix last message repeated 1 time
Apr 23 02:10:42 phoenix sshd[24216]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:45 phoenix sshd[24220]: [ID 800047 auth.info] Illegal user test from 94.23.167.219
Apr 23 02:10:45 phoenix sshd[24220]: [ID 800047 auth.info] input_userauth_request: illegal user test
Apr 23 02:10:45 phoenix sshd[24220]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 60542 ssh2
Apr 23 02:10:46 phoenix sshd[24220]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:48 phoenix sshd[24224]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
Apr 23 02:10:48 phoenix sshd[24224]: [ID 800047 auth.info] input_userauth_request: illegal user root
Apr 23 02:10:48 phoenix sshd[24224]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 54593 ssh2
Apr 23 02:10:49 phoenix last message repeated 2 times
Apr 23 02:10:49 phoenix sshd[24224]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:54 phoenix sshd[24228]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
Apr 23 02:10:54 phoenix sshd[24228]: [ID 800047 auth.info] input_userauth_request: illegal user root
Apr 23 02:10:54 phoenix sshd[24228]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 37988 ssh2
Apr 23 02:10:55 phoenix last message repeated 1 time
Apr 23 02:10:55 phoenix sshd[24228]: [ID 800047 auth.info] Connection closed by 94.23.167.219
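A way to check the posted failregex against the quoted lines outside the daemon. This is an added example, not code from the original post or from fail2ban itself. It expands %(__prefix_line)s with a simplified stand-in (syslog timestamp, hostname and "sshd[pid]:", which is an assumption rather than fail2ban's exact common.conf definition) and <HOST> with the expansion fail2ban 0.8 uses, then runs the posted pattern and a variant that tolerates the trailing " port NNNN ssh2" SunSSH appends, over a constructed excerpt of the log above. As written, the posted line anchors \s*$ directly after <HOST>, so with these expansions it matches none of the excerpt. The example also credits syslogd's "last message repeated N times" lines to the immediately preceding match, since those collapse repeated failures the filter otherwise never sees.

```python
import re

# Constructed excerpt of the log quoted in the post (not a live capture):
# SunSSH on OpenIndiana with Solaris syslog "[ID ... auth.info]" tags and
# syslogd's "last message repeated N times" collapse lines.
SAMPLE_LOG = """\
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 47526 ssh2
Apr 23 02:10:07 phoenix last message repeated 1 time
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Illegal user teamspeak from 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] input_userauth_request: illegal user teamspeak
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 56338 ssh2
Apr 23 02:10:11 phoenix sshd[24168]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:48 phoenix sshd[24224]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
Apr 23 02:10:48 phoenix sshd[24224]: [ID 800047 auth.info] Failed password for <invalid username> from 94.23.167.219 port 54593 ssh2
Apr 23 02:10:49 phoenix last message repeated 2 times
Apr 23 02:10:49 phoenix sshd[24224]: [ID 800047 auth.info] Connection closed by 94.23.167.219
"""

# Simplified stand-in for fail2ban's %(__prefix_line)s: optional syslog
# timestamp, hostname, then "sshd[pid]: ". This is an assumption for the
# example, not fail2ban's exact common.conf text.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d )?\S+ sshd\[\d+\]: "

# <HOST> tag expansion as used by fail2ban 0.8: optional IPv4-mapped prefix,
# then the host/IP captured in a named group.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post: end-of-line anchor sits directly after <HOST>.
POSTED = (r"^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|"
          r"keyboard-interactive) for .* from <HOST>\s*$")

# Same pattern, but allowing SunSSH's trailing " port NNNN ssh2".
FIXED = (r"^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|"
         r"keyboard-interactive) for .* from <HOST>(?: port \d+)?(?: ssh\d*)?\s*$")

# syslogd collapse line; the count refers to the line logged just before it.
REPEATED = re.compile(
    r"^(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d )?\S+ last message repeated (\d+) times?$")


def expand(failregex):
    """Substitute %(__prefix_line)s and <HOST> the way fail2ban does before
    compiling, so a filter.d line can be tested outside the daemon."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX_LINE)
                               .replace("<HOST>", HOST))


def direct_matches(log, failregex):
    """Lines the failregex itself matches (what fail2ban-regex reports)."""
    rx = expand(failregex)
    return [line for line in log.splitlines() if rx.match(line)]


def count_failures(log, failregex):
    """Return {host: failures}, crediting 'last message repeated N times'
    to the host of the immediately preceding matched line. Any other
    intervening line breaks the chain, since the repeat then refers to
    something the filter did not match."""
    rx = expand(failregex)
    counts = {}
    last_host = None
    for line in log.splitlines():
        m = rx.match(line)
        if m:
            last_host = m.group("host")
            counts[last_host] = counts.get(last_host, 0) + 1
            continue
        r = REPEATED.match(line)
        if r and last_host is not None:
            counts[last_host] += int(r.group(1))
            continue
        last_host = None
    return counts


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("fixed", FIXED)):
        print(name, len(direct_matches(SAMPLE_LOG, rx)), "direct matches,",
              count_failures(SAMPLE_LOG, rx), "including repeats")
```

On the host itself, fail2ban-regex <logfile> /etc/fail2ban/filter.d/sshd.conf performs the same per-line check with the real __prefix_line definition and is the first thing to run when a filter is suspected of missing lines; the repeat crediting above is something fail2ban's own filter does not do, so collapsed repeats still count as one failure there.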