[OpenIndiana-discuss] fail2ban for sshd
Gary Gendel
gary at genashor.com
Thu Apr 24 16:16:50 UTC 2014
Oscar,
Thanks for the tip. I'd have to figure out how to do the
"__prefix_line" substitution using fail2ban-regex. I tried your filter
and it caught all the ones that were missed before.
Now I know that if things slip through, it's not the fault of the filter.
Gary
On 04/24/2014 11:43 AM, Oscar del Rio wrote:
>
> On 04/24/14 06:43 AM, Gary Gendel wrote:
>> Fail2ban seems to randomly miss ssh matches. I've been hacking at
>> the filter but nothing I seem to do works. What regex are others
>> using that works? The line that should catch the ones missed is:
>>
>> ^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from <HOST>\s*$
>
>
> Did you test the rules with the "fail2ban-regex" command?
>
> The following works fine for us:
>
> failregex = (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>             (?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
>             Failed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
>             ROOT LOGIN REFUSED.* FROM <HOST>\s*$
>             [iI](?:llegal|nvalid) user .* from <HOST>\s*$
>             Did not receive identification string from <HOST>\s*$
>             User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
>             User .+ from <HOST> not allowed because listed in DenyUsers\s*$
>             User .+ from <HOST> not allowed because not in any group\s*$
>             refused connect from \S+ \(<HOST>\)\s*$
>             User .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
>             User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
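An added test harness, not code from this thread or from fail2ban itself: it performs the `%(__prefix_line)s` and `<HOST>` substitution that Gary mentions and replays Gary's pattern and three of Oscar's over constructed OpenIndiana-style sshd log lines, the way fail2ban-regex would. The PREFIX and HOST expansions and the sample lines are assumptions made for this example.

```python
import re

# Stand-in for fail2ban's <HOST> tag (fail2ban expands it to a named group that
# captures an IPv4/IPv6 address or hostname); the exact expansion is an assumption.
HOST = r"(?P<host>[\w\-.:]+)"

# Simplified stand-in for %(__prefix_line)s: syslog timestamp, hostname, "sshd[pid]: ".
# An assumption for this example, not the real definition from fail2ban's common.conf.
PREFIX = r"\S+ +\d+ [\d:]+ \S+ sshd(?:\[\d+\])?: "

# Gary's single pattern from the thread (requires end-of-line right after the host).
GARY_FAILREGEX = [
    r"^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from <HOST>\s*$",
]

# Three of Oscar's patterns (the first tolerates a trailing " port N ssh2").
OSCAR_FAILREGEX = [
    r"Failed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"Did not receive identification string from <HOST>\s*$",
]

# Constructed sshd lines in Solaris/OpenIndiana syslog style (note the "[ID ...]" tag).
SAMPLE_LINES = [
    "Apr 24 06:43:01 oi sshd[1234]: [ID 800047 auth.info] Failed password for root from 192.0.2.10",
    "Apr 24 06:43:05 oi sshd[1234]: [ID 800047 auth.info] Failed password for invalid user bob from 192.0.2.11 port 51234 ssh2",
    "Apr 24 06:43:09 oi sshd[1235]: [ID 800047 auth.info] Did not receive identification string from 198.51.100.7",
    "Apr 24 06:43:12 oi sshd[1236]: [ID 800047 auth.info] Accepted publickey for gary from 203.0.113.5 port 40000 ssh2",
]

def compile_failregex(patterns):
    """Expand the fail2ban tags the way the daemon does, then compile each failregex."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in patterns]

def matched_hosts(patterns, lines):
    """Emulate fail2ban-regex: map each matched line to the host the first hit captured."""
    compiled = compile_failregex(patterns)
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)  # fail2ban searches, so patterns need not be anchored
            if m:
                hits[line] = m.group("host")
                break
    return hits

if __name__ == "__main__":
    for name, patterns in (("Gary", GARY_FAILREGEX), ("Oscar", OSCAR_FAILREGEX)):
        print(name, matched_hosts(patterns, SAMPLE_LINES))
```

Running it shows that the line carrying a trailing " port 51234 ssh2" is caught only by Oscar's set, which is the kind of miss worth checking for with fail2ban-regex before blaming the filter.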