So after my last apt-get update && apt-get upgrade && apt-get dist-upgrade my Fail2Ban got upgraded to 0.9.5 without any problems and I double checked the configurations but it seems as if it’s not working anymore.
Here are some logs from failed logins in my /var/log/auth.log
Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from xx.xxx.xxx.xxx port 45282
Normally such a try should be recognized by fail2ban. I double checked the fail2ban logs and saw that nothing got registered in that time range. After searching on the web I found out about the fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf command. My problem is that the regex doesn’t recognize failed attempts anymore. I always get this result back:
Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 10
Use         log file : /var/log/auth.log
Use         encoding : ANSI_X3.4-1968

Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9739] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 9739 lines, 0 ignored, 0 matched, 9739 missed
[processed in 3.16 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 9739 lines
What’s the problem here? I realized that my logging changed too. Before I updated the system the logs didn’t have any information about the port, and after updating it, it logs the port with it. For example:
Old logging:
Aug 27 16:40:09 ns3031426 sshd[13245]: Invalid user oracle from xx.xxx.xxx.xxx

New logging:
Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from xx.xxx.xxx.xxx port 45282
Thanks for your help.
Answer
So it turned out to be a general problem that came up with the changed format of sshd logs. You can find the status here: https://github.com/fail2ban/fail2ban/issues/1533
Best regards
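To make the mismatch described in the question concrete, here is an added example (not part of the original thread and not fail2ban's own filter code). It runs a simplified "Invalid user" pattern, written in the spirit of a sshd filter anchored at end of line, over constructed log lines in both the old and the new sshd format, and then shows a relaxed pattern that tolerates the appended "port NNNN" while staying anchored so nothing else slips past the end of the host field. The regexes, the helper names and the 203.0.113.10 address are all assumptions made for the demonstration.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the question.
# 203.0.113.10 is a documentation address, not a real host.
OLD_LINE = "Aug 27 16:40:09 ns3031426 sshd[13245]: Invalid user oracle from 203.0.113.10"
NEW_LINE = "Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from 203.0.113.10 port 45282"
SAMPLE_LOG = [OLD_LINE, NEW_LINE]

# Hypothetical strict pattern (not copied from filter.d/sshd.conf): the host must be
# the last token on the line, so the new "port 45282" suffix makes it fail to match.
STRICT_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<host>\S+)\s*$")

# Relaxed pattern: the port suffix is optional, but the expression is still anchored
# at end of line so arbitrary trailing text does not get accepted.
RELAXED_RE = re.compile(
    r"sshd\[\d+\]: Invalid user \S+ from (?P<host>\S+)(?: port (?P<port>\d+))?\s*$"
)


def extract(pattern, line):
    """Return {'host': ..., 'port': ... or None} for a matching line, or None if missed."""
    m = pattern.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "port": m.groupdict().get("port")}


def count_matches(pattern, lines):
    """Mimic the fail2ban-regex summary: number of lines the pattern catches."""
    return sum(1 for line in lines if pattern.search(line))


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_RE), ("relaxed", RELAXED_RE)):
        print(f"{name}: {count_matches(pat, SAMPLE_LOG)} of {len(SAMPLE_LOG)} lines matched")
        for line in SAMPLE_LOG:
            print("  ", extract(pat, line))
```

Running it shows the strict pattern catching only the old-format line, which is exactly the "0 matched" result fail2ban-regex reported against a log that now carries the port on every entry; the relaxed pattern catches both formats and still captures the host for banning.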