
fail2ban regex stopped working [Debian 8 – Jessie]

So after my last apt-get update && apt-get upgrade && apt-get dist-upgrade, my Fail2Ban got upgraded to 0.9.5 without any problems, and I double-checked the configurations, but it seems as if it’s not working anymore.

Here are some logs from failed logins in my /var/log/auth.log

Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from xx.xxx.xxx.xxx port 45282

Normally such a try should be recognized by fail2ban. I double checked the fail2ban logs and saw that nothing got registered in that time range. After searching on the web I found out about the fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf command. My problem is that the regex doesn’t recognize failed attempts anymore. I always get this result back:

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 10
Use         log file : /var/log/auth.log
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9739] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 9739 lines, 0 ignored, 0 matched, 9739 missed
[processed in 3.16 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 9739 lines

What’s the problem here? I realized that my logging changed too. Before I updated the system, the logs didn’t have any information about the port, and after updating, it logs the port as well. For example:

Old logging: Aug 27 16:40:09 ns3031426 sshd[13245]: Invalid user oracle from xx.xxx.xxx.xxx
New logging: Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from xx.xxx.xxx.xxx port 45282

Thanks for your help.

Answer

So it turned out to be a general problem that came up with the changed format of sshd logs. You can find the status here: https://github.com/fail2ban/fail2ban/issues/1533

Best regards
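
An added example (not part of the original answer, and not fail2ban's shipped filter) showing how a trailing " port N" can break an end-anchored failregex and how an optional group restores the match. The patterns, the simplified `<HOST>` expansion and the sample IP addresses are assumptions constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for the syslog prefix "Mon DD HH:MM:SS host sshd[pid]: ".
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# Hypothetical patterns, not copied from any shipped sshd.conf.
# Both keep the "$" anchor so that text inside the attacker-controlled
# user name cannot be picked up as the host.
STRICT = PREFIX + r"Invalid user .* from <HOST>\s*$"
TOLERANT = PREFIX + r"Invalid user .* from <HOST>(?: port \d+)?\s*$"

# Constructed sample lines in the two formats shown in the question.
SAMPLE = [
    "Aug 27 16:40:09 ns3031426 sshd[13245]: Invalid user oracle from 203.0.113.5",
    "Aug 30 03:39:02 ns3031426 sshd[25824]: Invalid user admin from 203.0.113.9 port 45282",
    "Aug 30 03:39:05 ns3031426 sshd[25830]: Accepted publickey for root "
    "from 198.51.100.7 port 50022 ssh2",
]


def compile_failregex(template):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(template.replace("<HOST>", HOST))


def match_host(regex, line):
    """Return the offending host for a log line, or None if it is missed."""
    m = regex.search(line)
    return m.group("host") if m else None


def coverage(template, lines):
    """Summarise matched/missed lines, similar to fail2ban-regex output."""
    regex = compile_failregex(template)
    hosts = [h for h in (match_host(regex, l) for l in lines) if h]
    return {"matched": len(hosts), "missed": len(lines) - len(hosts), "hosts": hosts}


if __name__ == "__main__":
    for name, tpl in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, coverage(tpl, SAMPLE))
```

Running a check like this against a few representative log lines after each OpenSSH or fail2ban upgrade catches a silent "0 matched" filter before it leaves the jail inactive.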

User contributions licensed under: CC BY-SA