I just upgraded Fedora from 8 to 10. Fail2ban worked very well in core 8, but now it is not working anymore. Fail2ban is running normally, but it is not banning because the /var/log/secure log is different:

fc8:
Aug 3 14:53:34 monica sshd[3954]: Failed password for root from xxx.90.213.110 port 3231 ssh2

fc10:
2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: Failed password for invalid user oracle from xxx.193.4.5 port 55490 ssh2

Fail2ban version is 0.8.3-16. Any solutions?
OK, sounds good, but I have no idea how to do that. I guess the problem is the date stamp, so is there any chance to change the logger config back to the old mode?
Add the following line to the failregex stanza in sshd.conf and restart fail2ban:

^%(__prefix_line)sFailed [-/\w]+ for invalid user .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
Thanks falko, I added the line but it is still not working. It seems like there is a problem with the time, because if I run:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

...
[4] 77 match(es)
...
Addresses found:
...
xxx.193.4.5 (Wed Jan 21 20:47:35 2009)
...
31157 hit(s): ISO 8601
Success, the total number of match is 181

But /var/log/secure says:

2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from xxx.193.4.5

What can I do with that?
That's a different error message; I think it should be covered by the ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ regex.
When I run the regex it is working OK, but the time is wrong. For some reason it decreases by 2 hours, which is marked in the secure log (+02:00). Example:

regex: xxx.193.4.5 (Wed Jan 21 20:47:35 2009) <-> secure log: 2009-01-21T22:47:35.525108+02:00

If I edit the secure log timezone to +00:00 and run the regex, the time is OK. Should I change the fail2ban config somehow, timezone settings, or what?
Problem solved. This is a post from Cyril Jaquier: Replace utctimetuple with timetuple in datetemplate.py.

        if dateMatch:
            # Parses the date.
            value = dateMatch.group()
-           date = list(iso8601.parse_date(value).utctimetuple())
+           date = list(iso8601.parse_date(value).timetuple())
        return date

https://sourceforge.net/tracker2/index.php?func=detail&aid=2500276&group_id=121032&atid=689044

The fix will be in 0.8.4.
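Review bot: the replacement line drops the zone information rather than using it. iso8601.parse_date returns a zone-aware datetime, and timetuple() on it yields the wall-clock fields as written in the log (22:47:35) with the +02:00 offset discarded, so the resulting tuple is only correct when the machine's local timezone equals the offset written in the log line. Logs with a different offset (a host logging in UTC, a file copied from another zone, or a DST change between the log offset and the local zone) would again be shifted. A zone-independent alternative is to convert the aware datetime to UTC before building the tuple and consume it with a UTC-based conversion, for example calendar.timegm(...utctimetuple()), instead of passing a wall-clock tuple to a local-time conversion.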
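The two things this thread turns on, failregex matching against the new rsyslog line format and the two-hour skew that utctimetuple() introduced, can be reproduced in a few lines. The following is an added example, not code from the thread or from fail2ban itself: it uses a simplified stand-in for fail2ban's __prefix_line, an IPv4-only expansion of <HOST>, and constructed sample lines in the fc8 and fc10 formats (documentation-range addresses replace the ones the poster masked). It assumes, as fail2ban 0.8 does, that the timestamp is cut off the line before failregex is applied, and that the datetime library's fromisoformat() can stand in for iso8601.parse_date().

```python
import calendar
import re
import time
from datetime import datetime

# Constructed sample lines in the two formats shown in the thread.
FC8_LINE = "Aug  3 14:53:34 monica sshd[3954]: Failed password for root from 192.0.2.10 port 3231 ssh2"
FC10_LINE = ("2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: "
             "Failed password for invalid user oracle from 192.0.2.5 port 55490 ssh2")
FC10_INVALID = "2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from 192.0.2.5"

# Assumption: a simplified stand-in for fail2ban's __prefix_line (host + "sshd[pid]: ").
PREFIX_LINE = r"\S+ sshd\[\d+\]: "
# fail2ban replaces <HOST> with a named capture group; IPv4-only here for brevity.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex lines discussed in the thread, plus the plain "Failed password" form.
FAILREGEX = [
    r"^%(__prefix_line)sFailed [-/\w]+ for invalid user .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]
COMPILED = [re.compile((p % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST))
            for p in FAILREGEX]

# Two date templates: rsyslog's ISO 8601 (fc10) and classic syslog (fc8).
ISO8601_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})\s+")
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+")


def split_date(line, year=2009):
    """Cut the timestamp off the front of a log line (assumed here to mirror what
    fail2ban does before applying failregex). Returns (datetime, rest_of_line)."""
    m = ISO8601_RE.match(line)
    if m:
        # Zone-aware datetime: the +02:00 offset is kept in tzinfo.
        return datetime.fromisoformat(m.group("ts")), line[m.end():]
    m = SYSLOG_RE.match(line)
    if m:
        # Classic syslog carries neither year nor zone; treat it as naive local time.
        stamp = " ".join(m.group("ts").split())  # collapse "Aug  3" to "Aug 3"
        return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), line[m.end():]
    raise ValueError("no known date template: " + line)


def match_failure(line):
    """Return the offending host if any failregex matches the de-dated line, else None."""
    _, rest = split_date(line)
    for rx in COMPILED:
        m = rx.match(rest)
        if m:
            return m.group("host")
    return None


def fail2ban_083_stamp(line):
    """What 0.8.3 printed: utctimetuple() converts to UTC, so +02:00 becomes two hours earlier."""
    dt, _ = split_date(line)
    return time.asctime(dt.utctimetuple())


def fail2ban_084_stamp(line):
    """What the 0.8.4 fix prints: timetuple() keeps the wall-clock time as logged."""
    dt, _ = split_date(line)
    return time.asctime(dt.timetuple())


def skew_seconds(line):
    """How far the two tuples disagree when both are later interpreted in the same
    zone (as a single time.mktime() call would): the log's UTC offset, 7200 s for +02:00.
    Every fc10 failure therefore looked two hours old and fell outside findtime."""
    dt, _ = split_date(line)
    return calendar.timegm(dt.timetuple()) - calendar.timegm(dt.utctimetuple())


if __name__ == "__main__":
    for line in (FC8_LINE, FC10_LINE, FC10_INVALID):
        print(match_failure(line), fail2ban_083_stamp(line), fail2ban_084_stamp(line),
              skew_seconds(line))
```

Running the script shows that the fc8 line has no skew (no zone in the timestamp, so both tuples agree), while the fc10 lines print the same 20:47 stamp the poster saw from fail2ban-regex under 0.8.3 and the logged 22:47 under the 0.8.4 behaviour, with a 7200 s gap between the two.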