Hello!! I am running ISPConfig 3 on CentOS 5.2. I would like to know the exact path of the log file mentioned in jail.conf for the ssh jail. I have the following lines in my /var/log/messages:

May 2 14:55:07 server1 sshd[17693]: Failed password for root from ::ffff:203.217.188.105 port 49741 ssh2
May 2 14:55:09 server1 sshd[17697]: Failed password for root from ::ffff:203.217.188.105 port 50177 ssh2
May 2 14:55:11 server1 sshd[17699]: Failed password for root from ::ffff:203.217.188.105 port 50446 ssh2
May 2 14:55:13 server1 sshd[17701]: Failed password for root from ::ffff:203.217.188.105 port 50852 ssh2
May 2 14:55:15 server1 sshd[17703]: Failed password for root from ::ffff:203.217.188.105 port 51207 ssh2
May 2 14:55:17 server1 sshd[17705]: Failed password for root from ::ffff:203.217.188.105 port 51487 ssh2
May 2 14:55:19 server1 sshd[17708]: Failed password for root from ::ffff:203.217.188.105 port 51929 ssh2

and a few more... whereas my /var/log/secure registers only successful login attempts. Which one should I use, /var/log/secure or /var/log/messages??
On Debian, there's /var/log/auth.log, but I'm not sure if it exists on CentOS as well. But according to http://www.howtoforge.com/preventing-brute-force-attacks-with-fail2ban-on-fedora9, it's /var/log/secure.
Problem solved. Actually, the parameter in /etc/ssh/sshd_config was:

SyslogFacility AUTH

So all the logs were logged to /var/log/messages. I changed AUTH to AUTHPRIV. Now the logs are logged to /var/log/secure and I received 3 emails with banned IPs from fail2ban. I came to know this when I viewed the file /etc/syslog.conf. Thanks
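An added example (not from the thread or from fail2ban) tying the two points together: which file a given sshd SyslogFacility lands in under a CentOS 5 style /etc/syslog.conf, and a fail2ban-style ban decision run over log lines in the format of the first post. The syslog.conf excerpt, the 192.0.2.10 line and the `maxretry`/`findtime` defaults are constructed; the `::ffff:` prefix on the addresses is an IPv4-mapped IPv6 form that the pattern has to strip.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the first post's format; ::ffff: is an IPv4-mapped IPv6 prefix.
SAMPLE_LOG = """\
May 2 14:55:07 server1 sshd[17693]: Failed password for root from ::ffff:203.217.188.105 port 49741 ssh2
May 2 14:55:09 server1 sshd[17697]: Failed password for root from ::ffff:203.217.188.105 port 50177 ssh2
May 2 14:55:11 server1 sshd[17699]: Failed password for root from ::ffff:203.217.188.105 port 50446 ssh2
May 2 14:55:13 server1 sshd[17701]: Failed password for root from ::ffff:203.217.188.105 port 50852 ssh2
May 2 14:56:30 server1 sshd[17720]: Failed password for invalid user test from 192.0.2.10 port 40000 ssh2
"""
# Constructed syslog.conf excerpt in the CentOS 5 layout the third post describes.
SYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
"""
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?\S+ from (?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+')

def log_files_for(facility, syslog_conf=SYSLOG_CONF):
    """Files that receive `facility` under a syslog.conf text (only the 'none' priority is honoured)."""
    files = []
    for line in syslog_conf.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        selectors, target = line.rsplit(None, 1)
        matched = False
        for sel in selectors.split(';'):
            facs, prio = sel.split('.', 1)
            if facs == '*' or facility in facs.split(','):
                matched = prio != 'none'  # a later 'authpriv.none' cancels the earlier '*'
        if matched:
            files.append(target)
    return files

def bans(log_text, maxretry=3, findtime=600):
    """Fail2ban-style decision: {ip: ban time} once an IP fails maxretry times within findtime seconds."""
    failures, banned = defaultdict(list), {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group('ip') in banned:
            continue
        ip, ts = m.group('ip'), datetime.strptime(' '.join(m.group('ts').split()), '%b %d %H:%M:%S')
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        failures[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned
```

With `SyslogFacility AUTH`, `log_files_for('auth')` points at /var/log/messages, which is why a jail watching /var/log/secure saw nothing until the facility was changed to AUTHPRIV.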