Hello,

I have Debian 6.0.5 "squeeze" on a Seagate Freeagent Dockstar. fail2ban is installed and starts normally, but writes nothing to /var/log/fail2ban.log.
_______________________________________________

An SSH jail is enabled:

*root@debian:~# fail2ban-client -d*
WARNING 'findtime' not defined in 'ssh'. Using default value
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
...
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
...
['set', 'ssh', 'addaction', 'iptables-multiport']
['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
...
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
['start', 'ssh']

________________________________________________

The logs read from /var/log/auth.log are parsed correctly:

*root@debian:~# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf*
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
...
2013-02-19 11:03:31,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 11:03:31,274 fail2ban.jail : INFO Creating new jail 'ssh'
2013-02-19 11:03:31,275 fail2ban.jail : INFO Jail 'ssh' uses poller
2013-02-19 11:03:31,303 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-02-19 11:03:31,309 fail2ban.filter : INFO Set maxRetry = 6
2013-02-19 11:03:31,320 fail2ban.filter : INFO Set findtime = 600
2013-02-19 11:03:31,325 fail2ban.actions: INFO Set banTime = 600
2013-02-19 11:03:31,655 fail2ban.jail : INFO Jail 'ssh' started
Running tests
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log
...
118.192.2.50 (Tue Feb 19 05:28:49 2013)
118.192.2.50 (Tue Feb 19 05:28:53 2013)
118.192.2.50 (Tue Feb 19 05:28:58 2013)
...
*Success, the total number of match is 691*

_______________________________________________

Here is the content of /var/log/fail2ban.log when I restart:

2013-02-19 12:41:22,203 fail2ban.jail : INFO Jail 'ssh' stopped
2013-02-19 12:41:22,274 fail2ban.server : INFO Exiting Fail2ban
2013-02-19 12:41:24,634 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 12:41:24,640 fail2ban.jail : INFO Creating new jail 'ssh'
2013-02-19 12:41:24,641 fail2ban.jail : INFO Jail 'ssh' uses poller
2013-02-19 12:41:24,809 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-02-19 12:41:24,816 fail2ban.filter : INFO Set maxRetry = 6
2013-02-19 12:41:24,826 fail2ban.filter : INFO Set findtime = 600
2013-02-19 12:41:24,831 fail2ban.actions: INFO Set banTime = 600
2013-02-19 12:41:25,456 fail2ban.jail : INFO Jail 'ssh' started

________________________________________________

And yet the root access attempts over ssh are not recorded in it, and are not blocked by fail2ban? Where should I look?

Thanks!