On 2/7/2018 2:14 PM, Palvelin Postmaster via Fail2ban-users wrote:
> I need an appropriate log filter to match this line type for sshd:
>
> YYYY-MM-DD HH:MM:SS:XXXXXX+GMT hostname sshd[<process_id>]: error: PAM:
> authentication error for <username> XXX.XXX.XXX.XXX
>
> Example:
>
> 2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM:
> authentication error for testuser from 192.168.168.2
Have you tested with fail2ban-regex? For example, something like the
following.
$ fail2ban-regex "2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM: authentication error for testuser from 192.168.168.2" /etc/fail2ban/filter.d/ssh.d
does match, output:
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use single line : 2018-02-07 22:03:44.009330+0200 localhost sshd[13...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]
> And this for Webmin:
>
> XXX.XXX.XXX.XXX - - [DD/MMM/YYYY:HH:MM:SS +GMT] "POST /session_login.cgi HTTP/X.X" 401 <id>
>
> Example:
>
> 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi
> HTTP/1.1" 401 2333
>
> So, here I need to match 'POST /session_login.cgi HTTP' followed by '401'
This one doesn't match anything in the current webmin-auth.conf; so
let's try our own:
$ fail2ban-regex "192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] \"POST /session_login.cgi HTTP/1.1\" 401 2333" "^<HOST> - - .*\"POST .*session_login.cgi.* 401 .*$"
Running tests
=============
Use failregex line : ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
Use single line : 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "PO...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.20 sec]
Hope this helps.
--
René Berber
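The Webmin failregex from the reply above can also be checked offline with Python's re module, as an added example that is not part of the thread. It applies that pattern, and a tighter variant, to constructed access-log lines; the <HOST> expansion is a simplified stand-in for fail2ban's own (an assumption), and the log lines are constructed, not taken from any real server.

```python
import re

# Constructed Webmin access-log lines (not from the thread). A 401 on a POST
# to /session_login.cgi is a failed login; the last line has a client-supplied
# request line that merely contains " 401 ", which is untrusted input.
SAMPLE_LOG = """\
192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333
192.168.168.2 - - [04/Feb/2018:23:02:10 +0200] "POST /session_login.cgi HTTP/1.1" 302 0
10.0.0.7 - - [04/Feb/2018:23:05:00 +0200] "GET /session_login.cgi HTTP/1.1" 401 2333
10.0.0.9 - - [04/Feb/2018:23:06:00 +0200] "POST /other.cgi HTTP/1.1" 401 100
10.0.0.5 - - [04/Feb/2018:23:07:00 +0200] "POST /session_login.cgi 401 HTTP/1.1" 200 12
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# one also covers IPv6 and an optional ::ffff: prefix).
HOST = r"(?P<host>[\w\-.]*\w)"

# The failregex proposed in the reply above, exactly as given.
LOOSE = r'^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$'

# A tighter form: the request line and the status code are matched exactly,
# so a "401" inside a client-chosen path cannot trigger a ban. The timestamp
# is not matched because fail2ban strips the detected date before applying
# failregex, so a pattern should not depend on it.
TIGHT = r'^<HOST> - - .*"POST /session_login\.cgi HTTP/[\d.]+" 401 \d+$'


def compile_failregex(failregex: str) -> "re.Pattern":
    """Expand <HOST> and compile, mimicking how fail2ban reads a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failed_logins(log: str, failregex: str) -> list:
    """Return the host of every log line the failregex matches, in order."""
    pat = compile_failregex(failregex)
    return [m.group("host") for m in map(pat.search, log.splitlines()) if m]


if __name__ == "__main__":
    print("loose:", failed_logins(SAMPLE_LOG, LOOSE))  # includes 10.0.0.5
    print("tight:", failed_logins(SAMPLE_LOG, TIGHT))  # only 192.168.168.2
```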