I have noticed that multiple password attempts on SSH don't get blocked
at all. While testing the regexes, I have found that my logs choke on
"^%(__prefix_line)s".

The following doesn't work:

$ fail2ban-regex \
    "May 30 21:03:25 vps docker/ftps[1346]: Failed password for teresaejunior from 1.2.3.4 port 50714 ssh2" \
    '^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$'

The following works (removed ^%(__prefix_line)s):

$ fail2ban-regex \
    "May 30 21:03:25 vps docker/ftps[1346]: Failed password for teresaejunior from 1.2.3.4 port 50714 ssh2" \
    'Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$'

The system is Ubuntu 16.04.4 (actually, my log doesn't match against the
new regex rules of /etc/fail2ban/filter.d/sshd.conf on Ubuntu 18.04 either).
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
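
The two commands in the post, reproduced with Python's re module as an added example (not part of the original message and not fail2ban's own code). It assumes the command-line string is used as a plain regex with no %(...)s config interpolation; HOST, prefix() and matched_host() are hypothetical stand-ins, and the simplified prefix only illustrates a filter that expects an sshd syslog tag.

```python
import re

# Log line from the post.
LINE = ("May 30 21:03:25 vps docker/ftps[1346]: Failed password for "
        "teresaejunior from 1.2.3.4 port 50714 ssh2")

# Simplified stand-in for the <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Regex body from the post, with %(__md5hex)s left uninterpolated.
BODY = (r'Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?'
        r'(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s'
        r'(, client user ".*", client host ".*")?))?\s*$')


def prefix(daemon):
    """Hypothetical simplified prefix: timestamp, hostname, daemon tag."""
    return r"\w{3} +\d+ [\d:]{8} \S+ " + daemon + r"(?:\[\d+\])?: "


def matched_host(regex, line=LINE):
    """Return the captured address, or None when the regex does not match."""
    m = re.search(regex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


# 1. First command: an uninterpolated "^%(__prefix_line)s" is an ordinary
#    regex that requires the line to start with "%__prefix_lines".
literal_prefix = matched_host(r"^%(__prefix_line)s" + BODY)

# 2. Second command: the body alone matches. The leftover %(__md5hex)s is
#    harmless because it sits inside an optional group.
body_only = matched_host(BODY)

# 3. A prefix that expects the sshd tag rejects the docker/ftps[1346] tag.
sshd_prefix = matched_host("^" + prefix("sshd") + BODY)

# 4. The same anchored regex matches once the prefix names the actual tag.
actual_tag = matched_host("^" + prefix("docker/ftps") + BODY)

if __name__ == "__main__":
    for name, got in [("literal %(__prefix_line)s", literal_prefix),
                      ("body only", body_only),
                      ("prefix expecting sshd", sshd_prefix),
                      ("prefix expecting docker/ftps", actual_tag)]:
        print(f"{name:30} -> {got}")
```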