Anyone to help, please?

Sample log entries:

Oct 25 09:57:25 localhost sshd[17377]: Disconnecting invalid user user 185.246.128.25 port 39598: Change of username or service not allowed: (user,ssh-connection) -> (admin,ssh-connection) [preauth]
Oct 25 09:58:34 localhost sshd[17381]: Disconnecting invalid user admin 185.246.128.25 port 22937: Change of username or service not allowed: (admin,ssh-connection) -> (root,ssh-connection) [preauth]
Oct 25 09:59:02 localhost sshd[17385]: Disconnecting authenticating user root 185.246.128.25 port 33103: Change of username or service not allowed: (root,ssh-connection) -> (,ssh-connection) [preauth]
Oct 25 09:59:23 localhost sshd[17387]: Disconnecting invalid user 185.246.128.25 port 6306: Change of username or service not allowed: (,ssh-connection) -> (root,ssh-connection) [preauth]
Oct 25 10:00:32 localhost sshd[17399]: Disconnecting authenticating user root 185.246.128.25 port 59009: Change of username or service not allowed: (root,ssh-connection) -> (0,ssh-connection) [preauth]

I have added a regex to catch them:

^Disconnecting (?:authenticating|invalid) user .* <HOST>%(__on_port_opt)s:.*%(__suff)s$

After checking with

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf --print-all-missed > missed.txt

all those entries are missed. What is wrong with the regex, please?
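One way to check the posted pattern outside fail2ban (an added example, not part of the original post): it expands the interpolations by hand and tries each sample line both with and without the "localhost sshd[pid]: " prefix. The expansions of __on_port_opt and __suff are assumptions recalled from the sshd filter shipped with fail2ban 0.10+, and HOST, TS and PREFIX are simplified stand-ins introduced here for illustration.

```python
import re

# Assumed expansions (recalled from the fail2ban 0.10+ sshd filter);
# compare them with the definitions in your own sshd.conf.
ON_PORT_OPT = r"(?: (?:port \d+|on \S+)){0,2}"
SUFF = r"(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*"
# Simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Hypothetical helpers: syslog timestamp and the "host sshd[pid]: " prefix.
TS = re.compile(r"^\w{3} +\d+ [\d:]{8} ")
PREFIX = re.compile(r"^\S+ sshd\[\d+\]: ")

# The regex from the post with the interpolations expanded.
FAILREGEX = re.compile(
    r"^Disconnecting (?:authenticating|invalid) user .* "
    + HOST + ON_PORT_OPT + r":.*" + SUFF + r"$"
)

# Log lines copied from the post.
LINES = [
    "Oct 25 09:57:25 localhost sshd[17377]: Disconnecting invalid user user 185.246.128.25 port 39598: Change of username or service not allowed: (user,ssh-connection) -> (admin,ssh-connection) [preauth]",
    "Oct 25 09:58:34 localhost sshd[17381]: Disconnecting invalid user admin 185.246.128.25 port 22937: Change of username or service not allowed: (admin,ssh-connection) -> (root,ssh-connection) [preauth]",
    "Oct 25 09:59:02 localhost sshd[17385]: Disconnecting authenticating user root 185.246.128.25 port 33103: Change of username or service not allowed: (root,ssh-connection) -> (,ssh-connection) [preauth]",
    "Oct 25 09:59:23 localhost sshd[17387]: Disconnecting invalid user 185.246.128.25 port 6306: Change of username or service not allowed: (,ssh-connection) -> (root,ssh-connection) [preauth]",
    "Oct 25 10:00:32 localhost sshd[17399]: Disconnecting authenticating user root 185.246.128.25 port 59009: Change of username or service not allowed: (root,ssh-connection) -> (0,ssh-connection) [preauth]",
]

def evaluate(line):
    """Return (matches_with_prefix, matches_message_only) for one log line."""
    no_ts = TS.sub("", line)         # fail2ban cuts the matched timestamp out first
    message = PREFIX.sub("", no_ts)  # text left once "host sshd[pid]: " is consumed
    return (bool(FAILREGEX.search(no_ts)), bool(FAILREGEX.search(message)))

def results():
    """Evaluate every sample line from the post."""
    return [evaluate(line) for line in LINES]

if __name__ == "__main__":
    for line, (full, msg) in zip(LINES, results()):
        print(f"with prefix={full!s:5} message only={msg!s:5} {line[16:72]}")
```

Under these assumptions the "^"-anchored pattern matches none of the lines while the prefix is still present, and once the prefix is stripped it matches all but the empty-username entry, where "user .* <HOST>" would need two spaces between "user" and the address.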
