I have been having a problem getting fail2ban to read my log file so it can block unauthorized ssh attempts due to the log format.
It has a problem with auth.info, authpriv.notice and authpriv.warn to be specific. I have not had any luck with modifying the "_prefix_line" variable in common.conf nor the regex in sshd.conf in the fail2ban/filter.d directory to deal with these additional strings.
Does anyone else have fail2ban working properly, or do you use something else to keep the barbarians from the door?
Jul 31 03:29:45 deb-pogo auth.info sshd[2753]: Did not receive identification string from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: reverse mapping checking getaddrinfo for 163-172-198-246.rev.poneytelecom.eu [163.172.198.246] fai$
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: Invalid user admin from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: input_userauth_request: invalid user admin [preauth]
Jul 31 03:29:46 deb-pogo authpriv.warn sshd[2754]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 03:29:46 deb-pogo authpriv.notice sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.$
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin from 163.172.198.246 port 62295 ssh2
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Received disconnect from 163.172.198.246: 11: Closed due to user request. [preauth]
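The lines in the post use the busybox-syslogd layout, where a `facility.priority` token (`auth.info`, `authpriv.warn`, `authpriv.notice`) sits between the hostname and the program name, which is why a prefix regex written for plain `Mon DD HH:MM:SS host sshd[pid]:` lines never matches. The following Python script is an added example, not code from the poster or from the fail2ban project: it shows a prefix regex that treats that token as optional, runs it over the post's own lines plus one constructed plain-format line (IP from the documentation range), and counts authentication failures per source address the way a filter/jail combination would. The regexes, function names and the `maxretry` value are this example's own assumptions, not fail2ban's `_prefix_line` or `sshd.conf` definitions.

```python
import re
from collections import Counter

# Sample lines taken from the post above (busybox-syslogd format with a
# "facility.priority" token between the hostname and "sshd[pid]").
POST_LINES = [
    "Jul 31 03:29:45 deb-pogo auth.info sshd[2753]: Did not receive identification string from 163.172.198.246",
    "Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: Invalid user admin from 163.172.198.246",
    "Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: input_userauth_request: invalid user admin [preauth]",
    "Jul 31 03:29:46 deb-pogo authpriv.warn sshd[2754]: pam_unix(sshd:auth): check pass; user unknown",
    "Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin from 163.172.198.246 port 62295 ssh2",
    "Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Received disconnect from 163.172.198.246: 11: Closed due to user request. [preauth]",
]

# Constructed line in the plain syslog layout (no facility token), using a
# documentation-range IP, to show one prefix regex can cover both layouts.
PLAIN_LINES = [
    "Jul 31 03:30:01 deb-pogo sshd[2760]: Failed password for root from 192.0.2.10 port 40022 ssh2",
]

# Prefix: timestamp, host, OPTIONAL "facility.priority" token, "sshd[pid]: ".
# The optional group is the piece the poster's fail2ban prefix is missing.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<facility>[a-z]+\.[a-z]+) )?"
    r"(?P<prog>sshd)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Message-body patterns that count as an authentication failure (assumed set,
# deliberately small; a real filter carries more).
FAILURE_PATTERNS = [
    re.compile(r"^Failed password for (?:invalid user )?\S+ from " + IPV4),
    re.compile(r"^Invalid user \S+ from " + IPV4),
]


def parse_line(line):
    """Return the prefix fields and message body, or None if the prefix does not match."""
    m = PREFIX.match(line)
    return m.groupdict() if m else None


def failure_ip(line):
    """Return the source IP if the line is an auth failure, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    for pat in FAILURE_PATTERNS:
        m = pat.match(rec["msg"])
        if m:
            return m.group("ip")
    return None


def count_failures(lines):
    """Count auth failures per source IP across the given log lines."""
    counts = Counter()
    for line in lines:
        ip = failure_ip(line)
        if ip:
            counts[ip] += 1
    return dict(counts)


def hosts_over_threshold(lines, maxretry=2):
    """IPs that reached maxretry failures (the jail's ban decision, simplified)."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    all_lines = POST_LINES + PLAIN_LINES
    for line in all_lines:
        rec = parse_line(line)
        print(rec["facility"], "->", failure_ip(line))
    print(count_failures(all_lines))
    print(hosts_over_threshold(all_lines))
```

The point of the optional `(?:(?P<facility>[a-z]+\.[a-z]+) )?` group is that one prefix works for both log layouts, so the same failure patterns can be reused unchanged. When adapting a real filter, fail2ban ships a `fail2ban-regex` command that takes a log file and a filter file and reports which lines matched, which is the quickest way to confirm a prefix change before reloading the jail.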