From: Yiannis y. <gyi...@ho...> - 2007-04-25 07:33:39
Well, I am away right now to provide the logfile. What I did to resolve the problem was installing syslog-ng logger instead of sysklogd. Thus, without the repeat X times feature I was able to catch the event. (I am sure that I receive only one line for failed attempts. It may be because of my configuration, but it still happens...)

Regards,
Yiannis

----Original Message Follows----
From: Yaroslav Halchenko <li...@on...>
To: Yiannis yiakoumis <gyi...@ho...>
CC: ty...@sc..., fai...@li...
Subject: Re: [Fail2ban-users] failregex syntax
Date: Mon, 23 Apr 2007 14:01:27 -0400

Are you sure that you see those 'Last message repeated' in /var/log/auth.log?

Usually (by default iirc) each attempt to login into ssh server produces multiple log lines
1. to mention that user is unknown
2. failed password
3. various lines from pam authentication module.

depending on your setup - you might go around pam authentication (ssh keys)...

it would make troubleshooting easier if you provide a sample of your log file with those messages and messages around it...

On Mon, 23 Apr 2007, Yiannis yiakoumis wrote:

> It seems that it partly works with the default regex.
> I say partly because I have the following issue.
> I use debian 4.0, and the problem is that when I have more than one identical log messages, they appear in the logfile as
> This is the real logline.
> Last message repeated X times
> Thus, fail2ban doesn't recognize that the event happened more than once, and it doesn't act the way I want.
> Any help?
> Thanks once again,
> Yiannis

> ----Original Message Follows----
> From: "Tyler Owen" <ty...@sc...>
> Reply-To: ty...@sc...
> To: fai...@li...
> Subject: Re: [Fail2ban-users] failregex syntax
> Date: Mon, 23 Apr 2007 11:28:30 -0500 (CDT)
> The default regex should work for you to detect unsuccessful attempts.
> The log that you sent is a successful login. Are you wanting to block
> successful ones too??
> ----- Original Message -----
> Subject: [Fail2ban-users] failregex syntax
> Date: Mon, April 23, 2007 11:49
> From: "Yiannis yiakoumis" <gyi...@ho...>
> > Hi all,
> > I try to use fail2ban in order to block ips who unsuccessfully try to login
> > through ssh to my system.
> > The logline of ssh failure is
> > Apr 23 17:50:16 rigas sshd[7510]: Accepted password for john from
> > 192.168.0.108 port 49650 ssh2
> > Which is the failregex that I should use to block this entry? I tried one
> > found in the web, but it was rejected by fail2ban as having compile errors.
> > Moreover, is there any howto about how to edit failregex and what all these
> > symbols mean??
> > Thanks in advance,
> > Yiannis
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fai...@li...
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
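
Added example, not part of the mailing-list thread: a line-by-line failure counter run over a constructed sysklogd-style log, showing how the "last message repeated X times" compression discussed above hides attempts from a per-line matcher and how expanding the marker recovers them. The log lines, both regular expressions and the threshold of 3 are assumptions made for this illustration, not fail2ban's shipped filter.

```python
import re
from collections import Counter

# Constructed sysklogd-style sample; host "rigas" is taken from the thread,
# the addresses, users and ports are made up for this example.
SAMPLE_LOG = """\
Apr 23 17:50:16 rigas sshd[7510]: Failed password for john from 192.168.0.108 port 49650 ssh2
Apr 23 17:50:21 rigas last message repeated 4 times
Apr 23 17:51:02 rigas sshd[7522]: Accepted password for john from 192.168.0.50 port 49702 ssh2
Apr 23 17:52:10 rigas sshd[7530]: Failed password for invalid user admin from 192.168.0.77 port 50111 ssh2
Apr 23 17:52:40 rigas sshd[7533]: Failed password for invalid user admin from 192.168.0.77 port 50114 ssh2
""".splitlines()

# Assumed pattern for OpenSSH password failures (illustrative only).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Whole-line match, so the phrase appearing inside a logged user name
# or other remote-controlled field is never treated as a repeat marker.
REPEATED = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$"
)

def count_failures(lines, expand_repeats):
    """Count failed-password events per source address.

    With expand_repeats=False each matching line counts once, which is
    what a purely per-line matcher sees. With expand_repeats=True a repeat
    marker adds N more events to the address of the preceding line
    (assumption: the marker refers to the line directly above it).
    """
    counts = Counter()
    previous_host = None  # address matched by the preceding log line
    for line in lines:
        marker = REPEATED.match(line)
        if marker:
            if expand_repeats and previous_host is not None:
                counts[previous_host] += int(marker.group("n"))
            continue  # further markers still refer to the same message
        match = FAILED.search(line)
        previous_host = match.group("host") if match else None
        if previous_host:
            counts[previous_host] += 1
    return counts

def hosts_over(counts, maxretry):
    """Addresses whose failure count reaches the ban threshold."""
    return sorted(host for host, n in counts.items() if n >= maxretry)
```
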