auth.log should log instead:
Nov 23 22:43:58 users sshd[4441]: Failed password for root from 1.2.3.4 port 37458 ssh2

and not 'Connection closed by'. Check your config in /etc/ssh; there might be something in there that modifies how auth.log prints failed lines.

Maybe in /etc/ssh/sshd_config you need:
PrintLastLog yes




On Sat, Nov 23, 2013 at 10:38 PM, John Thoe <johnthoe@outlook.com> wrote:
Hi community :)

I am using Fail2Ban v0.8.6 on Debian squeeze. My auth.log looks like:

Nov 23 21:50:07 sshd[8142]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:12 sshd[8144]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:15 sshd[8146]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:23 sshd[8150]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:27 sshd[8152]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:31 sshd[8154]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]

But fail2ban is not able to ban these attempts. What is wrong here? Google search does not reveal much.

- JT
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
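
An added example, not part of the thread and not Fail2ban's shipped sshd filter: it runs the log lines quoted above through simplified, hypothetical patterns to show which of them carry a source address that a ban could act on. The pattern names, the helper functions and the stand-in address 192.0.2.10 (replacing the masked address in the post) are assumptions.

```python
import re

# Constructed sample: lines taken from the thread. 192.0.2.10 is a
# documentation address standing in for the masked 6X.XXX.XXX.XXX.
SAMPLE = """\
Nov 23 22:43:58 users sshd[4441]: Failed password for root from 1.2.3.4 port 37458 ssh2
Nov 23 21:50:07 sshd[8142]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:37 sshd[8158]: Connection closed by 192.0.2.10 [preauth]
"""

# Simplified patterns written for this example (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Syslog prefix; the hostname field is optional because the poster's lines lack it.
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} (?:\S+ )?sshd\[(?P<pid>\d+)\]: "

PATTERNS = {
    "failed_password": re.compile(
        PREFIX + r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2$"),
    "too_many_failures": re.compile(
        PREFIX + r"Disconnecting: Too many authentication failures for \S+ \[preauth\]$"),
    "connection_closed": re.compile(
        PREFIX + r"Connection closed by " + HOST + r" \[preauth\]$"),
}

def classify(line):
    """Return (pattern name, source address or None) for one auth.log line."""
    for name, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            # Patterns without a host group yield None: nothing to ban.
            return name, match.groupdict().get("host")
    return None, None

def bannable_hosts(text, kinds=("failed_password",)):
    """Count matching lines per source address for the selected line kinds."""
    counts = {}
    for line in text.splitlines():
        kind, host = classify(line)
        if kind in kinds and host:
            counts[host] = counts.get(host, 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(classify(line), "<-", line)
    print(bannable_hosts(SAMPLE))
```

The "Too many authentication failures" lines are recognised but contain no address, so no pattern can extract one from them; only the "Connection closed by" line in the poster's log names the client.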