This is still going on. Any ideas why fail2ban is not blocking it?

Here is a new sample:
/var/log/fail2ban.log
2012-05-06 06:31:01,970 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:01,970 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:02,971 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:02,972 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:39,012 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:39,013 fail2ban.filter : DEBUG  Found 91.93.190.220
2012-05-06 06:31:39,013 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:41,015 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:41,015 fail2ban.filter : DEBUG  Found 91.93.190.220
2012-05-06 06:31:41,016 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:44,018 fail2ban.filter : DEBUG  /var/log/auth.log has been modified

/var/log/auth.log
May  6 06:31:38 ym-linode-01 sshd[3198]: reverse mapping checking getaddrinfo for host-91-93-190-220.teletektelekom.com [91.93.190.220] failed - POSSIBLE BREAK-IN ATTEMPT!
May  6 06:31:38 ym-linode-01 sshd[3198]: Invalid user 173.252.247.173 from 91.93.190.220
May  6 06:31:38 ym-linode-01 sshd[3198]: pam_unix(sshd:auth): check pass; user unknown
May  6 06:31:38 ym-linode-01 sshd[3198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.93.190.220
May  6 06:31:40 ym-linode-01 sshd[3198]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 39245 ssh2
May  6 06:31:40 ym-linode-01 sshd[3198]: pam_unix(sshd:auth): check pass; user unknown
May  6 06:31:43 ym-linode-01 sshd[3198]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 39245 ssh2
May  6 06:31:43 ym-linode-01 sshd[3198]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.93.190.220

Here is today's LOGWATCH. Fail2ban should be catching this:
Illegal users from:
  91.93.190.220 (host-91-93-190-220.teletektelekom.com): 60 times

- Y
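
One way to check offline whether the failures in a log ever reach a jail's threshold, given here as an added example that is not part of the original thread and not fail2ban's own code. The regexes are simplified stand-ins for an sshd filter, the maxretry and findtime values are assumptions (use the ones from your jail configuration), and the last three sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First three lines are from the post; the last three are constructed
# (the same client returning 30 minutes later) to exercise the window.
SAMPLE = """\
May  6 06:31:38 ym-linode-01 sshd[3198]: Invalid user 173.252.247.173 from 91.93.190.220
May  6 06:31:40 ym-linode-01 sshd[3198]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 39245 ssh2
May  6 06:31:43 ym-linode-01 sshd[3198]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 39245 ssh2
May  6 07:01:38 ym-linode-01 sshd[3301]: Invalid user 173.252.247.173 from 91.93.190.220
May  6 07:01:40 ym-linode-01 sshd[3301]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 40112 ssh2
May  6 07:01:43 ym-linode-01 sshd[3301]: Failed password for invalid user 173.252.247.173 from 91.93.190.220 port 40112 ssh2
"""

IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-ins for an sshd filter, NOT fail2ban's shipped failregex.
# Greedy ".*" plus the end anchor ties <host> to the last "from", so an
# IP-shaped user name is not taken for the source address.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user .* from " + IPV4 + r"\s*$"),
    re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port \d+ ssh2\s*$"),
]

def failures(log_text, year=2012):
    """Return [(timestamp, host)] for every line a pattern matches."""
    hits = []
    for line in log_text.splitlines():
        m = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
        if m:
            # syslog timestamps carry no year; it is supplied by the caller
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def would_ban(log_text, maxretry, findtime):
    """Return {host: time its maxretry-th failure fell within findtime seconds}."""
    recent, banned = defaultdict(deque), {}
    for ts, host in failures(log_text):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()  # drop failures older than the findtime window
        if len(q) >= maxretry:
            banned.setdefault(host, ts)
    return banned

if __name__ == "__main__":
    for findtime in (600, 3600):  # assumed values; read yours from jail.conf
        print(findtime, would_ban(SAMPLE, maxretry=6, findtime=findtime))
```

With these assumed settings the host is matched on every line, but six failures never fall inside a 600-second window, while a 3600-second window reaches the threshold on the sixth.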

On Sun, May 6, 2012 at 9:10 AM, Yehuda Katz <yehuda@ymkatz.net> wrote:

On Sat, May 5, 2012 at 9:45 PM, Yehuda Katz <yehuda@ymkatz.net> wrote:
Fail2Ban v0.8.4

I enabled DEBUG (I had to disable my jail that watches the Fail2Ban log for repeat failures and bans them for longer, because the debug messages in the log trigger the filter which adds more messages to the log when it runs, and wastes system resources at best.)

Is there a way to get fail2ban to reprocess that log file (before logrotate gets to it)?


On Sat, May 5, 2012 at 2:16 AM, Yaroslav Halchenko <lists@onerussian.com> wrote:
uuu -- might be trying to perform a DoS on 173.252.234.0/24 ie
take2hosting.com

so -- you would need to turn debug mode on (check your fail2ban.conf)
and share such precious information as fail2ban version you are using ;)

On Fri, 04 May 2012, Yehuda Katz wrote:

>    I ran into the following issue on one of our servers. I was reviewing our
>    logwatch messages today and I noticed that a single host was able to try
>    to log in 46 times (should have been banned for a week).
>    Fail2ban is banning other SSH attackers, the difference is that this one
>    is using IP addresses as the user name.
>    I posted the log on pastebin so that it does not lose its
>    formatting: http://pastebin.com/raw.php?i=cSS9tc2R
>    Thoughts on why this is not being banned?
>    (I will admit that I have not done any of my own investigation. Next week
>    is finals week and I just don't have time now.)
--
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik
