Fail2ban IS banning other attacks from that log, just not when the username is in the format of an IP address.

Example:
/var/log/auth.log
May  6 06:49:22 ym-linode-01 sshd[3376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=014198069230.ctinets.com  user=root
May  6 06:49:24 ym-linode-01 sshd[3376]: Failed password for root from 14.198.69.230 port 20602 ssh2
May  6 06:49:26 ym-linode-01 sshd[3378]: Invalid user oracle from 14.198.69.230
May  6 06:49:26 ym-linode-01 sshd[3378]: pam_unix(sshd:auth): check pass; user unknown
May  6 06:49:26 ym-linode-01 sshd[3378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=014198069230.ctinets.com
May  6 06:49:28 ym-linode-01 sshd[3378]: Failed password for invalid user oracle from 14.198.69.230 port 20913 ssh2
May  6 06:49:31 ym-linode-01 sshd[3380]: Invalid user oracle from 14.198.69.230
May  6 06:49:31 ym-linode-01 sshd[3380]: pam_unix(sshd:auth): check pass; user unknown
May  6 06:49:31 ym-linode-01 sshd[3380]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=014198069230.ctinets.com
May  6 06:49:33 ym-linode-01 sshd[3380]: Failed password for invalid user oracle from 14.198.69.230 port 21232 ssh2
May  6 06:49:35 ym-linode-01 sshd[3382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=014198069230.ctinets.com  user=root
May  6 06:49:37 ym-linode-01 sshd[3382]: Failed password for root from 14.198.69.230 port 21581 ssh2

/var/log/fail2ban.log
2012-05-06 06:49:23,238 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:23,239 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:25,240 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:25,241 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:25,241 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:27,243 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:27,244 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:27,244 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:29,245 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:29,246 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:29,246 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:32,249 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:32,249 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:32,250 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:34,251 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:34,252 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:34,252 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:36,254 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:36,255 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:38,256 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:49:38,256 fail2ban.filter : DEBUG  Found 14.198.69.230
2012-05-06 06:49:38,257 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:49:39,257 fail2ban.actions: WARNING [ssh] Ban 14.198.69.230



- Y

On Thu, May 10, 2012 at 12:20 PM, bob <bob@bobhoffman.com> wrote:
On 5/10/2012 12:02 PM, Yehuda Katz wrote:
This is still going on. Any ideas why fail2ban is not blocking it?

Here is a new sample:
/var/log/fail2ban.log
2012-05-06 06:31:01,970 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:01,970 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:02,971 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:02,972 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-05-06 06:31:39,012 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2012-05-06 06:31:39,013 fail2ban.filter : DEBUG  Found 91.93.190.220
2012-05-06 06:31:39,013 fail2ban.filter.datedetector: DEBUG  Sorting the 
Whatever logfile all the attempts are in... look for a jail in jail.conf that is using it,
then check the .conf file for that jail and see if there is a regex to look for it.
I guarantee unless you added something for mapping, there is not.
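
The check suggested in the reply above (find which log lines the jail's filter regex actually matches, and which address it captures) can be reproduced offline. This is an added example, not part of the original thread and not fail2ban's own code: the two patterns are simplified assumptions standing in for a filter's failregex entries, and the last log line is constructed to exercise a username shaped like an IP address.

```python
import re

# Assumption: simplified stand-ins for two sshd failregex entries, not the
# filter fail2ban ships. <HOST> is expanded to a named IPv4 capture group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$",
    r"Invalid user \S+ from <HOST>$",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# First five lines are from the auth.log excerpt in the thread. The last line
# is constructed (documentation addresses) to exercise an IP-shaped username.
AUTH_LOG = [
    "May  6 06:49:22 ym-linode-01 sshd[3376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=014198069230.ctinets.com  user=root",
    "May  6 06:49:24 ym-linode-01 sshd[3376]: Failed password for root from 14.198.69.230 port 20602 ssh2",
    "May  6 06:49:26 ym-linode-01 sshd[3378]: Invalid user oracle from 14.198.69.230",
    "May  6 06:49:26 ym-linode-01 sshd[3378]: pam_unix(sshd:auth): check pass; user unknown",
    "May  6 06:49:28 ym-linode-01 sshd[3378]: Failed password for invalid user oracle from 14.198.69.230 port 20913 ssh2",
    "May  6 06:50:00 ym-linode-01 sshd[3390]: Invalid user 192.0.2.10 from 198.51.100.7",
]


def scan(lines):
    """Split lines into (host, line) hits and lines that no pattern matched."""
    hits, misses = [], []
    for line in lines:
        match = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
        if match:
            hits.append((match.group("host"), line))
        else:
            misses.append(line)
    return hits, misses


if __name__ == "__main__":
    hits, misses = scan(AUTH_LOG)
    for host, line in hits:
        print(f"MATCH  host={host:<15} {line}")
    for line in misses:
        print(f"MISSED {'':<20} {line}")
```

On a live system, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` runs the same kind of check against the real filter file.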