From: Tyler O. <ty...@sc...> - 2007-04-23 16:28:40
The default regex should work for you to detect unsuccessful attempts. The log that you sent is a successful login. Are you wanting to block successful ones too??

----- Original Message -----
Subject: [Fail2ban-users] failregex syntax
Date: Mon, April 23, 2007 11:49
From: "Yiannis yiakoumis" <gyi...@ho...>

> Hi all,
>
> I try to use fail2ban in order to block IPs who unsuccessfully try to login
> through ssh to my system.
> The logline of ssh failure is
>
> Apr 23 17:50:16 rigas sshd[7510]: Accepted password for john from 192.168.0.108 port 49650 ssh2
>
> Which is the failregex that I should use to block this entry? I tried one
> found in the web, but it was rejected by fail2ban as having compile errors.
> Moreover, is there any howto about how to edit failregex and what all these
> symbols mean??
> Thanks in advance,
> Yiannis
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Tyler O. <ty...@sc...> - 2007-04-23 16:59:20
There is a nice tool that is included with the product called fail2ban-regex that will test your failregex against a logline. If you get a match with fail2ban-regex then you should get a block (or whatever action you have defined). I ran this against your regex and log line (with Failed replacing Accepted) and got a match. Do you get the same result?

[tyler@localhost filter.d]$ fail2ban-regex "Apr 23 17:50:16 rigas sshd[7510]: Failed password for john from 192.168.0.108 port 49650 ssh2" "(?:(?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED).*(?: from|FROM) <HOST>"

Running tests
=============

Use regex line : (?:(?:Authentication failure|Failed [-/\w+]+) for(...
Use single line: Apr 23 17:50:16 rigas sshd[7510]: Failed password ...

Results
=======

Failregex: [1] (?:(?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED).*(?: from|FROM) <HOST>
Number of matches:
[1] 1 match(es)

Addresses found:
[1] 192.168.0.108 (Sun Apr 23 17:50:16 2006)

Date template hits:
1 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: Year-Month-Day Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important information.

----- Original Message -----
Subject: Re: [Fail2ban-users] failregex syntax
Date: Mon, April 23, 2007 12:42
From: "Yiannis yiakoumis" <gyi...@ho...>

> Obviously I pasted the wrong logline here. Just replace accepted with failed
> for the wanted log.
> The regex is like this :
>
> failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED).*(?: from|FROM) <HOST>
>
> but I cannot see anything like a blocking action after unsuccessful logins...
>
> Any suggestions??
> Thanks,
> Yiannis
From: Yiannis y. <gyi...@ho...> - 2007-04-23 16:42:41
Obviously I pasted the wrong logline here. Just replace accepted with failed for the wanted log.
The regex is like this :

failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED).*(?: from|FROM) <HOST>

but I cannot see anything like a blocking action after unsuccessful logins...

Any suggestions??
Thanks,
Yiannis

----Original Message Follows----
From: "Tyler Owen" <ty...@sc...>
Reply-To: ty...@sc...
To: fai...@li...
Subject: Re: [Fail2ban-users] failregex syntax
Date: Mon, 23 Apr 2007 11:28:30 -0500 (CDT)

The default regex should work for you to detect unsuccessful attempts. The log that you sent is a successful login. Are you wanting to block successful ones too??
From: Yiannis y. <gyi...@ho...> - 2007-04-23 16:54:21
It seems that it partly works with the default regex. I say partly because I have the following issue.
I use debian 4.0, and the problem is that when I have more than one identical log messages, they appear in the logfile as

This is the real logline.
Last message repeated X times

Thus, fail2ban doesn't recognize that the event happened more than once, and it doesn't act the way I want.
Any help?
Thanks once again,
Yiannis

----Original Message Follows----
From: "Tyler Owen" <ty...@sc...>
Reply-To: ty...@sc...
To: fai...@li...
Subject: Re: [Fail2ban-users] failregex syntax
Date: Mon, 23 Apr 2007 11:28:30 -0500 (CDT)

The default regex should work for you to detect unsuccessful attempts. The log that you sent is a successful login. Are you wanting to block successful ones too??
From: Cyril J. <cyr...@fa...> - 2007-04-23 21:39:40
Hi Yiannis,

> I use debian 4.0, and the problem is that when I have more than one
> identical log messages, they appear in the logfile as
>
> This is the real logline.
> Last message repeated X times
>
> Thus, fail2ban doesn't recognize that the event happened more than once,
> and it doesn't act the way I want.
>

Some syslog daemons have an option to disable this kind of log compression. There is already a bug report for this:
http://sourceforge.net/tracker/index.php?func=detail&aid=1620513&group_id=121032&atid=689044

Regards,
Cyril Jaquier
From: Yaroslav H. <li...@on...> - 2007-04-24 17:30:07
Are you sure that you see those 'Last message repeated' in /var/log/auth.log? Usually (by default iirc) each attempt to login into ssh server produces multiple log lines

1. to mention that user is unknown
2. failed password
3. various lines from pam authentication module.

depending on your setup - you might go around pam authentication (ssh keys)...

it would make troubleshooting easier if you provide a sample of your log file with those messages and messages around it...

On Mon, 23 Apr 2007, Yiannis yiakoumis wrote:
> It seems that it partly works with the default regex.
> I say partly because I have the following issue.
> I use debian 4.0, and the problem is that when I have more than one identical log messages, they appear in the logfile as
> This is the real logline.
> Last message repeated X times
> Thus, fail2ban doesn't recognize that the event happened more than once, and it doesn't act the way I want.
> Any help?
> Thanks once again,
> Yiannis

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User    ^^-^^    [175555]
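As an added illustration, not code from this thread or from fail2ban itself, the script below covers two points raised above: Tyler's fail2ban-regex check of the posted failregex, and the sysklogd "last message repeated N times" compression that hides repeated failures from the counter. It compiles the thread's failregex the way fail2ban does, by substituting <HOST>, using a simplified \S+ host group (an assumption; fail2ban's own host pattern is stricter), then counts matches per host over a constructed auth.log sample both with and without expanding the repeat marker. The sample log lines, the 10.0.0.5 address and the maxretry=5 threshold are constructed for the example and are not taken from anyone's jail configuration.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> placeholder in a failregex with a host-capturing
# group before compiling it. The group below is a simplified stand-in
# (assumption: fail2ban's own host pattern is more specific than \S+).
HOST_PLACEHOLDER = "<HOST>"
HOST_GROUP = r"(?P<host>\S+)"

# The sshd failregex posted in the thread, joined onto a single line.
FAILREGEX = (
    r"(?:(?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED).*(?: from|FROM) <HOST>"
)

# Traditional syslog line: "Apr 23 17:50:16 rigas sshd[7510]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<rest>.*)$"
)
# sysklogd's duplicate-suppression marker; IGNORECASE also accepts the
# capitalised form quoted in the thread.
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$", re.IGNORECASE)

# Constructed sample of /var/log/auth.log: a burst of failures that sysklogd
# collapsed into a repeat marker, one successful login, and one attempt on an
# unknown account, which sshd reports on two separate lines (Yaroslav's point).
SAMPLE_LOG = [
    "Apr 23 17:50:16 rigas sshd[7510]: Failed password for john from 192.168.0.108 port 49650 ssh2",
    "Apr 23 17:50:20 rigas last message repeated 4 times",
    "Apr 23 17:51:02 rigas sshd[7511]: Accepted password for john from 192.168.0.108 port 49651 ssh2",
    "Apr 23 17:52:10 rigas sshd[7520]: Invalid user admin from 10.0.0.5",
    "Apr 23 17:52:12 rigas sshd[7520]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2",
]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with <HOST>) into a compiled Python regex."""
    return re.compile(failregex.replace(HOST_PLACEHOLDER, HOST_GROUP))


def expand_repeats(lines):
    """Undo 'last message repeated N times' so every suppressed event is a line again.

    The re-emitted copies carry the marker's timestamp, the closest available
    approximation of when the suppressed events actually happened.
    """
    expanded, previous = [], None
    for line in lines:
        m = SYSLOG_RE.match(line)
        rep = REPEAT_RE.match(m.group("rest")) if m else None
        if rep:
            if previous is not None:
                body = SYSLOG_RE.match(previous).group("rest")
                copy = f"{m.group('ts')} {m.group('hostname')} {body}"
                expanded.extend([copy] * int(rep.group("n")))
            continue
        expanded.append(line)
        previous = line if m else None
    return expanded


def count_failures(lines, failregex=FAILREGEX, expand=True):
    """Count failregex matches per host, as a fail2ban filter would over the same lines."""
    rx = compile_failregex(failregex)
    if expand:
        lines = expand_repeats(lines)
    counts = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts at or above the retry threshold (maxretry=5 is an illustrative value)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for expand in (False, True):
        counts = count_failures(SAMPLE_LOG, expand=expand)
        print(f"expand_repeats={expand}: {dict(counts)} -> ban {hosts_to_ban(counts)}")
```

Without expansion the five failures from 192.168.0.108 count as one, so the threshold is never reached; this is exactly the symptom Yiannis describes, and the reason the thread's remedies (turning off the syslog daemon's duplicate suppression, or switching to a logger that does not compress) matter to the detection. The successful "Accepted password" line never matches, and the unknown-user attempt from 10.0.0.5 is counted twice because sshd writes two matching lines for it.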
From: Yiannis y. <gyi...@ho...> - 2007-04-25 07:33:39
Well, I am away right now to provide the logfile. What I did to resolve the problem was installing the syslog-ng logger instead of sysklogd. Thus, without the repeat X times feature I was able to catch the event. (I am sure that I receive only one line for failed attempts. It may be because of my configuration, but it still happens...)
Regards,
Yiannis

----Original Message Follows----
From: Yaroslav Halchenko <li...@on...>
To: Yiannis yiakoumis <gyi...@ho...>
CC: ty...@sc..., fai...@li...
Subject: Re: [Fail2ban-users] failregex syntax
Date: Mon, 23 Apr 2007 14:01:27 -0400

Are you sure that you see those 'Last message repeated' in /var/log/auth.log? Usually (by default iirc) each attempt to login into ssh server produces multiple log lines

1. to mention that user is unknown
2. failed password
3. various lines from pam authentication module.

depending on your setup - you might go around pam authentication (ssh keys)...

it would make troubleshooting easier if you provide a sample of your log file with those messages and messages around it...