From: Frederic B. <fre...@gm...> - 2010-07-01 12:48:16
Hello everyone,

First I would like to thank the guys who develop and maintain this very useful tool.

On Ubuntu 10.04 (libpam-modules version: 1.1.1-2ubuntu2) I have installed the version 0.8.4-1ubuntu1 of fail2ban and cannot manage to make it work due to the fact that I got only one line for multiple failed connections, as you can see in the following messages in /var/log/auth.log:

    Jul 1 13:41:55 toto sshd[5523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=toto.pck.nerim.net user=toto
    Jul 1 13:41:56 toto sshd[5523]: *Failed password for toto from 213.41.133.174 port 50030 ssh2*
    Jul 1 13:42:29 toto sshd[5523]: *last message repeated 5 times*
    Jul 1 13:42:29 toto sshd[5523]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=toto.pck.nerim.net user=toto
    Jul 1 13:42:29 toto sshd[5523]: PAM service(sshd) ignoring max retries; 6 > 3

My jail.local looks like:

    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime = 3600
    maxretry = 3
    findtime = 600

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=yo...@ma..., sender=fai...@ma...]
    logpath = /var/log/auth.log

Do you have any clue on the way to solve this issue?

Thanks in advance,
Frederic

From: Arturo 'B. B. <bu...@bu...> - 2010-07-01 14:06:21
On 07/01/2010 09:48 AM, Frederic BOUY wrote:
> installed the version 0.8.4-1ubuntu1 of fail2ban and can not manage to
> make it work due to the fact that I got only one line for multiple
> failed connections as you can see in the following messages in
> /var/log/auth.log:
>
> Jul 1 13:42:29 toto sshd[5523]: *last message repeated 5 times*
> Do you have any clue on the way to solve this issue?

    sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf

That command changes 'on' to 'off' for the RepeatedMsgReduction configuration parameter for /etc/rsyslog.conf

After that, restart rsyslog with:

    sudo service rsyslog restart

-- 
Arturo "Buanzo" Busleiman
Independent Linux and Security Consultant - OWASP - SANS - OISSG
http://www.buanzo.com.ar/pro/eng.html

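Why the jail in this thread never reaches maxretry, as an added example that is not part of the original messages or of fail2ban's own code: a line-matching filter sees one "Failed password" line, while the repeat marker hides five more. The sample log is constructed from the excerpt above, `FAILED` is a simplified stand-in for a filter rule, and the ban threshold is modelled as count >= maxretry (both assumptions).

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log excerpt quoted in the thread.
REDUCED = """\
Jul  1 13:41:55 toto sshd[5523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=toto.pck.nerim.net user=toto
Jul  1 13:41:56 toto sshd[5523]: Failed password for toto from 213.41.133.174 port 50030 ssh2
Jul  1 13:42:29 toto sshd[5523]: last message repeated 5 times
Jul  1 13:42:29 toto sshd[5523]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=toto.pck.nerim.net user=toto
"""

# Simplified stand-in for a "Failed password" rule (assumption, not fail2ban's sshd.conf).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<host>\d+\.\d+\.\d+\.\d+) ")
# Marker written by the syslog daemon when repeated-message reduction is on.
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times?$")


def count_failures(log, expand_repeats=False):
    """Count failures per source IP as a line-matching filter would see them.

    With expand_repeats=True the repeat marker is credited to the previous
    line, which approximates the log written with RepeatedMsgReduction off.
    """
    hits = Counter()
    previous = None
    for line in log.splitlines():
        rep = REPEAT.search(line)
        if rep:
            # The marker carries no IP address, so a per-line regex cannot use it.
            if expand_repeats and previous:
                m = FAILED.search(previous)
                if m:
                    hits[m.group("host")] += int(rep.group("n"))
            continue
        previous = line
        m = FAILED.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(hits, maxretry=3):
    """Hosts whose failure count reaches maxretry (threshold is an assumption)."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for label, expand in (("reduction on ", False), ("reduction off", True)):
        hits = count_failures(REDUCED, expand_repeats=expand)
        print(label, dict(hits), "ban:", would_ban(hits))
```
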
From: Yaroslav H. <li...@on...> - 2010-07-01 16:34:16
Bravo Arturo,

Closing elderly bug report with this email, see below for the resolution on how to achieve such desired feature by adjusting your logging daemon configuration.

On Thu, 01 Jul 2010, Arturo 'Buanzo' Busleiman wrote:

> > installed the version 0.8.4-1ubuntu1 of fail2ban and can not manage to
> > make it work due to the fact that I got only one line for multiple
> > failed connections as you can see in the following messages in
> > /var/log/auth.log:

> > Jul 1 13:42:29 toto sshd[5523]: *last message repeated 5 times*
> > Do you have any clue on the way to solve this issue?

> sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf

> That command changes 'on' to 'off' for the RepeatedMsgReduction configuration parameter for
> /etc/rsyslog.conf

> After that, restart rsyslog with:

> sudo service rsyslog restart

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]