Re: [Fail2ban-users] How to configure fail2ban at Red Hat Enterprise Linux Server release 5.3 (Tikanga)

[René B. <rb...@ca...>]

Taras Shkodenko wrote:

> I have installed and started fail2ban-0.8.3 at my Red Hat Enterprise
> Linux Server release 5.3 (Tikanga) box.
> 
> I have changed on /etc/fail2ban/jail.conf settings for
> maxretry = 10

Not relevant but your changes should go into local.conf so they are not
clobbered when fail2ban is updated.

> and
> 
> [ssh-iptables]
> enabled  = true
> filter   = sshd
> action   = iptables[name=SSH, port=ssh, protocol=tcp]
>            sendmail-whois[name=SSH, dest=som...@so...,
> sender=fai...@ma...]
---^^^^^^^^^^^^^^^^^^^^^^^                   ^^^^^^^^^^^^^^^^^^^^^
Future error cause.

> logpath  = /var/log/audit/audit.log
> maxretry = 10
> 
> My SSHD stores error messages of failed login attempts in following format:
> 
> type=USER_LOGIN msg=audit(1247150024.468:279): user pid=24791 uid=0
> auid=4294967295 msg='acct="root": exe="/usr/sbin/sshd" (hostname=?,
> addr=WWW.XXX.YYY.ZZZ, terminal=sshd res=failed)'
[snip]

The log has no time information?  That would prevent fail2ban from
working... are you sure this is the only log?  Don't know about RedHat
but there must be a real log somewhere and I would start with syslog's
configuration.

Since the log format is not useful I don't see any sense on looking at
the regex.
-- 
René Berber