From: René B. <rb...@ca...> - 2009-07-10 15:50:55
Taras Shkodenko wrote:
> I have installed and started fail2ban-0.8.3 at my Red Hat Enterprise
> Linux Server release 5.3 (Tikanga) box.
>
> I have changed on /etc/fail2ban/jail.conf settings for
> maxretry = 10

Not relevant but your changes should go into local.conf so they are not
clobbered when fail2ban is updated.

> and
>
> [ssh-iptables]
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
> sendmail-whois[name=SSH, dest=som...@so...,
> sender=fai...@ma...]
---^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^
Future error cause.

> logpath = /var/log/audit/audit.log
> maxretry = 10
>
> My SSHD stores error messages of failed login attempts in following format:
>
> type=USER_LOGIN msg=audit(1247150024.468:279): user pid=24791 uid=0
> auid=4294967295 msg='acct="root": exe="/usr/sbin/sshd" (hostname=?,
> addr=WWW.XXX.YYY.ZZZ, terminal=sshd res=failed)'
[snip]

The log has no time information? That would prevent fail2ban from
working... are you sure this is the only log?

Don't know about RedHat but there must be a real log somewhere and I
would start with syslog's configuration.

Since the log format is not useful I don't see any sense in looking at
the regex.
--
René Berber
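
Added example, not part of the message above and not fail2ban code: a Linux audit record of the quoted shape carries its time as Unix epoch seconds inside `msg=audit(SECONDS.MILLIS:SERIAL)`, and this Python parser extracts that timestamp together with the account, source address and result. The sample lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the format quoted above; 192.0.2.x is a
# documentation address range, not data from the original post.
SAMPLE = [
    "type=USER_LOGIN msg=audit(1247150024.468:279): user pid=24791 uid=0 "
    "auid=4294967295 msg='acct=\"root\": exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=192.0.2.10, terminal=sshd res=failed)'",
    "type=USER_LOGIN msg=audit(1247150090.101:281): user pid=24801 uid=0 "
    "auid=500 msg='acct=\"alice\": exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=192.0.2.20, terminal=sshd res=success)'",
    "Jul  9 14:33:44 host sshd[24791]: not an audit record",
]

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d{3}):(\d+)\):")
FIELDS = {
    "acct": re.compile(r'\bacct="?([^":\s]+)'),
    "exe": re.compile(r'\bexe="([^"]+)"'),
    "addr": re.compile(r"\baddr=([^,\s)]+)"),
    "res": re.compile(r"\bres=(\w+)"),
}

def parse_record(line):
    """Return a dict for one audit record, or None if the header is absent."""
    m = HEADER.match(line)
    if not m:
        return None
    rec_type, secs, millis, serial = m.groups()
    # audit(SECONDS.MILLIS:SERIAL) is Unix epoch time, rendered here in UTC.
    when = (datetime.fromtimestamp(int(secs), tz=timezone.utc)
            + timedelta(milliseconds=int(millis)))
    rec = {"type": rec_type, "time": when, "serial": int(serial)}
    for name, rx in FIELDS.items():
        found = rx.search(line)
        rec[name] = found.group(1) if found else None
    return rec

def failed_ssh_logins(lines):
    """Return (time, addr, acct) for failed sshd USER_LOGIN records."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if (rec and rec["type"] == "USER_LOGIN" and rec["res"] == "failed"
                and rec["exe"] and rec["exe"].endswith("/sshd")
                and rec["addr"] not in (None, "?")):  # skip records with no address
            out.append((rec["time"], rec["addr"], rec["acct"]))
    return out
```
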