From: <to...@di...> - 2011-06-26 18:14:48
Hello Yaroslav,

> > But this succeeds ONLY with the manipulated filters
> > sshd(?:\[\d+\])?: (?:error ...
>
> well, I guess you do not have
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> in your filter definition file to get advantage of those definitions
> given in the common.conf

not correct, I have the same behaviour with both versions of the failregex, with or without the INCLUDES and DEFINITION in mysshd.conf. Thus, it seems, the INCLUDES have no effect (maybe there's sort of an incompatibility of the updated version of common.conf no longer matching the loglines?)

> altogether -- hard to say for sure what exactly is happening. boost up
> logging:
>
> $> cat /etc/fail2ban/fail2ban.local
> [Definition]
> loglevel = 4
> changes on filesystem:
>
> and wait/simulate for the attack to see what is logged -- then report ;)

Ok, I'll set the retry parameters to 1 to give fail2ban a chance to react (this will be needed now as my new Perl script now already bans after 1 wrong move - it hasn't learned to count so far). I'll report as soon as I find anything.

regards
Tom