[Fail2ban-users] jail or filter configuration for SSHD on alternate port with alternate chkconfig n

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,
Please forgive me if this is in the mailing list archives. I did not see a search function for the archives, and "fail2ban" "ssh" "port" as a Google search is not very selective :-(   (Maybe I need more coffee this morning!)

I noticed last night that fail2ban did not respond to a large number of failed login attempts to an SSH daemon on an alternate port (2222) on one of my hosts. (Fail2ban does work fine for my regular sshd as well as vsftpd on this and several other hosts, so overall it's working great -- thanks!!)

I don't see where in the fail2ban documentation it says how, or if, the daemon name in the log entries (e.g. "sshd" vs. "sshd-port2222" as I call my second SSH daemon instance) is configured or must be matched.

Do I need to edit something in the sshd filter or in some common configuration file to get fail2ban to associate log entries containing "sshd-port2222" with the "sshd" filter?

Is the match between the daemon name in the log entries and the name of the filters magic such that if I simply create a new jail & filter pair called "sshd-port2222" they will start matching?

Thanks!
-Jay

Below are some sample /var/log/secure entries, for both the standard port 22 sshd instance and this other port 2222 instance.

Dec 20 10:50:30 h1943185 sshd-port2222[26049]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: input_userauth_request: invalid user root
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: error: Could not get shadow information for NOUSER
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: Failed password for invalid user root from 200.241.41.4 port 34404 ssh2
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: Received disconnect from 200.241.41.4: 11: Bye Bye
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:54:16 h1943185 sshd-port2222[26091]: input_userauth_request: invalid user root
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: error: Could not get shadow information for NOUSER
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: Failed password for invalid user root from 200.241.41.4 port 50307 ssh2
Dec 20 10:54:16 h1943185 sshd-port2222[26091]: Received disconnect from 200.241.41.4: 11: Bye Bye
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:58:00 h1943185 sshd-port2222[26117]: input_userauth_request: invalid user root
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: error: Could not get shadow information for NOUSER
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: Failed password for invalid user root from 200.241.41.4 port 49786 ssh2
Dec 20 10:58:01 h1943185 sshd-port2222[26117]: Received disconnect from 200.241.41.4: 11: Bye Bye
...
(there were 27 of these, over a 90 minute period)

Dec  4 17:02:07 h1943185 sshd[27889]: Invalid user teamspeak from 85.214.93.54
Dec  4 17:02:07 h1943185 sshd[27890]: input_userauth_request: invalid user teamspeak
Dec  4 17:02:07 h1943185 sshd[27889]: pam_unix(sshd:auth): check pass; user unknown
Dec  4 17:02:07 h1943185 sshd[27889]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec  4 17:02:07 h1943185 sshd[27889]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak
Dec  4 17:02:09 h1943185 sshd[27889]: Failed password for invalid user teamspeak from 85.214.93.54 port 55595 ssh2
Dec  4 17:02:09 h1943185 sshd[27890]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec  4 17:02:09 h1943185 sshd[27891]: Invalid user teamspeak3 from 85.214.93.54
Dec  4 17:02:09 h1943185 sshd[27892]: input_userauth_request: invalid user teamspeak3
Dec  4 17:02:09 h1943185 sshd[27891]: pam_unix(sshd:auth): check pass; user unknown
Dec  4 17:02:09 h1943185 sshd[27891]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec  4 17:02:09 h1943185 sshd[27891]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak3
Dec  4 17:02:11 h1943185 sshd[27891]: Failed password for invalid user teamspeak3 from 85.214.93.54 port 55837 ssh2
Dec  4 17:02:11 h1943185 sshd[27892]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec  4 17:02:11 h1943185 sshd[27893]: Invalid user teamspeak from 85.214.93.54
Dec  4 17:02:11 h1943185 sshd[27894]: input_userauth_request: invalid user teamspeak
Dec  4 17:02:11 h1943185 sshd[27893]: pam_unix(sshd:auth): check pass; user unknown
Dec  4 17:02:11 h1943185 sshd[27893]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec  4 17:02:11 h1943185 sshd[27893]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak
Dec  4 17:02:13 h1943185 sshd[27893]: Failed password for invalid user teamspeak from 85.214.93.54 port 56016 ssh2
Dec  4 17:02:13 h1943185 sshd[27894]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec  4 17:02:13 h1943185 sshd[27909]: refused connect from ::ffff:85.214.93.54 (::ffff:85.214.93.54)

[Fail2ban-users] jail or filter configuration for SSHD on alternate port with alternate chkconfig n

[Fail2ban-users] jail or filter configuration for SSHD on alternate port with alternate chkconfig name e.g. "sshd-port2222" instead of "sshd" ?