From: Jay L. <li...@fe...> - 2011-12-21 08:18:51
Hi,

Please forgive me if this is in the mailing list archives. I did not see a search function for the archives, and "fail2ban" "ssh" "port" as a Google search is not very selective :-( (Maybe I need more coffee this morning!)

I noticed last night that fail2ban did not respond to a large number of failed login attempts to an SSH daemon on an alternate port (2222) on one of my hosts. (Fail2ban does work fine for my regular sshd as well as vsftpd on this and several other hosts, so overall it's working great -- thanks!!)

I don't see where in the fail2ban documentation it says how, or if, the daemon name in the log entries (e.g. "sshd" vs. "sshd-port2222", as I call my second SSH daemon instance) is configured or must be matched. Do I need to edit something in the sshd filter or in some common configuration file to get fail2ban to associate log entries containing "sshd-port2222" with the "sshd" filter? Is the match between the daemon name in the log entries and the name of the filters magic, such that if I simply create a new jail & filter pair called "sshd-port2222" they will start matching?

Thanks!
-Jay

Below are some sample /var/log/secure entries, for both the standard port 22 sshd instance and this other port 2222 instance.
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: input_userauth_request: invalid user root
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: error: Could not get shadow information for NOUSER
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: Failed password for invalid user root from 200.241.41.4 port 34404 ssh2
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: Received disconnect from 200.241.41.4: 11: Bye Bye
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:54:16 h1943185 sshd-port2222[26091]: input_userauth_request: invalid user root
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: error: Could not get shadow information for NOUSER
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: Failed password for invalid user root from 200.241.41.4 port 50307 ssh2
Dec 20 10:54:16 h1943185 sshd-port2222[26091]: Received disconnect from 200.241.41.4: 11: Bye Bye
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:58:00 h1943185 sshd-port2222[26117]: input_userauth_request: invalid user root
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: error: Could not get shadow information for NOUSER
Dec 20 10:58:00 h1943185 sshd-port2222[26116]: Failed password for invalid user root from 200.241.41.4 port 49786 ssh2
Dec 20 10:58:01 h1943185 sshd-port2222[26117]: Received disconnect from 200.241.41.4: 11: Bye Bye
...
(there were 27 of these, over a 90 minute period)

Dec 4 17:02:07 h1943185 sshd[27889]: Invalid user teamspeak from 85.214.93.54
Dec 4 17:02:07 h1943185 sshd[27890]: input_userauth_request: invalid user teamspeak
Dec 4 17:02:07 h1943185 sshd[27889]: pam_unix(sshd:auth): check pass; user unknown
Dec 4 17:02:07 h1943185 sshd[27889]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec 4 17:02:07 h1943185 sshd[27889]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak
Dec 4 17:02:09 h1943185 sshd[27889]: Failed password for invalid user teamspeak from 85.214.93.54 port 55595 ssh2
Dec 4 17:02:09 h1943185 sshd[27890]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec 4 17:02:09 h1943185 sshd[27891]: Invalid user teamspeak3 from 85.214.93.54
Dec 4 17:02:09 h1943185 sshd[27892]: input_userauth_request: invalid user teamspeak3
Dec 4 17:02:09 h1943185 sshd[27891]: pam_unix(sshd:auth): check pass; user unknown
Dec 4 17:02:09 h1943185 sshd[27891]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec 4 17:02:09 h1943185 sshd[27891]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak3
Dec 4 17:02:11 h1943185 sshd[27891]: Failed password for invalid user teamspeak3 from 85.214.93.54 port 55837 ssh2
Dec 4 17:02:11 h1943185 sshd[27892]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec 4 17:02:11 h1943185 sshd[27893]: Invalid user teamspeak from 85.214.93.54
Dec 4 17:02:11 h1943185 sshd[27894]: input_userauth_request: invalid user teamspeak
Dec 4 17:02:11 h1943185 sshd[27893]: pam_unix(sshd:auth): check pass; user unknown
Dec 4 17:02:11 h1943185 sshd[27893]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h1143598.serverkompetenz.net
Dec 4 17:02:11 h1943185 sshd[27893]: pam_succeed_if(sshd:auth): error retrieving information about user teamspeak
Dec 4 17:02:13 h1943185 sshd[27893]: Failed password for invalid user teamspeak from 85.214.93.54 port 56016 ssh2
Dec 4 17:02:13 h1943185 sshd[27894]: Received disconnect from 85.214.93.54: 11: Bye Bye
Dec 4 17:02:13 h1943185 sshd[27909]: refused connect from ::ffff:85.214.93.54 (::ffff:85.214.93.54)
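Added example (not part of Jay's message and not fail2ban's own code): a small Python script that reproduces, in cut-down form, why the stock sshd filter ignores the port-2222 lines. fail2ban's sshd.conf sets `_daemon = sshd`, and that value is interpolated into the `__prefix_line` pattern that every failregex begins with, so a line whose syslog tag is `sshd-port2222` never gets as far as the `<HOST>` capture. The prefix and host regexes below are my own simplified approximations of fail2ban's (assumption: the real ones are more permissive), the three failregex bodies are trimmed versions of entries in the stock filter, and the sample log is constructed from the lines quoted above. The `maxretry` default of 5 is an assumed jail setting, not read from any config.

```python
import re

# Constructed sample: a handful of the /var/log/secure lines quoted in the post,
# two "sshd-port2222" attempts followed by one standard "sshd" attempt.
SAMPLE_LOG = """\
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: input_userauth_request: invalid user root
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: error: Could not get shadow information for NOUSER
Dec 20 10:50:30 h1943185 sshd-port2222[26049]: Failed password for invalid user root from 200.241.41.4 port 34404 ssh2
Dec 20 10:50:30 h1943185 sshd-port2222[26050]: Received disconnect from 200.241.41.4: 11: Bye Bye
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: User root from 200.241.41.4 not allowed because not listed in AllowUsers
Dec 20 10:54:16 h1943185 sshd-port2222[26090]: Failed password for invalid user root from 200.241.41.4 port 50307 ssh2
Dec 4 17:02:07 h1943185 sshd[27889]: Invalid user teamspeak from 85.214.93.54
Dec 4 17:02:07 h1943185 sshd[27890]: input_userauth_request: invalid user teamspeak
Dec 4 17:02:09 h1943185 sshd[27889]: Failed password for invalid user teamspeak from 85.214.93.54 port 55595 ssh2
Dec 4 17:02:09 h1943185 sshd[27890]: Received disconnect from 85.214.93.54: 11: Bye Bye
"""

# Simplified stand-in for fail2ban's <HOST> token (assumption: an optional
# IPv4-mapped "::ffff:" prefix, then an address or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"


def build_failregex(daemon):
    """Compile a trimmed version of the sshd filter's failregex list.

    `daemon` plays the role of fail2ban's `_daemon` variable: a regex fragment
    that must appear in the syslog prefix right before the optional [pid].
    The prefix pattern is a simplification of fail2ban's __prefix_line.
    """
    prefix = (r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "   # timestamp and hostname
              + daemon + r"(?:\[\d+\])?: ")               # daemon tag, optional [pid]
    bodies = [
        r"Failed (?:password|publickey) for .* from " + HOST + r"(?: port \d+)?(?: ssh\d*)?$",
        r"User .+ from " + HOST + r" not allowed because not listed in AllowUsers$",
        r"Invalid user .+ from " + HOST + r"$",
    ]
    return [re.compile(prefix + body) for body in bodies]


def count_failures(log_text, daemon):
    """Return {host: number of lines matching a failregex} for the given _daemon."""
    patterns = build_failregex(daemon)
    counts = {}
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.match(line)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break  # a line counts as one failure at most, as in fail2ban
    return counts


def hosts_to_ban(log_text, daemon, maxretry=5):
    """Hosts whose failure count reaches maxretry (5 is an assumed jail value)."""
    return sorted(h for h, n in count_failures(log_text, daemon).items() if n >= maxretry)


if __name__ == "__main__":
    # Stock filter value, the alternate daemon's tag, and a pattern covering both.
    for daemon in ("sshd", "sshd-port2222", r"sshd(?:-port\d+)?"):
        print(f"_daemon = {daemon!r:22} -> {count_failures(SAMPLE_LOG, daemon)}")
```

With `_daemon = sshd` the 200.241.41.4 lines score nothing, which is the silence Jay observed; with `sshd-port2222` they score four failures from seven lines. In fail2ban terms the equivalent is a copy of the sshd filter with `_daemon = sshd-port2222` (or a broadened value such as `sshd\S*`) and a jail that points at it; whichever way it is done, the jail's `port` setting has to include 2222 as well, otherwise the ban action only blocks port 22 and the alternate daemon stays reachable.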