My system is Debian(testing).
I have these in auth.log:
May 17 20:51:30 chankc sshd[32024]: User root from dsl-043.cascadeaccess.com not allowed because not listed in AllowUsers
May 17 20:51:30 chankc sshd[32024]: error: Could not get shadow information for NOUSER
May 17 20:51:30 chankc sshd[32024]: Failed password for invalid user root from 64.233.105.43 port 3494 ssh2
May 17 20:51:32 chankc sshd[32028]: User root from dsl-043.cascadeaccess.com not allowed because not listed in AllowUsers
May 17 20:51:32 chankc sshd[32028]: error: Could not get shadow information for NOUSER
May 17 20:51:32 chankc sshd[32028]: Failed password for invalid user root from 64.233.105.43 port 3519 ssh2
May 17 20:51:35 chankc sshd[32032]: User root from dsl-043.cascadeaccess.com not allowed because not listed in AllowUsers
May 17 20:51:35 chankc sshd[32032]: error: Could not get shadow information for NOUSER
May 17 20:51:35 chankc sshd[32032]: Failed password for invalid user root from 64.233.105.43 port 3550 ssh2
May 17 20:51:37 chankc sshd[32036]: User root from dsl-043.cascadeaccess.com not allowed because not listed in AllowUsers
May 17 20:51:37 chankc sshd[32036]: error: Could not get shadow information for NOUSER
May 17 20:51:37 chankc sshd[32036]: Failed password for invalid user root from 64.233.105.43 port 3581 ssh2
I want to use fail2ban to block them.
I installed fail2ban. At first, there were errors in fail2ban.log:
2006-05-18 09:26:11,234 ERROR: time data did not match format: data=May 16 09:51:11 fmt=%b %d %H:%M:%S
2006-05-18 09:26:11,234 ERROR: Please check the format and your locale settings.
2006-05-18 09:26:11,234 ERROR: time data did not match format: data=May 16 09:51:11 fmt=%b %d %H:%M:%S
2006-05-18 09:26:11,234 ERROR: Please check the format and your locale settings.
2006-05-18 09:26:11,235 ERROR: time data did not match format: data=May 16 09:51:16 fmt=%b %d %H:%M:%S
2006-05-18 09:26:11,235 ERROR: Please check the format and your locale settings
Then I modified the sshd part of fail2ban.conf to:
[SSH]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/auth.log
#
logfile = /var/log/auth.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = 22
# Option: timeregex
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2} \d{1,2}\s{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
#
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
Then fail2ban.log has no more errors and shows this:
2006-05-16 11:28:30,036 DEBUG: Setting file position to 131487L for /var/log/auth.log
2006-05-16 11:29:17,529 DEBUG: /var/log/auth.log has been modified
2006-05-16 11:29:17,529 DEBUG: /var/log/auth.log
2006-05-16 11:29:17,530 DEBUG: Setting file position to 131578L for /var/log/auth.log
2006-05-16 11:29:28,529 DEBUG: /var/log/auth.log has been modified
2006-05-16 11:29:28,530 DEBUG: /var/log/auth.log
2006-05-16 11:29:28,530 DEBUG: Setting file position to 131848L for /var/log/auth.log
However, even though I find many "Failed password" records in auth.log, fail2ban never bans any IP.
How can I make fail2ban do the job?
Please help me! Thanks!
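A quick way to see whether a fail2ban section can ever ban anything is to dry-run its timeregex, timepattern and failregex against the log lines it is supposed to catch. The script below is an added example, not fail2ban's own code: it takes the regexes from the post (the posted timeregex with the whitespace exactly as shown above, and the default from the config comment), runs them over lines copied from the auth.log excerpt, and counts failures per host the way a simplified fail2ban would, with the assumption that a failregex hit is only counted when its timestamp can also be extracted and parsed (the dependency the earlier ERROR lines point at); the findtime window is left out and the maxretry value is a parameter.

```python
import re
import time
from collections import Counter

# Lines copied from the auth.log excerpt in the post (noise lines included).
AUTH_LOG = """\
May 17 20:51:30 chankc sshd[32024]: User root from dsl-043.cascadeaccess.com not allowed because not listed in AllowUsers
May 17 20:51:30 chankc sshd[32024]: error: Could not get shadow information for NOUSER
May 17 20:51:30 chankc sshd[32024]: Failed password for invalid user root from 64.233.105.43 port 3494 ssh2
May 17 20:51:32 chankc sshd[32028]: Failed password for invalid user root from 64.233.105.43 port 3519 ssh2
May 17 20:51:35 chankc sshd[32032]: Failed password for invalid user root from 64.233.105.43 port 3550 ssh2
May 17 20:51:37 chankc sshd[32036]: Failed password for invalid user root from 64.233.105.43 port 3581 ssh2
"""

DEFAULT_TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"            # from the config comment
POSTED_TIMEREGEX = r"\S{3}\s{1,2} \d{1,2}\s{1,2} \d{2}:\d{2}:\d{2}"     # as it appears in the post
TIMEPATTERN = "%%b %%d %%H:%%M:%%S".replace("%%", "%")  # fail2ban.conf escapes '%' as '%%'
FAILREGEX = (r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
             r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)")


def scan(lines, timeregex, timepattern=TIMEPATTERN, failregex=FAILREGEX):
    """Return (time_misses, {host: failures}).

    time_misses counts lines that matched failregex but whose timestamp could not
    be extracted with timeregex or parsed with timepattern (strptime, which is
    locale dependent, just like the 'time data did not match format' errors)."""
    time_re, fail_re = re.compile(timeregex), re.compile(failregex)
    misses, hits = 0, Counter()
    for line in lines:
        fail = fail_re.search(line)
        if not fail:
            continue                       # not an authentication failure line
        stamp = time_re.search(line)
        if not stamp:
            misses += 1                    # failregex hit, but no timestamp: never counted
            continue
        try:
            time.strptime(stamp.group(0), timepattern)
        except ValueError:
            misses += 1                    # timestamp found but format/locale mismatch
            continue
        hits[fail.group("host")] += 1
    return misses, dict(hits)


def to_ban(hits, maxretry):
    """Hosts that reached maxretry failures (assumed threshold; no findtime window)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)
```

Running both timeregexes side by side shows immediately whether the failure lines are reaching the counting stage at all, which is the first thing to check when fail2ban stays silent on a log full of "Failed password" records.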