[ILUG] Fedora8 fail2ban regex? Need help
Frank Murphy
frankly3d at gmail.com
Tue Oct 28 08:31:04 GMT 2008
How do I create a regex for fail2ban?
Nothing goes to jail.
Had a google and a look at:
http://linux.die.net/man/1/fail2ban-regex
http://www.fail2ban.org/wiki/index.php/Talk:MANUAL_0_8
but can't figure it out.
Here's what I have in jail.conf
[ssh-iptables]
<snip>
timeregex = S{3}s{1,2}d{1,2} d{2}:d{2}:d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = pam_unix(sshd:auth): authentication failure
</snip>
A paste of some login attempts:
http://fpaste.org/paste/8177
The only other jail enabled is ssh-tcpwrappers.
A factor could be down to the various *logs being out of sync,
"So, check that all your logs are synchronized"
http://www.fail2ban.org/wiki/index.php/FAQ_english#Fail2ban_is_running_but_not_banning_SSH_bruteforce
But have no idea how to check log timestamps with logger.
http://unixhelp.ed.ac.uk/CGI/man-cgi?logger+1
Frank
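
An added example, not part of the original message: fail2ban is written in Python and its patterns are Python regular expressions, so the two patterns as they appear in the post can be tried against a log line with the `re` module. The sample line is constructed in the usual sshd/pam_unix syslog layout (it is not taken from the paste), and the "fixed" patterns and the `host` group name are assumptions for illustration.

```python
import re

# Constructed sample line (documentation IP range), not taken from the paste.
SAMPLE = ("Oct 28 08:12:01 myhost sshd[4242]: pam_unix(sshd:auth): "
          "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
          "rhost=203.0.113.5  user=root")

# Patterns exactly as they appear in the post.
POSTED_FAILREGEX = r"pam_unix(sshd:auth): authentication failure"
POSTED_TIMEREGEX = r"S{3}s{1,2}d{1,2} d{2}:d{2}:d{2}"

# Candidate patterns (assumptions): literal parentheses escaped, character
# class shorthands written with backslashes, named group for the remote host.
FIXED_FAILREGEX = (r"pam_unix\(sshd:auth\): authentication failure;"
                   r".*\brhost=(?P<host>\S+)")
FIXED_TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"


def check(pattern, line):
    """Return the named groups of the first match, or None if nothing matches."""
    m = re.search(pattern, line)
    return None if m is None else m.groupdict()


def report(line=SAMPLE):
    """Run all four patterns against one log line and collect the results."""
    patterns = {
        "posted failregex": POSTED_FAILREGEX,
        "posted timeregex": POSTED_TIMEREGEX,
        "fixed failregex": FIXED_FAILREGEX,
        "fixed timeregex": FIXED_TIMEREGEX,
    }
    return {name: check(pat, line) for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, result in report().items():
        status = "no match" if result is None else "match %r" % (result,)
        print("%-18s %s" % (name, status))
    # Unescaped "(...)" is a group, so the posted failregex only matches
    # text that has no literal parentheses at all:
    print(check(POSTED_FAILREGEX, "pam_unixsshd:auth: authentication failure"))
```

The same comparison can be run against real lines from the log file with the fail2ban-regex tool linked in the message.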