David Jones

Asked: 2015-09-29 12:33:57 +0800 CST2015-09-29 12:33:57 +0800 CST 2015-09-29 12:33:57 +0800 CST

Fail2Ban regex in sshd.conf not catching failed root logins in /var/log/auth.log

I used Fail2Ban on my Ubuntu server (14.04 LTS), and it mostly works well.

I recently noticed the default regex in /etc/fail2ban/filter.d/sshd.conf does not match some failed sshd login attempts.

Here is a typical line from /var/log/auth.log

Sep 28 12:03:01 dv1 sshd[30636]: Failed password for root from 14.160.56.206 port 51248 ssh2

When I try fail2ban-regex, to confirms this line is not matched:

fail2ban-regex \
'Sep 28 12:03:01 dv1 sshd[30636]: Failed password for root from 14.160.56.206 port 51248 ssh2' \
'^%(__prefix_line)sFailed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$'

Can anyone help diagnose why this regex is failing to match? What would be a good fix?

Since this is hasn't been changes following "apt-get install fail2ban", I wonder if this regex has a bug.

Any help appreciated.

Fail2Ban regex in sshd.conf not catching failed root logins in /var/log/auth.log

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Fail2Ban regex in sshd.conf not catching failed root logins in /var/log/auth.log

0 Answers