fail2ban does not work with Traefik 2.0 logs #2558

Closed
3 tasks done
DeKubus opened this issue Oct 27, 2019 · 2 comments
DeKubus commented Oct 27, 2019

  • Fail2Ban version (including any possible distribution suffixes): v0.10.2
  • OS, including release name/version: Ubuntu 19.10
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

fail2ban does not act on new entries in the log file. I do not even get log info which might lead me in the right direction.

Steps to reproduce

Create fail2ban config for Traefik:
jail

[traefik_404]
enabled = true
port = http,https
filter = traefik_404
logpath = /home/USER/.app_configurations/traefik/logs/access.log
maxretry = 10
findtime = 300

filter

[Definition]
failregex = ^(.*)("ClientHost":"<HOST>")(.*)("DownstreamStatus":404,)(.*)(GET|POST|HEAD)
ignoreregex = 

See below for a sample entry in the log file. fail2ban-regex actually matches the failregex correctly.

Expected behavior

fail2ban creates rules or at least writes something to the log file.

Observed behavior

Nothing happens.

Any additional information

What I tried:

  • Using the polling backend
  • Enabling HEAVYDEBUG

Configuration, dump and another helpful excerpts

fail2ban-regex output (shortened):

fail2ban-regex .app_configurations/traefik/logs/access.log /etc/fail2ban/filter.d/traefik_404.conf -v

Running tests
=============

Use   failregex filter file : traefik_404, basedir: /etc/fail2ban
Use         log file : .app_configurations/traefik/logs/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 293 total
|-  #) [# of hits] regular expression
|   1) [293] ^(.*)("ClientHost":"<HOST>")(.*)("DownstreamStatus":404,)(.*)(GET|POST|HEAD)
|      159.203.201.224  Sun Oct 27 00:37:04 2019

fail2ban-client -d | grep traefik_404
['add', 'traefik_404', 'auto']
['set', 'traefik_404', 'addfailregex', '^(.*)("ClientHost":"<HOST>")(.*)("DownstreamStatus":404,)(.*)(GET|POST|HEAD)']
['set', 'traefik_404', 'addlogpath', '/home/USER/.app_configurations/traefik/logs/access.log', 'head']
['set', 'traefik_404', 'logencoding', 'auto']
['set', 'traefik_404', 'maxretry', 10]
['set', 'traefik_404', 'findtime', '300']
['set', 'traefik_404', 'bantime', '10m']
['set', 'traefik_404', 'usedns', 'warn']
['set', 'traefik_404', 'ignorecommand', '']
['set', 'traefik_404', 'addaction', 'iptables-multiport']
['multi-set', 'traefik_404', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-traefik_404\n<iptables> -A f2b-traefik_404 -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports http,https -j f2b-traefik_404'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports http,https -j f2b-traefik_404\n<iptables> -F f2b-traefik_404\n<iptables> -X f2b-traefik_404'], ['actionflush', '<iptables> -F f2b-traefik_404'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-traefik_404[ \\t]'"], ['actionban', '<iptables> -I f2b-traefik_404 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-traefik_404 -s <ip> -j <blocktype>'], ['name', 'traefik_404'], ['bantime', '10m'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'traefik_404']

Any customizations done to /etc/fail2ban/ configuration

Custom filter / jail.

Relevant parts of /var/log/fail2ban.log file:

2019-10-27 21:08:12,751 fail2ban.filterpyinotify[29989]: DEBUG   Event queue size: 16
2019-10-27 21:08:12,752 fail2ban.filterpyinotify[29989]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:12,752 fail2ban.filterpyinotify[29989]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:12,753 fail2ban.filter         [29989]: TRACE   Working on line 'Oct 27 21:08:12 skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG\n'
2019-10-27 21:08:12,753 fail2ban.datedetector   [29989]: HEAVY   try to match time for line: Oct 27 21:08:12 skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set l
2019-10-27 21:08:12,753 fail2ban.datedetector   [29989]: HEAVY     try to match last anchored template #00 ...
2019-10-27 21:08:12,753 fail2ban.datedetector   [29989]: Level 6   matched last time template #00
2019-10-27 21:08:12,753 fail2ban.datedetector   [29989]: Level 6   got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,754 fail2ban.filter         [29989]: HEAVY   Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG')]
2019-10-27 21:08:12,754 fail2ban.filter         [29989]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,754 fail2ban.filter         [29989]: TRACE     Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG'}
2019-10-27 21:08:12,754 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:12,757 fail2ban.filter         [29989]: TRACE   Working on line 'Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)\n'
2019-10-27 21:08:12,757 fail2ban.datedetector   [29989]: HEAVY   try to match time for line: Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)
2019-10-27 21:08:12,758 fail2ban.datedetector   [29989]: HEAVY     try to match last anchored template #00 ...
2019-10-27 21:08:12,758 fail2ban.datedetector   [29989]: Level 6   matched last time template #00
2019-10-27 21:08:12,758 fail2ban.datedetector   [29989]: Level 6   got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,758 fail2ban.filter         [29989]: HEAVY   Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)')]
2019-10-27 21:08:12,758 fail2ban.filter         [29989]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,758 fail2ban.filter         [29989]: TRACE     Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)'}
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:12,761 fail2ban.filter         [29989]: TRACE   Working on line 'Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session closed for user root\n'
2019-10-27 21:08:12,762 fail2ban.datedetector   [29989]: HEAVY   try to match time for line: Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session closed for user root
2019-10-27 21:08:12,762 fail2ban.datedetector   [29989]: HEAVY     try to match last anchored template #00 ...
2019-10-27 21:08:12,762 fail2ban.datedetector   [29989]: Level 6   matched last time template #00
2019-10-27 21:08:12,762 fail2ban.datedetector   [29989]: Level 6   got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,762 fail2ban.filter         [29989]: HEAVY   Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo: pam_unix(sudo:session): session closed for user root')]
2019-10-27 21:08:12,762 fail2ban.filter         [29989]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: TRACE     Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session closed for user root'}
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,764 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,765 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: DEBUG   Event queue size: 16
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: TRACE   Working on line 'Oct 27 21:08:16 skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart\n'
2019-10-27 21:08:16,145 fail2ban.datedetector   [29989]: HEAVY   try to match time for line: Oct 27 21:08:16 skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban res
2019-10-27 21:08:16,145 fail2ban.datedetector   [29989]: HEAVY     try to match last anchored template #00 ...
2019-10-27 21:08:16,145 fail2ban.datedetector   [29989]: Level 6   matched last time template #00
2019-10-27 21:08:16,145 fail2ban.datedetector   [29989]: Level 6   got time 1572206896.000000 for 'Oct 27 21:08:16' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY   Looking for match of [('', 'Oct 27 21:08:16', ' skynet sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart')]
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: TRACE     Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo:    USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart'}
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: TRACE   Working on line 'Oct 27 21:08:16 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)\n'
2019-10-27 21:08:16,146 fail2ban.datedetector   [29989]: HEAVY   try to match time for line: Oct 27 21:08:16 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)
2019-10-27 21:08:16,146 fail2ban.datedetector   [29989]: HEAVY     try to match last anchored template #00 ...
2019-10-27 21:08:16,146 fail2ban.datedetector   [29989]: Level 6   matched last time template #00
2019-10-27 21:08:16,146 fail2ban.datedetector   [29989]: Level 6   got time 1572206896.000000 for 'Oct 27 21:08:16' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY   Looking for match of [('', 'Oct 27 21:08:16', ' skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)')]
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: TRACE     Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)'}
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:16,147 fail2ban.filter         [29989]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: DEBUG   Event queue size: 16
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:16,189 fail2ban.transmitter    [29989]: HEAVY   Command: ['stop']
2019-10-27 21:08:16,189 fail2ban.server         [29989]: INFO    Shutdown in progress...
2019-10-27 21:08:16,189 fail2ban.asyncserver    [29989]: DEBUG   Stop communication
2019-10-27 21:08:16,189 fail2ban.server         [29989]: INFO    Stopping all jails
2019-10-27 21:08:16,189 fail2ban.jail           [29989]: DEBUG   Stopping jail 'sshd'
2019-10-27 21:08:16,189 fail2ban.filter         [29989]: INFO    Removed logfile: '/var/log/auth.log'
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG   Watch WD=2 (None) removed
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG   Removed file watcher for /var/log/auth.log
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG   Event queue size: 32
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   <_RawEvent cookie=0 mask=0x8000 name='' wd=2 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   <_RawEvent cookie=0 mask=0x8000 name='' wd=1 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x8000 maskname=IN_IGNORED name='' path=/var/log pathname=/var/log wd=1 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Ignoring event (IN_IGNORED) of /var/log we do not monitor
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Watch WD=1 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Removed monitor for the parent directory /var/log
2019-10-27 21:08:16,190 fail2ban.jail           [29989]: DEBUG   Stopping jail 'traefik_404'
2019-10-27 21:08:16,190 fail2ban.filter         [29989]: INFO    Removed logfile: '/home/USER/.app_configurations/traefik/logs/access.log'
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Watch WD=2 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Removed file watcher for /home/USER/.app_configurations/traefik/logs/access.log
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Watch WD=1 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG   Removed monitor for the parent directory /home/USER/.app_configurations/traefik/logs
2019-10-27 21:08:16,371 fail2ban.filterpyinotify[29989]: DEBUG   [traefik_404] filter exited (pyinotifier)
2019-10-27 21:08:16,456 fail2ban.actions        [29989]: DEBUG     Flush ban list
2019-10-27 21:08:16,456 fail2ban.actions        [29989]: NOTICE  [traefik_404] Flush ticket(s) with iptables-multiport
2019-10-27 21:08:16,456 fail2ban.actions        [29989]: DEBUG     Unbanned 0, 0 ticket(s) in 'traefik_404'
2019-10-27 21:08:16,457 fail2ban.actions        [29989]: DEBUG   traefik_404: action iptables-multiport terminated
2019-10-27 21:08:16,457 fail2ban.actions        [29989]: DEBUG     Flush ban list
2019-10-27 21:08:16,457 fail2ban.actions        [29989]: NOTICE  [sshd] Flush ticket(s) with iptables-multiport
2019-10-27 21:08:16,457 fail2ban.actions        [29989]: DEBUG     Unbanned 0, 0 ticket(s) in 'sshd'
2019-10-27 21:08:16,457 fail2ban.actions        [29989]: DEBUG   sshd: action iptables-multiport terminated
2019-10-27 21:08:16,891 fail2ban.filterpyinotify[29989]: DEBUG   [sshd] filter exited (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.filterpyinotify[29989]: DEBUG   [sshd] filter terminated (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.jail           [29989]: INFO    Jail 'sshd' stopped
2019-10-27 21:08:17,392 fail2ban.filterpyinotify[29989]: DEBUG   [traefik_404] filter terminated (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.jail           [29989]: INFO    Jail 'traefik_404' stopped
2019-10-27 21:08:17,392 fail2ban.database       [29989]: DEBUG   Close connection to database ...
2019-10-27 21:08:17,392 fail2ban.database       [29989]: INFO    Connection to database closed.
2019-10-27 21:08:17,392 fail2ban.asyncserver    [29989]: DEBUG   Removed socket file /var/run/fail2ban/fail2ban.sock
2019-10-27 21:08:17,392 fail2ban.asyncserver    [29989]: DEBUG   Socket shutdown
2019-10-27 21:08:17,392 fail2ban.server         [29989]: INFO    Exiting Fail2ban
2019-10-27 21:08:17,392 fail2ban.server         [29989]: DEBUG   Remove PID file /var/run/fail2ban/fail2ban.pid
2019-10-27 21:08:17,392 fail2ban                [29989]: HEAVY     server phase {'start': True, 'ready': True, 'start-ready': True, 'configure': True, 'done': True}
2019-10-27 21:08:17,392 fail2ban                [29989]: DEBUG   Exit with code 0
2019-10-27 21:08:17,457 fail2ban.server         [30939]: INFO    --------------------------------------------------
2019-10-27 21:08:17,457 fail2ban.server         [30939]: INFO    Starting Fail2ban v0.10.2
2019-10-27 21:08:17,460 fail2ban.database       [30939]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-10-27 21:08:17,461 fail2ban.jail           [30939]: INFO    Creating new jail 'sshd'
2019-10-27 21:08:17,467 fail2ban.jail           [30939]: INFO    Jail 'sshd' uses pyinotify {}
2019-10-27 21:08:17,469 fail2ban.jail           [30939]: INFO    Initiated 'pyinotify' backend
2019-10-27 21:08:17,470 fail2ban.filter         [30939]: INFO      maxLines: 1
2019-10-27 21:08:17,482 fail2ban.server         [30939]: INFO    Jail sshd is not a JournalFilter instance
2019-10-27 21:08:17,482 fail2ban.filter         [30939]: INFO    Added logfile: '/var/log/auth.log' (pos = 75405, hash = c4fdfe245ac9d4f58509b3e536ab3e7282032b1e)
2019-10-27 21:08:17,484 fail2ban.filter         [30939]: INFO      encoding: UTF-8
2019-10-27 21:08:17,484 fail2ban.filter         [30939]: INFO      maxRetry: 5
2019-10-27 21:08:17,484 fail2ban.filter         [30939]: INFO      findtime: 600
2019-10-27 21:08:17,484 fail2ban.actions        [30939]: INFO      banTime: 600
2019-10-27 21:08:17,485 fail2ban.jail           [30939]: INFO    Creating new jail 'traefik_404'
2019-10-27 21:08:17,485 fail2ban.jail           [30939]: INFO    Jail 'traefik_404' uses pyinotify {}
2019-10-27 21:08:17,487 fail2ban.jail           [30939]: INFO    Initiated 'pyinotify' backend
2019-10-27 21:08:17,488 fail2ban.filter         [30939]: INFO    Added logfile: '/home/USER/.app_configurations/traefik/logs/access.log' (pos = 249850, hash = e2f58cb5205fecbf34f94bfb6705287ce410f935)
2019-10-27 21:08:17,488 fail2ban.filter         [30939]: INFO      encoding: UTF-8
2019-10-27 21:08:17,489 fail2ban.filter         [30939]: INFO      maxRetry: 10
2019-10-27 21:08:17,489 fail2ban.filter         [30939]: INFO      findtime: 300
2019-10-27 21:08:17,489 fail2ban.actions        [30939]: INFO      banTime: 600
2019-10-27 21:08:17,490 fail2ban.jail           [30939]: INFO    Jail 'sshd' started
2019-10-27 21:08:17,490 fail2ban.jail           [30939]: INFO    Jail 'traefik_404' started

Relevant lines from monitored log files in question:

{"ClientAddr":"159.203.201.224:44370","ClientHost":"159.203.201.224","ClientPort":"44370","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":97468,"Overhead":97468,"RequestAddr":"XXX.XXX.XXX.XXX","RequestContentSize":0,"RequestCount":73,"RequestHost":"XXX.XXX.XXX.XXX","RequestMethod":"GET","RequestPath":"/manager/text/list","RequestPort":"-","RequestProtocol":"HTTP/1.1","RetryAttempts":0,"StartLocal":"2019-10-27T00:37:04.166342278Z","StartUTC":"2019-10-27T00:37:04.166342278Z","level":"info","msg":"","time":"2019-10-27T00:37:04Z"}
@sebres (Contributor)

sebres commented Oct 27, 2019

This could be a timezone issue: fail2ban will not recognize a datepattern with UTC timezone (Z after nanoseconds), because it knows only patterns with milli- and microseconds by default.
You have to specify your own datepattern, for example %Y-%m-%d[T ]%H:%M:%S.%f\d*(%z)?; the \d* between %f and %z solves the issue and the TZ will be captured successfully.

See the (2-hour) difference when calling it verbose with and without datepattern:

- fail2ban-regex -vv "$msg" "$re"
+ fail2ban-regex -vv -d '"StartLocal"\s*:\s*"%Y-%m-%d[T ]%H:%M:%S\.%f\d*(%z)?",' "$msg" "$re"
...
-      159.203.201.224  Sun Oct 27 00:37:04 2019
+      159.203.201.224  Sun Oct 27 02:37:04 2019

Fail2ban will ignore these messages as too old (older than findtime and/or bantime).

BTW, your regex is pretty vulnerable (^.* is not an anchor at all, too many catch-alls, etc.); better use something like this:

[Definition]

_groupsre = (?:(?:\s*"\w+":(?:"[^"]+"|\w+),)*)\s*
failregex = ^\{%(_groupsre)s"ClientHost":"<HOST>",%(_groupsre)s"DownstreamStatus":404\b

datepattern = "StartLocal"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S\.%%f\d*(%%z)?",
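A Python walk-through of the diagnosis in the comment above, added here as an example and not code from the issue, from its participants, or from fail2ban itself. It ports the tightened failregex to a plain Python regex (fail2ban's <HOST> token replaced by a named group), parses Traefik's nanosecond "Z" timestamps the way the \d* in the suggested datepattern allows, and replays fail2ban's findtime/maxretry bookkeeping over constructed Traefik 2.0 log lines. The IP addresses, request paths, the 2-hour CEST offset and the simplified find_offenders() accounting are assumptions for illustration, not fail2ban internals.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Python port of the tightened filter suggested in the comment above. <HOST> is
# replaced by a plain named group; "StartLocal" is picked out by a separate
# regex, which is what the suggested datepattern does inside fail2ban.
GROUPS_RE = r'(?:(?:\s*"\w+":(?:"[^"]+"|\w+),)*)\s*'
FAILREGEX = re.compile(
    r'^\{' + GROUPS_RE + r'"ClientHost":"(?P<host>[^"]+)",'
    + GROUPS_RE + r'"DownstreamStatus":404\b')
DATE_RE = re.compile(r'"StartLocal"\s*:\s*"([^"]+)"')

# RFC 3339 as Traefik writes it: a fraction of any length (nanoseconds here)
# and an optional "Z" or +hh:mm designator.
TS_RE = re.compile(
    r'^(\d{4})-(\d{2})-(\d{2})[T ](\d{2}):(\d{2}):(\d{2})'
    r'(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})?$')

# Assumed local zone of the reporter's box (the "2 hours" from the comment).
CEST = timezone(timedelta(hours=2))


def parse_traefik_time(stamp, ignore_tz=False, local_tz=timezone.utc):
    """Return an aware datetime for a Traefik timestamp.

    Nanoseconds are truncated to microseconds (the job of the \\d* placed
    after %f in the suggested datepattern).  ignore_tz=True drops the
    designator and reads the stamp in local_tz, reproducing the mis-parse
    from the issue: a pattern that never reaches the "Z" takes the time as
    local time.
    """
    m = TS_RE.match(stamp)
    if not m:
        raise ValueError("not an RFC 3339 timestamp: %r" % stamp)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    if tz is None or ignore_tz:
        tzinfo = local_tz
    elif tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=tzinfo)


def find_offenders(lines, maxretry, findtime, now, ignore_tz=False, local_tz=timezone.utc):
    """Apply findtime/maxretry accounting (simplified, not fail2ban's code).

    'now' may be a datetime or an RFC 3339 string.  Lines older than findtime
    at 'now' are skipped silently, which is why a mis-parsed timestamp looks
    like "nothing happens".  Returns hosts that reached maxretry matches
    within findtime seconds of each other.
    """
    if isinstance(now, str):
        now = parse_traefik_time(now)
    window = timedelta(seconds=findtime)
    hits, banned = {}, []
    for line in lines:
        m = FAILREGEX.match(line)
        dm = DATE_RE.search(line)
        if not m or not dm:
            continue
        ts = parse_traefik_time(dm.group(1), ignore_tz, local_tz)
        if now - ts > window:
            continue  # too old: dropped, exactly like fail2ban does
        host = m.group("host")
        recent = [t for t in hits.get(host, []) if ts - t <= window] + [ts]
        hits[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def traefik_line(host, status, stamp, path="/manager/text/list"):
    """Constructed Traefik 2.0 access-log line (subset of fields, same order)."""
    rec = {"ClientAddr": host + ":44370", "ClientHost": host, "ClientPort": "44370",
           "ClientUsername": "-", "DownstreamContentSize": 19, "DownstreamStatus": status,
           "Duration": 97468, "RequestAddr": "192.0.2.1", "RequestMethod": "GET",
           "RequestPath": path, "RequestProtocol": "HTTP/1.1", "StartLocal": stamp,
           "StartUTC": stamp, "level": "info", "msg": "", "time": stamp[:19] + "Z"}
    return json.dumps(rec, separators=(",", ":"))


# Constructed sample: 203.0.113.10 probes four missing paths, 198.51.100.7 one.
SAMPLE_LOG = [
    traefik_line("203.0.113.10", 404, "2019-10-27T00:37:04.166342278Z"),
    traefik_line("203.0.113.10", 404, "2019-10-27T00:37:05.010000000Z", "/.env"),
    traefik_line("203.0.113.10", 200, "2019-10-27T00:37:05.500000000Z", "/"),
    traefik_line("203.0.113.10", 404, "2019-10-27T00:37:06.000000000Z", "/wp-login.php"),
    traefik_line("203.0.113.10", 404, "2019-10-27T00:37:07.000000000Z", "/.git/config"),
    traefik_line("198.51.100.7", 404, "2019-10-27T00:37:08.000000000Z"),
]

if __name__ == "__main__":
    now = "2019-10-27T00:40:00Z"
    print("tz honoured :", find_offenders(SAMPLE_LOG, 3, 300, now))
    print("tz dropped  :", find_offenders(SAMPLE_LOG, 3, 300, now, ignore_tz=True, local_tz=CEST))
```

The second run reproduces the symptom from the issue: every 404 line still matches the failregex, yet no host reaches maxretry, because each entry is shifted two hours into the past and judged older than findtime before it is ever counted. The same silence results from a correct parse if the log is simply older than findtime, which is why fail2ban-regex matching does not by itself prove the jail will act.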

@DeKubus (Author)

DeKubus commented Oct 28, 2019

That was the problem, thank you!
