Any customizations done to /etc/fail2ban/ configuration
Custom filter / jail.
Relevant parts of /var/log/fail2ban.log file:
2019-10-27 21:08:12,751 fail2ban.filterpyinotify[29989]: DEBUG Event queue size: 16
2019-10-27 21:08:12,752 fail2ban.filterpyinotify[29989]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:12,752 fail2ban.filterpyinotify[29989]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:12,753 fail2ban.filter [29989]: TRACE Working on line 'Oct 27 21:08:12 skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG\n'
2019-10-27 21:08:12,753 fail2ban.datedetector [29989]: HEAVY try to match time for line: Oct 27 21:08:12 skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set l
2019-10-27 21:08:12,753 fail2ban.datedetector [29989]: HEAVY try to match last anchored template #00 ...
2019-10-27 21:08:12,753 fail2ban.datedetector [29989]: Level 6 matched last time template #00
2019-10-27 21:08:12,753 fail2ban.datedetector [29989]: Level 6 got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,754 fail2ban.filter [29989]: HEAVY Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG')]
2019-10-27 21:08:12,754 fail2ban.filter [29989]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,754 fail2ban.filter [29989]: TRACE Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/fail2ban-client set loglevel HEAVYDEBUG'}
2019-10-27 21:08:12,754 fail2ban.filter [29989]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,755 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,756 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:12,757 fail2ban.filter [29989]: TRACE Working on line 'Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)\n'
2019-10-27 21:08:12,757 fail2ban.datedetector [29989]: HEAVY try to match time for line: Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)
2019-10-27 21:08:12,758 fail2ban.datedetector [29989]: HEAVY try to match last anchored template #00 ...
2019-10-27 21:08:12,758 fail2ban.datedetector [29989]: Level 6 matched last time template #00
2019-10-27 21:08:12,758 fail2ban.datedetector [29989]: Level 6 got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,758 fail2ban.filter [29989]: HEAVY Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)')]
2019-10-27 21:08:12,758 fail2ban.filter [29989]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,758 fail2ban.filter [29989]: TRACE Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)'}
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,759 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,760 fail2ban.filter [29989]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:12,761 fail2ban.filter [29989]: TRACE Working on line 'Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session closed for user root\n'
2019-10-27 21:08:12,762 fail2ban.datedetector [29989]: HEAVY try to match time for line: Oct 27 21:08:12 skynet sudo: pam_unix(sudo:session): session closed for user root
2019-10-27 21:08:12,762 fail2ban.datedetector [29989]: HEAVY try to match last anchored template #00 ...
2019-10-27 21:08:12,762 fail2ban.datedetector [29989]: Level 6 matched last time template #00
2019-10-27 21:08:12,762 fail2ban.datedetector [29989]: Level 6 got time 1572206892.000000 for 'Oct 27 21:08:12' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:12,762 fail2ban.filter [29989]: HEAVY Looking for match of [('', 'Oct 27 21:08:12', ' skynet sudo: pam_unix(sudo:session): session closed for user root')]
2019-10-27 21:08:12,762 fail2ban.filter [29989]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: TRACE Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session closed for user root'}
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:12,763 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:12,764 fail2ban.filter [29989]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:12,765 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: DEBUG Event queue size: 16
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:16,145 fail2ban.filterpyinotify[29989]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:16,145 fail2ban.filter [29989]: TRACE Working on line 'Oct 27 21:08:16 skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart\n'
2019-10-27 21:08:16,145 fail2ban.datedetector [29989]: HEAVY try to match time for line: Oct 27 21:08:16 skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban res
2019-10-27 21:08:16,145 fail2ban.datedetector [29989]: HEAVY try to match last anchored template #00 ...
2019-10-27 21:08:16,145 fail2ban.datedetector [29989]: Level 6 matched last time template #00
2019-10-27 21:08:16,145 fail2ban.datedetector [29989]: Level 6 got time 1572206896.000000 for 'Oct 27 21:08:16' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for match of [('', 'Oct 27 21:08:16', ' skynet sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart')]
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: TRACE Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: USER : TTY=pts/0 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart'}
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,145 fail2ban.filter [29989]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: TRACE Working on line 'Oct 27 21:08:16 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)\n'
2019-10-27 21:08:16,146 fail2ban.datedetector [29989]: HEAVY try to match time for line: Oct 27 21:08:16 skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)
2019-10-27 21:08:16,146 fail2ban.datedetector [29989]: HEAVY try to match last anchored template #00 ...
2019-10-27 21:08:16,146 fail2ban.datedetector [29989]: Level 6 matched last time template #00
2019-10-27 21:08:16,146 fail2ban.datedetector [29989]: Level 6 got time 1572206896.000000 for 'Oct 27 21:08:16' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for match of [('', 'Oct 27 21:08:16', ' skynet sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)')]
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: TRACE Pre-filter matched {'mlfid': ' skynet ', 'content': 'sudo: pam_unix(sudo:session): session opened for user root by USER(uid=0)'}
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,146 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2019-10-27 21:08:16,147 fail2ban.filter [29989]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: DEBUG Event queue size: 16
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2019-10-27 21:08:16,147 fail2ban.filterpyinotify[29989]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2019-10-27 21:08:16,189 fail2ban.transmitter [29989]: HEAVY Command: ['stop']
2019-10-27 21:08:16,189 fail2ban.server [29989]: INFO Shutdown in progress...
2019-10-27 21:08:16,189 fail2ban.asyncserver [29989]: DEBUG Stop communication
2019-10-27 21:08:16,189 fail2ban.server [29989]: INFO Stopping all jails
2019-10-27 21:08:16,189 fail2ban.jail [29989]: DEBUG Stopping jail 'sshd'
2019-10-27 21:08:16,189 fail2ban.filter [29989]: INFO Removed logfile: '/var/log/auth.log'
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG Watch WD=2 (None) removed
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG Removed file watcher for /var/log/auth.log
2019-10-27 21:08:16,189 fail2ban.filterpyinotify[29989]: DEBUG Event queue size: 32
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG <_RawEvent cookie=0 mask=0x8000 name='' wd=2 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG <_RawEvent cookie=0 mask=0x8000 name='' wd=1 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x8000 maskname=IN_IGNORED name='' path=/var/log pathname=/var/log wd=1 >
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Ignoring event (IN_IGNORED) of /var/log we do not monitor
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Watch WD=1 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Removed monitor for the parent directory /var/log
2019-10-27 21:08:16,190 fail2ban.jail [29989]: DEBUG Stopping jail 'traefik_404'
2019-10-27 21:08:16,190 fail2ban.filter [29989]: INFO Removed logfile: '/home/USER/.app_configurations/traefik/logs/access.log'
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Watch WD=2 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Removed file watcher for /home/USER/.app_configurations/traefik/logs/access.log
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Watch WD=1 (None) removed
2019-10-27 21:08:16,190 fail2ban.filterpyinotify[29989]: DEBUG Removed monitor for the parent directory /home/USER/.app_configurations/traefik/logs
2019-10-27 21:08:16,371 fail2ban.filterpyinotify[29989]: DEBUG [traefik_404] filter exited (pyinotifier)
2019-10-27 21:08:16,456 fail2ban.actions [29989]: DEBUG Flush ban list
2019-10-27 21:08:16,456 fail2ban.actions [29989]: NOTICE [traefik_404] Flush ticket(s) with iptables-multiport
2019-10-27 21:08:16,456 fail2ban.actions [29989]: DEBUG Unbanned 0, 0 ticket(s) in 'traefik_404'
2019-10-27 21:08:16,457 fail2ban.actions [29989]: DEBUG traefik_404: action iptables-multiport terminated
2019-10-27 21:08:16,457 fail2ban.actions [29989]: DEBUG Flush ban list
2019-10-27 21:08:16,457 fail2ban.actions [29989]: NOTICE [sshd] Flush ticket(s) with iptables-multiport
2019-10-27 21:08:16,457 fail2ban.actions [29989]: DEBUG Unbanned 0, 0 ticket(s) in 'sshd'
2019-10-27 21:08:16,457 fail2ban.actions [29989]: DEBUG sshd: action iptables-multiport terminated
2019-10-27 21:08:16,891 fail2ban.filterpyinotify[29989]: DEBUG [sshd] filter exited (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.filterpyinotify[29989]: DEBUG [sshd] filter terminated (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.jail [29989]: INFO Jail 'sshd' stopped
2019-10-27 21:08:17,392 fail2ban.filterpyinotify[29989]: DEBUG [traefik_404] filter terminated (pyinotifier)
2019-10-27 21:08:17,392 fail2ban.jail [29989]: INFO Jail 'traefik_404' stopped
2019-10-27 21:08:17,392 fail2ban.database [29989]: DEBUG Close connection to database ...
2019-10-27 21:08:17,392 fail2ban.database [29989]: INFO Connection to database closed.
2019-10-27 21:08:17,392 fail2ban.asyncserver [29989]: DEBUG Removed socket file /var/run/fail2ban/fail2ban.sock
2019-10-27 21:08:17,392 fail2ban.asyncserver [29989]: DEBUG Socket shutdown
2019-10-27 21:08:17,392 fail2ban.server [29989]: INFO Exiting Fail2ban
2019-10-27 21:08:17,392 fail2ban.server [29989]: DEBUG Remove PID file /var/run/fail2ban/fail2ban.pid
2019-10-27 21:08:17,392 fail2ban [29989]: HEAVY server phase {'start': True, 'ready': True, 'start-ready': True, 'configure': True, 'done': True}
2019-10-27 21:08:17,392 fail2ban [29989]: DEBUG Exit with code 0
2019-10-27 21:08:17,457 fail2ban.server [30939]: INFO --------------------------------------------------
2019-10-27 21:08:17,457 fail2ban.server [30939]: INFO Starting Fail2ban v0.10.2
2019-10-27 21:08:17,460 fail2ban.database [30939]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-10-27 21:08:17,461 fail2ban.jail [30939]: INFO Creating new jail 'sshd'
2019-10-27 21:08:17,467 fail2ban.jail [30939]: INFO Jail 'sshd' uses pyinotify {}
2019-10-27 21:08:17,469 fail2ban.jail [30939]: INFO Initiated 'pyinotify' backend
2019-10-27 21:08:17,470 fail2ban.filter [30939]: INFO maxLines: 1
2019-10-27 21:08:17,482 fail2ban.server [30939]: INFO Jail sshd is not a JournalFilter instance
2019-10-27 21:08:17,482 fail2ban.filter [30939]: INFO Added logfile: '/var/log/auth.log' (pos = 75405, hash = c4fdfe245ac9d4f58509b3e536ab3e7282032b1e)
2019-10-27 21:08:17,484 fail2ban.filter [30939]: INFO encoding: UTF-8
2019-10-27 21:08:17,484 fail2ban.filter [30939]: INFO maxRetry: 5
2019-10-27 21:08:17,484 fail2ban.filter [30939]: INFO findtime: 600
2019-10-27 21:08:17,484 fail2ban.actions [30939]: INFO banTime: 600
2019-10-27 21:08:17,485 fail2ban.jail [30939]: INFO Creating new jail 'traefik_404'
2019-10-27 21:08:17,485 fail2ban.jail [30939]: INFO Jail 'traefik_404' uses pyinotify {}
2019-10-27 21:08:17,487 fail2ban.jail [30939]: INFO Initiated 'pyinotify' backend
2019-10-27 21:08:17,488 fail2ban.filter [30939]: INFO Added logfile: '/home/USER/.app_configurations/traefik/logs/access.log' (pos = 249850, hash = e2f58cb5205fecbf34f94bfb6705287ce410f935)
2019-10-27 21:08:17,488 fail2ban.filter [30939]: INFO encoding: UTF-8
2019-10-27 21:08:17,489 fail2ban.filter [30939]: INFO maxRetry: 10
2019-10-27 21:08:17,489 fail2ban.filter [30939]: INFO findtime: 300
2019-10-27 21:08:17,489 fail2ban.actions [30939]: INFO banTime: 600
2019-10-27 21:08:17,490 fail2ban.jail [30939]: INFO Jail 'sshd' started
2019-10-27 21:08:17,490 fail2ban.jail [30939]: INFO Jail 'traefik_404' started
Relevant lines from monitored log files in question:
This could be a timezone issue - fail2ban will not recognize datepattern with UTC timezone (Z after nanoseconds, because it knows only patterns with milli- and microseconds per default).
You have to specify your own datepattern... for example %Y-%m-%d[T ]%H:%M:%S.%f\d*(%z)?, so \d* between %f and %z solves the issue and TZ will be captured successfully.
See the (2 hours) difference calling it verbose with and without datepattern:
- fail2ban-regex -vv "$msg" "$re"
+ fail2ban-regex -vv -d '"StartLocal"\s*:\s*"%Y-%m-%d[T ]%H:%M:%S\.%f\d*(%z)?",' "$msg" "$re"
...
- 159.203.201.224 Sun Oct 27 00:37:04 2019
+ 159.203.201.224 Sun Oct 27 02:37:04 2019
Fail2ban will ignore these messages as too old (larger than findtime and/or bantime).
BTW. your regex is pretty vulnerable (^.* is not an anchor at all, too many catch-alls, etc pp), better use something like this:
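The two-hour shift described in this comment, reproduced as an added example (not part of the thread, not fail2ban's own code, and separate from the filter regex mentioned just above). The two compiled patterns are simplified stand-ins for fail2ban's date templates, and the UTC+2 server zone, the sample line and the 10-second delay are assumptions; findtime 300 is the traefik_404 value from the log above.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified stand-ins for fail2ban's date templates (assumption, not its real code):
# %f takes at most 6 fractional digits, %z takes "Z" or a numeric offset.
BASE = r"(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})"
FRAC6 = r"\.(?P<frac>\d{1,6})"
TZ = r"(?P<tz>Z|[+-]\d{2}:?\d{2})?"
DEFAULT_PATTERN = re.compile(BASE + FRAC6 + TZ)          # ~ ...%S.%f(%z)?
CUSTOM_PATTERN = re.compile(BASE + FRAC6 + r"\d*" + TZ)  # ~ ...%S.%f\d*(%z)?

# Assumed server zone (UTC+2), chosen to match the 2-hour shift in the thread.
SERVER_TZ = timezone(timedelta(hours=2))
FINDTIME = 300  # seconds, traefik_404 jail value shown in fail2ban.log

# Constructed sample line: nanosecond timestamp followed by "Z".
SAMPLE = ('{"ClientHost":"192.0.2.10",'
          '"StartLocal":"2019-10-27T00:37:04.123456789Z","DownstreamStatus":404}')


def parse_epoch(line, pattern, local_tz=SERVER_TZ):
    """Return (epoch_seconds, tz_captured) for the first timestamp in line."""
    m = pattern.search(line)
    if m is None:
        raise ValueError("no timestamp found")
    naive = datetime.strptime(m.group("ts").replace(" ", "T"), "%Y-%m-%dT%H:%M:%S")
    tz = m.group("tz")
    if tz is None:
        # No zone captured: the wall-clock value is taken as server-local time.
        aware = naive.replace(tzinfo=local_tz)
    elif tz == "Z":
        aware = naive.replace(tzinfo=timezone.utc)
    else:
        sign = 1 if tz[0] == "+" else -1
        digits = tz[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        aware = naive.replace(tzinfo=timezone(sign * offset))
    return int(aware.timestamp()), tz is not None


def is_too_old(event_epoch, now_epoch, findtime=FINDTIME):
    """A failure older than findtime falls outside the counting window."""
    return now_epoch - event_epoch > findtime


def demo():
    # "Now" is 10 seconds after the request really happened (00:37:14 UTC).
    now = int(datetime(2019, 10, 27, 0, 37, 14, tzinfo=timezone.utc).timestamp())
    results = {}
    for name, pattern in (("default", DEFAULT_PATTERN), ("custom", CUSTOM_PATTERN)):
        epoch, has_tz = parse_epoch(SAMPLE, pattern)
        results[name] = (now - epoch, has_tz, is_too_old(epoch, now))
    return results


if __name__ == "__main__":
    for name, (age, has_tz, dropped) in demo().items():
        print(f"{name:8s} age={age:5d}s tz_captured={has_tz} ignored={dropped}")
```

With the six-digit pattern the match stops at `.123456`, the `Z` is never reached, and the entry looks 7210 seconds old; with `\d*` the zone is captured and the age is 10 seconds.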
The issue:
fail2ban does not act on new entries in the log file. I do not even get log info which might lead me in the right direction.
Steps to reproduce
Create fail2ban config for Traefik:
jail
filter
See below for a sample entry in the log file. fail2ban-regex actually matches the failregex correctly
Expected behavior
fail2ban creates rules or at least writes something to the log file.
Observed behavior
Nothing happens.
Any additional information
What I tried:
Configuration, dump and another helpful excerpts
fail2ban-regex output (shortened):