Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated and you can't verify that the issue persists in the most recent release, better seek support from the distribution you obtained Fail2Ban from.
Fail2Ban version (including any possible distribution suffixes):
0.10.2-2.1 all
OS, including release name/version:
Debian GNU/Linux 10 (buster)
Fail2Ban installed via OS/distribution mechanisms
You have not applied any additional foreign patches to the codebase
Some customizations were done to the configuration (provide details below if so)
The issue:
If I use "PasswordAuthentication" for SSH, everything works as expected and the IP is banned. But if I use "PubkeyAuthentication" for SSH, fail2ban does not recognize the "Failed publickey" in /var/log/auth.log and no IP is banned.
The only failregex which is incremented by 1 for a "Failed publickey" is "^Connection from ".
Steps to reproduce
Configure /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
Expected behavior
fail2ban will find "Failed publickey" in /var/log/auth.log and ban the IP.
Observed behavior
fail2ban does not recognize "Failed publickey", and there is no "found" entry in /var/log/fail2ban.log.
The IP which is trying to log in with a wrong key is not banned.
Any additional information
Configuration, dump and another helpful excerpts
fail2ban-regex /var/log/auth.log sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 103 total
|- #) [# of hits] regular expression
| 3) [2] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 4) [8] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 6) [2] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
| 14) [7] ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*(?: \[preauth\])?\s*$
| 20) [36] ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
| 21) [48] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [911] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 911 lines, 0 ignored, 103 matched, 808 missed
[processed in 0.08 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 808 lines
And after a "Failed publickey" login attempt it only increments the last failregex:
fail2ban-regex /var/log/auth.log sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 104 total
|- #) [# of hits] regular expression
| 3) [2] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 4) [8] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 6) [2] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
| 14) [7] ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*(?: \[preauth\])?\s*$
| 20) [36] ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
| 21) [49] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [914] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 914 lines, 0 ignored, 104 matched, 810 missed
[processed in 0.08 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 810 lines
If I check all the missed lines, you can see that fail2ban is missing the line with "Failed publickey":
fail2ban-regex /var/log/auth.log sshd.conf --print-all-missed | grep 'Failed publickey'
| May 15 06:45:31 localhost sshd[6192]: Failed publickey for user from x.x.x.x port 54527 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf
Any customizations done to /etc/fail2ban/ configuration
Configuration is in /etc/fail2ban/jail.local. I have copied the jail.conf.
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = 9256
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = %(action_)s
Relevant parts of /var/log/fail2ban.log file:
preferably obtained while running fail2ban with loglevel = 4
2020-05-15 11:38:28,464 fail2ban.jail [7990]: INFO Jail 'sshd' uses pyinotify {}
2020-05-15 11:38:28,466 fail2ban.jail [7990]: INFO Initiated 'pyinotify' backend
2020-05-15 11:38:28,467 fail2ban.filter [7990]: INFO maxLines: 1
2020-05-15 11:38:28,485 fail2ban.server [7990]: INFO Jail sshd is not a JournalFilter instance
2020-05-15 11:38:28,486 fail2ban.filter [7990]: INFO Added logfile: '/var/log/auth.log' (pos = 97800, hash = ccb0555b819229c3ba610c82d00de8c3e5ae8dee)
2020-05-15 11:38:28,486 fail2ban.filter [7990]: INFO encoding: UTF-8
2020-05-15 11:38:28,487 fail2ban.filter [7990]: INFO maxRetry: 2
2020-05-15 11:38:28,487 fail2ban.filter [7990]: INFO findtime: 120
2020-05-15 11:38:28,487 fail2ban.actions [7990]: INFO banTime: 60
2020-05-15 11:38:28,488 fail2ban.jail [7990]: INFO Jail 'sshd' started
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: DEBUG Event queue size: 16
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,263 fail2ban.filter [7990]: TRACE Working on line 'May 15 11:39:45 localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256\n'
2020-05-15 11:39:45,263 fail2ban.datedetector [7990]: HEAVY try to match time for line: May 15 11:39:45 localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256
2020-05-15 11:39:45,263 fail2ban.datedetector [7990]: HEAVY try to match last anchored template #00 ...
2020-05-15 11:39:45,263 fail2ban.datedetector [7990]: Level 6 matched last time template #00
2020-05-15 11:39:45,264 fail2ban.datedetector [7990]: Level 6 got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256')]
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: TRACE Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Connection from x.x.x.x port 54462 on y.y.y.y port 9256'}
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,264 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2020-05-15 11:39:45,265 fail2ban.filter [7990]: TRACE Matched FailRegex('^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))')
2020-05-15 11:39:45,265 fail2ban.filter [7990]: TRACE Nofail by mlfid ' localhost sshd[8020]: ' in regex 20: waiting for failure
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: DEBUG Event queue size: 16
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,652 fail2ban.filter [7990]: TRACE Working on line 'May 15 11:39:45 localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf\n'
2020-05-15 11:39:45,652 fail2ban.datedetector [7990]: HEAVY try to match time for line: May 15 11:39:45 localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakd
2020-05-15 11:39:45,652 fail2ban.datedetector [7990]: HEAVY try to match last anchored template #00 ...
2020-05-15 11:39:45,652 fail2ban.datedetector [7990]: Level 6 matched last time template #00
2020-05-15 11:39:45,652 fail2ban.datedetector [7990]: Level 6 got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,652 fail2ban.filter [7990]: HEAVY Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf')]
2020-05-15 11:39:45,652 fail2ban.filter [7990]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,652 fail2ban.filter [7990]: TRACE Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf'}
2020-05-15 11:39:45,652 fail2ban.filter [7990]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,652 fail2ban.filter [7990]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,652 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,653 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2020-05-15 11:39:45,687 fail2ban.filterpyinotify[7990]: DEBUG Event queue size: 16
2020-05-15 11:39:45,687 fail2ban.filterpyinotify[7990]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,688 fail2ban.filterpyinotify[7990]: TRACE [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,688 fail2ban.filter [7990]: TRACE Working on line 'May 15 11:39:45 localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]\n'
2020-05-15 11:39:45,688 fail2ban.datedetector [7990]: HEAVY try to match time for line: May 15 11:39:45 localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]
2020-05-15 11:39:45,688 fail2ban.datedetector [7990]: HEAVY try to match last anchored template #00 ...
2020-05-15 11:39:45,688 fail2ban.datedetector [7990]: Level 6 matched last time template #00
2020-05-15 11:39:45,688 fail2ban.datedetector [7990]: Level 6 got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,688 fail2ban.filter [7990]: HEAVY Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]')]
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,689 fail2ban.filter [7990]: TRACE Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Connection closed by authenticating user user x.x.x.x port 54462 [preauth]'}
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,689 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter [7990]: HEAVY Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter [7990]: HEAVY Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,692 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,692 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,692 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,692 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,692 fail2ban.filter [7990]: HEAVY Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
Relevant lines from monitored log files in question:
There are already too many issues about failed public key (for instance #2188).
In short, it is not correct: fail2ban recognizes these attempts well, but ignores them (does not consider them an immediate failure, due to problem #1263) unless other failures occur (and no successful access was gained in the session).
You did not fill in the section "relevant lines from monitored log files in question" of our issue template, so it is difficult to predict how the "attack" looks in your case.
Expected is an excerpt with ALL messages from a single session, so containing the same prefix like sshd[6192].
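To make the session-based handling described in this reply concrete, here is an added Python illustration; it is not fail2ban's own code and deliberately simplifies its sshd filter. It groups auth.log lines by the sshd[pid] prefix that fail2ban's trace above calls the mlfid, holds a "Failed publickey" as pending instead of counting it at once, counts the pending attempts only when another failure occurs in the same session, and forgets them when the session gains access. The regular expressions, the one-for-one accounting of pending attempts, and the sample log lines (RFC 5737 documentation addresses, made-up fingerprints) are constructed for this example; `session_lines` extracts every message of one session, which is the excerpt the reply asks for.

```python
"""Session-aware handling of sshd "Failed publickey" messages.

Added illustration, NOT fail2ban's code: a simplified model of the
behaviour described in the reply above.  Patterns, accounting and the
sample log are constructed for this example.
"""
import re
from collections import defaultdict

# Every message of one sshd session shares the "host sshd[pid]:" prefix
# (the mlfid seen in the fail2ban trace above).
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<mlfid>\S+ sshd\[(?P<pid>\d+)\]): (?P<content>.*)$"
)

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only; enough for the sample

# Simplified, hypothetical patterns (not the ones in filter.d/sshd.conf).
CONNECT_RE = re.compile(r"^Connection from " + HOST + r" port \d+")
PUBKEY_FAIL_RE = re.compile(r"^Failed publickey for \S+ from " + HOST + r" port \d+")
OTHER_FAIL_RE = re.compile(
    r"^Failed (?!publickey)\S+ for (?:invalid user )?\S+ from " + HOST + r" port \d+"
)
ACCEPTED_RE = re.compile(r"^Accepted \S+ for \S+ from " + HOST + r" port \d+")
CLOSE_RE = re.compile(
    r"^(?:Connection closed by|Disconnected from|Received disconnect from) .*?"
    + HOST + r" port \d+"
)


class SessionTracker:
    """Holds "Failed publickey" per session until the session tells us more."""

    def __init__(self):
        self.sessions = {}                 # mlfid -> {"host": str|None, "pending": int}
        self.failures = defaultdict(int)   # host -> attempts that should count toward a ban

    def feed(self, line):
        m = PREFIX_RE.match(line)
        if not m:
            return                         # not an sshd line; nothing to do
        mlfid, content = m.group("mlfid"), m.group("content")
        sess = self.sessions.setdefault(mlfid, {"host": None, "pending": 0})

        if (c := CONNECT_RE.match(content)):
            sess["host"] = c.group("host")          # "nofail": remember the peer, wait for a failure
        elif (c := PUBKEY_FAIL_RE.match(content)):
            sess["host"] = c.group("host")
            sess["pending"] += 1                    # recognised, but not an immediate failure
        elif (c := OTHER_FAIL_RE.match(content)):
            host = c.group("host")
            # A real failure in this session: count it together with the held key attempts.
            self.failures[host] += 1 + sess["pending"]
            sess["pending"] = 0
            sess["host"] = host
        elif ACCEPTED_RE.match(content):
            # Access was gained (a client that tried several keys): forget the held attempts.
            self.sessions.pop(mlfid, None)
        elif CLOSE_RE.match(content):
            # Session ended with nothing but key failures: ignored, as the reply describes.
            self.sessions.pop(mlfid, None)


def count_failures(lines):
    """Failures per host after replaying the log through the tracker."""
    tracker = SessionTracker()
    for line in lines:
        tracker.feed(line)
    return dict(tracker.failures)


def session_lines(lines, pid):
    """All messages of one sshd session: the excerpt the reply asks to be pasted."""
    return [ln for ln in lines if (m := PREFIX_RE.match(ln)) and int(m.group("pid")) == pid]


# Constructed sample log (RFC 5737 documentation addresses, made-up key fingerprints).
SAMPLE_LOG = [
    # pid 6192: legitimate client offers two keys, the second is accepted -> nothing to count
    "May 15 06:45:30 localhost sshd[6192]: Connection from 192.0.2.10 port 54527 on 198.51.100.1 port 9256",
    "May 15 06:45:31 localhost sshd[6192]: Failed publickey for user from 192.0.2.10 port 54527 ssh2: RSA SHA256:AAAAexampleAAAA",
    "May 15 06:45:31 localhost sshd[6192]: Accepted publickey for user from 192.0.2.10 port 54527 ssh2: RSA SHA256:BBBBexampleBBBB",
    # pid 8020: wrong key only, then the client leaves -> held, never counted
    "May 15 11:39:45 localhost sshd[8020]: Connection from 203.0.113.5 port 54462 on 198.51.100.1 port 9256",
    "May 15 11:39:45 localhost sshd[8020]: Failed publickey for user from 203.0.113.5 port 54462 ssh2: RSA SHA256:CCCCexampleCCCC",
    "May 15 11:39:45 localhost sshd[8020]: Connection closed by authenticating user user 203.0.113.5 port 54462 [preauth]",
    # pid 8100: wrong key followed by a wrong password -> both count
    "May 15 11:40:02 localhost sshd[8100]: Connection from 203.0.113.5 port 54470 on 198.51.100.1 port 9256",
    "May 15 11:40:02 localhost sshd[8100]: Failed publickey for user from 203.0.113.5 port 54470 ssh2: RSA SHA256:CCCCexampleCCCC",
    "May 15 11:40:05 localhost sshd[8100]: Failed password for user from 203.0.113.5 port 54470 ssh2",
    "May 15 11:40:05 localhost sshd[8100]: Connection closed by authenticating user user 203.0.113.5 port 54470 [preauth]",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))          # {'203.0.113.5': 2}
    for ln in session_lines(SAMPLE_LOG, 8100):
        print(ln)
```

Run it as a script to see the two effects side by side: the sessions with a single wrong key (pid 6192, pid 8020) contribute nothing, while the session that follows the wrong key with a failed password (pid 8100) yields two counted attempts for 203.0.113.5. That is why a report about "Failed publickey" needs the whole session with the same sshd[pid] prefix, not the one line.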