sshd Filter does not recognize "Failed publickey" in auth.log #2726

Closed
3 tasks done
Chips83 opened this issue May 15, 2020 · 1 comment


Chips83 commented May 15, 2020

Environment:

Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated,
and you can't verify that the issue persists in the recent release, better seek support
from the distribution you obtained Fail2Ban from

  • Fail2Ban version (including any possible distribution suffixes):
    0.10.2-2.1 all
  • OS, including release name/version:
    Debian GNU/Linux 10 (buster)
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

If I use "PasswordAuthentication" for ssh, everything works as expected and the IP is banned. But if I use "PubkeyAuthentication" for ssh, fail2ban does not recognize the "Failed publickey" in /var/log/auth.log and no IP is banned.

The only failregex which is incremented by 1 for a "Failed publickey" is "^Connection from".

Steps to reproduce

Configure /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes

Expected behavior

fail2ban finds "Failed publickey" in /var/log/auth.log and bans the IP.

Observed behavior

fail2ban does not recognize "Failed publickey", and there is no "found" entry in /var/log/fail2ban.log.
The IP which is trying to log in with a wrong key is not banned.

Any additional information

Configuration, dump and another helpful excerpts

fail2ban-regex /var/log/auth.log sshd.conf

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 103 total
|-  #) [# of hits] regular expression
|   3) [2] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   4) [8] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   6) [2] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
|  14) [7] ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*(?: \[preauth\])?\s*$
|  20) [36] ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
|  21) [48] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [911] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 911 lines, 0 ignored, 103 matched, 808 missed
[processed in 0.08 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 808 lines

and after a "Failed publickey" login it only increments the last Failregex.

fail2ban-regex /var/log/auth.log sshd.conf

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 104 total
|-  #) [# of hits] regular expression
|   3) [2] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   4) [8] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   6) [2] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
|  14) [7] ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*(?: \[preauth\])?\s*$
|  20) [36] ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
|  21) [49] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [914] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 914 lines, 0 ignored, 104 matched, 810 missed
[processed in 0.08 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 810 lines

If I check all the missed lines, you can see that fail2ban is missing the line with "Failed publickey":

fail2ban-regex /var/log/auth.log sshd.conf --print-all-missed | grep 'Failed publickey'
|  May 15 06:45:31 localhost sshd[6192]: Failed publickey for user from x.x.x.x port 54527 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf

Any customizations done to /etc/fail2ban/ configuration

Configuration is in /etc/fail2ban/jail.local. I have copied the jail.conf.

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = 9256
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = %(action_)s

Relevant parts of /var/log/fail2ban.log file:

preferably obtained while running fail2ban with loglevel = 4

2020-05-15 11:38:28,464 fail2ban.jail           [7990]: INFO    Jail 'sshd' uses pyinotify {}
2020-05-15 11:38:28,466 fail2ban.jail           [7990]: INFO    Initiated 'pyinotify' backend
2020-05-15 11:38:28,467 fail2ban.filter         [7990]: INFO      maxLines: 1
2020-05-15 11:38:28,485 fail2ban.server         [7990]: INFO    Jail sshd is not a JournalFilter instance
2020-05-15 11:38:28,486 fail2ban.filter         [7990]: INFO    Added logfile: '/var/log/auth.log' (pos = 97800, hash = ccb0555b819229c3ba610c82d00de8c3e5ae8dee)
2020-05-15 11:38:28,486 fail2ban.filter         [7990]: INFO      encoding: UTF-8
2020-05-15 11:38:28,487 fail2ban.filter         [7990]: INFO      maxRetry: 2
2020-05-15 11:38:28,487 fail2ban.filter         [7990]: INFO      findtime: 120
2020-05-15 11:38:28,487 fail2ban.actions        [7990]: INFO      banTime: 60
2020-05-15 11:38:28,488 fail2ban.jail           [7990]: INFO    Jail 'sshd' started
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: DEBUG   Event queue size: 16
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,263 fail2ban.filterpyinotify[7990]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,263 fail2ban.filter         [7990]: TRACE   Working on line 'May 15 11:39:45 localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256\n'
2020-05-15 11:39:45,263 fail2ban.datedetector   [7990]: HEAVY   try to match time for line: May 15 11:39:45 localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256
2020-05-15 11:39:45,263 fail2ban.datedetector   [7990]: HEAVY     try to match last anchored template #00 ...
2020-05-15 11:39:45,263 fail2ban.datedetector   [7990]: Level 6   matched last time template #00
2020-05-15 11:39:45,264 fail2ban.datedetector   [7990]: Level 6   got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY   Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Connection from x.x.x.x port 54462 on y.y.y.y port 9256')]
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: TRACE     Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Connection from x.x.x.x port 54462 on y.y.y.y port 9256'}
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,264 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2020-05-15 11:39:45,265 fail2ban.filter         [7990]: TRACE     Matched FailRegex('^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))')
2020-05-15 11:39:45,265 fail2ban.filter         [7990]: TRACE   Nofail by mlfid ' localhost sshd[8020]: ' in regex 20: waiting for failure
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: DEBUG   Event queue size: 16
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,652 fail2ban.filterpyinotify[7990]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: TRACE   Working on line 'May 15 11:39:45 localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf\n'
2020-05-15 11:39:45,652 fail2ban.datedetector   [7990]: HEAVY   try to match time for line: May 15 11:39:45 localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakd
2020-05-15 11:39:45,652 fail2ban.datedetector   [7990]: HEAVY     try to match last anchored template #00 ...
2020-05-15 11:39:45,652 fail2ban.datedetector   [7990]: Level 6   matched last time template #00
2020-05-15 11:39:45,652 fail2ban.datedetector   [7990]: Level 6   got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: HEAVY   Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf')]
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: TRACE     Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Failed publickey for user from x.x.x.x port 54462 ssh2: RSA SHA256:8kvrakdQyRVp5tRqU6/HrPmeJ2sb3oVYuek+KgEn1Nf'}
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,652 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,653 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'
2020-05-15 11:39:45,687 fail2ban.filterpyinotify[7990]: DEBUG   Event queue size: 16
2020-05-15 11:39:45,687 fail2ban.filterpyinotify[7990]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-05-15 11:39:45,688 fail2ban.filterpyinotify[7990]: TRACE   [sshd] Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var/log/auth.log wd=2 >
2020-05-15 11:39:45,688 fail2ban.filter         [7990]: TRACE   Working on line 'May 15 11:39:45 localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]\n'
2020-05-15 11:39:45,688 fail2ban.datedetector   [7990]: HEAVY   try to match time for line: May 15 11:39:45 localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]
2020-05-15 11:39:45,688 fail2ban.datedetector   [7990]: HEAVY     try to match last anchored template #00 ...
2020-05-15 11:39:45,688 fail2ban.datedetector   [7990]: Level 6   matched last time template #00
2020-05-15 11:39:45,688 fail2ban.datedetector   [7990]: Level 6   got time 1589535585.000000 for 'May 15 11:39:45' using template {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
2020-05-15 11:39:45,688 fail2ban.filter         [7990]: HEAVY   Looking for match of [('', 'May 15 11:39:45', ' localhost sshd[8020]: Connection closed by authenticating user user x.x.x.x port 54462 [preauth]')]
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: TRACE     Pre-filter matched {'mlfid': ' localhost sshd[8020]: ', 'content': 'Connection closed by authenticating user user x.x.x.x port 54462 [preauth]'}
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\S+ for invalid user (?P<user>(?P<cond_user>\\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-05-15 11:39:45,689 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,690 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,691 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,692 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2020-05-15 11:39:45,692 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2020-05-15 11:39:45,692 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2020-05-15 11:39:45,692 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \\S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?:\\s|$)'
2020-05-15 11:39:45,692 fail2ban.filter         [7990]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'

Relevant lines from monitored log files in question:

@sebres
Contributor

sebres commented May 15, 2020

There are already too many issues about failed public keys (for instance #2188).

In short, that is not correct: fail2ban recognizes these attempts well, but ignores them (does not consider them an immediate failure, due to problem #1263) unless other failures occur (and no successful access was gained in the session).

You did not fill in the section "relevant lines from monitored log files in question" of our issue template, so it is difficult to predict how the "attack" looks in your case.
Expected is an excerpt with ALL messages from a single session, i.e. all carrying the same prefix, like sshd[6192].

Also please note #1477 (comment) and below.

If you nevertheless need such attempts to be identified directly as failures, see #2188 (comment).
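
As an added illustration of the session rule described in the comment above (this is not fail2ban's own filter code, whose multi-line handling is more elaborate; it is a simplified model written for this page): a "Failed publickey" line is recognised but only held per sshd session, identified by the `sshd[pid]` prefix; it is counted once another failure occurs in the same session, and dropped when the session either authenticates successfully or ends without any other failure. The auth.log excerpt is constructed, with RFC 5737 documentation addresses, and the regexes are simplified to IPv4.

```python
import re
from collections import defaultdict

# Constructed sample excerpt (not from the issue). sshd[<pid>] identifies one
# session, the prefix the comment asks for; addresses are RFC 5737 ranges.
SAMPLE_AUTH_LOG = """\
May 15 11:39:40 host sshd[6192]: Connection from 192.0.2.10 port 40000 on 198.51.100.5 port 22
May 15 11:39:41 host sshd[6192]: Failed publickey for alice from 192.0.2.10 port 40000 ssh2: RSA SHA256:constructed1
May 15 11:39:42 host sshd[6192]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: RSA SHA256:constructed2
May 15 11:39:50 host sshd[6193]: Connection from 203.0.113.7 port 41000 on 198.51.100.5 port 22
May 15 11:39:51 host sshd[6193]: Failed publickey for root from 203.0.113.7 port 41000 ssh2: RSA SHA256:constructed3
May 15 11:39:52 host sshd[6193]: Failed password for root from 203.0.113.7 port 41000 ssh2
May 15 11:39:53 host sshd[6193]: Connection closed by 203.0.113.7 port 41000 [preauth]
May 15 11:40:00 host sshd[6194]: Connection from 203.0.113.8 port 42000 on 198.51.100.5 port 22
May 15 11:40:01 host sshd[6194]: Failed publickey for root from 203.0.113.8 port 42000 ssh2: RSA SHA256:constructed4
May 15 11:40:02 host sshd[6194]: Connection closed by 203.0.113.8 port 42000 [preauth]
"""

# Syslog prefix up to the sshd[pid] session id; the remainder is the sshd message.
LINE_RE = re.compile(r"^\S+ +\d+ \S+ \S+ sshd\[(?P<sid>\d+)\]: (?P<msg>.*)$")
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"          # simplified: IPv4 only
USER = r"(?:invalid user )?(?P<user>\S+)"
# A failed key offer is recognised but held; it does not count on its own.
HELD_RE = re.compile(r"^Failed publickey for " + USER + " from " + HOST)
# Any other "Failed <method>" line is an immediate failure.
FAIL_RE = re.compile(r"^Failed (?!publickey)\S+ for " + USER + " from " + HOST)
# Successful login in the session: its held key failures are forgotten.
ACCEPT_RE = re.compile(r"^Accepted \S+ for \S+ from " + HOST)
# Session ends without another failure: held key failures are dropped, not counted.
END_RE = re.compile(r"^(?:Connection closed by|Received disconnect from) " + HOST)


def count_failures(log_text):
    """Apply the session rules from the comment to an auth.log excerpt.

    Returns (counted, held_only): counted maps IP -> failures that would feed a
    ban; held_only maps IP -> 'Failed publickey' attempts that were seen but
    never promoted because no other failure occurred in that sshd session.
    """
    held = defaultdict(list)        # session id -> IPs of held publickey failures
    counted = defaultdict(int)
    held_only = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        h, f = HELD_RE.match(msg), FAIL_RE.match(msg)
        if h:
            held[sid].append(h.group("host"))
        elif f:
            counted[f.group("host")] += 1
            # Another failure in the same session promotes the held key failures.
            for ip in held.pop(sid, []):
                counted[ip] += 1
        elif ACCEPT_RE.match(msg):
            held.pop(sid, None)      # legitimate user who offered several keys
        elif END_RE.match(msg):
            for ip in held.pop(sid, []):
                held_only[ip] += 1   # recognised, but never became a failure
    return dict(counted), dict(held_only)


if __name__ == "__main__":
    counted, held_only = count_failures(SAMPLE_AUTH_LOG)
    print("counted failures:", counted)                # {'203.0.113.7': 2}
    print("key-only attempts, not counted:", held_only)  # {'203.0.113.8': 1}
```

Running it on the constructed excerpt shows the three outcomes the comment distinguishes: session 6192 fails a key and then logs in, so nothing is counted; session 6193 fails a key and then a password, so both attempts count against 203.0.113.7; session 6194 only ever fails a key and closes, so the attempt is visible in `held_only` but produces no failure, which is the behaviour the reporter observed as "no found entry".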
