
[FR]: Ubuntu 22.04.4 LTS fail2ban Unable to match some authentication failure logs #3748

@watchingfun

Description


Environment:

  • Fail2Ban version : 0.11.2
  • OS, including release name/version :
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

Service, project or product which log or journal should be monitored

  • Name of filter or jail in Fail2Ban (if already exists) : sshd

Log or journal information

May 17 15:09:59 instance-20240513-1553 sshd[3891]: Disconnected from authenticating user root 103.151.173.102 port 22620 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Received disconnect from 103.151.173.102 port 26126:11:  [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Disconnected from authenticating user root 103.151.173.102 port 26126 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3895]: Received disconnect from 103.151.173.102 port 22295:11:  [preauth]
May 17 15:55:02 instance-20240513-1553 sshd[4396]: Connection closed by authenticating user root 183.81.169.238 port 50142 [preauth]
May 17 15:55:05 instance-20240513-1553 sshd[4524]: Connection closed by authenticating user root 183.81.169.238 port 50196 [preauth]
May 17 15:55:09 instance-20240513-1553 sshd[4553]: Connection closed by authenticating user root 183.81.169.238 port 44906 [preauth]
May 17 15:55:10 instance-20240513-1553 sshd[4557]: error: kex_exchange_identification: read: Connection reset by peer
May 17 15:55:10 instance-20240513-1553 sshd[4557]: Connection reset by 183.81.169.238 port 44910
  • Log file name(s) : /var/log/auth.log

Any additional information

extra:

The IP I use is 103.151.173.102.
After adding ^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__suff)s$ to /etc/fail2ban/filter.d/sshd.conf, /var/log/fail2ban.log finally has entries, and [Found] and [Ban] appear normally.
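The following is an added example, not code from the issue or from the fail2ban project. It reproduces, in plain Python, what the reporter's extra failregex does when fail2ban applies it to the auth.log lines above: the <HOST> and <F-USER>...</F-USER> tags are translated to named groups and %(__suff)s is expanded, the syslog prefix is stripped, each message is tested against the failregex list, and hits per host are counted against maxretry inside a findtime window. The HOST_RE, DEFINITIONS and PREFIX_RE values are assumptions modelled on the shape of fail2ban's sshd filter, not copied from it; the second failregex (for the "Connection closed by authenticating user" lines in the report) is likewise an assumed extension of the reporter's line. The sample log is constructed from the report plus one benign line for an already-authenticated user, which must not count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the auth.log lines from the report, plus one benign
# disconnect of an already-authenticated session (last line) that a correct
# failregex must NOT count as a failure.
SAMPLE_LOG = """\
May 17 15:09:59 instance-20240513-1553 sshd[3891]: Disconnected from authenticating user root 103.151.173.102 port 22620 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Received disconnect from 103.151.173.102 port 26126:11:  [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Disconnected from authenticating user root 103.151.173.102 port 26126 [preauth]
May 17 15:55:02 instance-20240513-1553 sshd[4396]: Connection closed by authenticating user root 183.81.169.238 port 50142 [preauth]
May 17 15:55:05 instance-20240513-1553 sshd[4524]: Connection closed by authenticating user root 183.81.169.238 port 50196 [preauth]
May 17 15:55:09 instance-20240513-1553 sshd[4553]: Connection closed by authenticating user root 183.81.169.238 port 44906 [preauth]
May 17 15:55:10 instance-20240513-1553 sshd[4557]: error: kex_exchange_identification: read: Connection reset by peer
May 17 15:55:10 instance-20240513-1553 sshd[4557]: Connection reset by 183.81.169.238 port 44910
May 17 16:00:00 instance-20240513-1553 sshd[4600]: Disconnected from user alice 198.51.100.7 port 40000
"""

# Assumed expansions, modelled on the shape of fail2ban's filter engine and
# sshd.conf but written here, not copied from the project: <HOST> becomes a
# named group, and %(__suff)s is an optional tail of "port N" / "on X" /
# "[preauth]" tokens.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
DEFINITIONS = {"__suff": r"(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*"}

# Assumed syslog prefix (timestamp, hostname, "sshd[pid]: "); fail2ban strips
# an equivalent prefix and applies failregex to the message part only.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

FAILREGEX = [
    # The line the reporter added to /etc/fail2ban/filter.d/sshd.conf
    r"^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__suff)s$",
    # Same shape for the "Connection closed by" lines in the report (assumed)
    r"^Connection closed by authenticating user <F-USER>.*?</F-USER> <HOST>%(__suff)s$",
]


def compile_failregex(template):
    """Translate a fail2ban-style failregex into a compiled Python regex."""
    pattern = template.replace("<HOST>", HOST_RE)
    pattern = re.sub(r"<F-USER>(.*?)</F-USER>", r"(?P<user>\1)", pattern)
    pattern = pattern % DEFINITIONS  # expand %(__suff)s
    return re.compile(pattern)


def scan(log_text, failregex=FAILREGEX):
    """Map host -> list of (datetime, user) for every line some failregex matches."""
    compiled = [compile_failregex(t) for t in failregex]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        pm = PREFIX_RE.match(line)
        if not pm:
            continue
        for rx in compiled:
            fm = rx.match(pm.group("msg"))
            if fm:
                ts = datetime.strptime(pm.group("ts"), "%b %d %H:%M:%S")
                hits[fm.group("host")].append((ts, fm.group("user")))
                break  # first matching failregex wins
    return dict(hits)


def bans(hits, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    banned = []
    for host, events in hits.items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, events in found.items():
        print(host, "->", len(events), "failures")
    print("would ban:", bans(found))
```

With the sample, 183.81.169.238 accumulates three "Connection closed by authenticating user" hits within seven seconds and is banned at maxretry=3, while 103.151.173.102 has only two "Disconnected from authenticating user" hits and is not; the "Received disconnect", "Connection reset" and "Disconnected from user alice" lines match nothing. The practitioner's check on a real host is fail2ban-regex against the actual filter, for example fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf --print-all-missed, which lists exactly the lines the installed filter ignores. One caveat on the reporter's regex: sshd emits "Disconnected from authenticating user" whenever a client drops the connection during authentication, so a flaky but legitimate client accumulates hits too; keep maxretry and findtime realistic rather than banning on a single match.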
