user3258348

Reputation: 67

Fail2ban rules not working

I'm using Ubuntu 12.04 and I've been seeing a bunch of failed SSH attempts into my server and I'm trying to add a rule to fail2ban to block them, but my regex doesn't appear to be correct.

Does fail2ban look for N number of retries in a row, or is it that number of occurrences in the log? If it's the former (sequential retries from an IP), then I think my regex is correct and they're switching IPs just under the maximum number of tries.

So here's an example of what I've been seeing:

Feb 13 18:41:37 sshd[22426]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]
Feb 13 18:41:38 sshd[22428]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]
Feb 13 18:41:39 sshd[22430]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 18:41:39 sshd[22430]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]
Feb 13 18:41:40 sshd[22432]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]
Feb 13 18:41:41 sshd[22434]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 18:41:42 sshd[22434]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]
Feb 13 18:41:43 sshd[22436]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]
Feb 13 18:41:44 sshd[22438]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]
Feb 13 18:41:45 sshd[22440]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 18:41:45 sshd[22440]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]
Feb 13 18:41:46 sshd[22442]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]

Here's the SSH section in jail.conf:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log  #this is the correct file
maxretry = 5
bantime  = 86400

Here are the two lines of regex in sshd.conf that correlate to the examples above:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$

I have restarted fail2ban after adding these rules. I checked iptables and fail2ban has added a couple of IPs for other rules I have, but this one doesn't appear to be working, so I'm guessing it's my regex.

Upvotes: 1

Views: 2948
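An added example (not code from the question or the answer): a small Python model of how fail2ban applies the two failregex lines above to the sample log, filling in `%(__prefix_line)s` by ConfigParser interpolation (the trailing `s` belongs to that `%(name)s` syntax), expanding `<HOST>` into a named capture group, and counting matches per host within `findtime` rather than as consecutive lines. The `PREFIX_LINE` value, the year 2014 used for ordering, and the `HOST_RE` approximation are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (approximation of the 0.8 pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# __prefix_line is a ConfigParser value; the "s" in %(__prefix_line)s is part of Python's
# %(name)s interpolation syntax. This value is an assumption fitted to the sample prefix.
PREFIX_LINE = r"\S+\s+\d+\s+\d+:\d+:\d+\s+(?:\S+\s+)?sshd\[\d+\]:\s+"
FAILREGEX = [  # the two expressions from the question, unchanged
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$",
]
# Sample lines copied from the question (syslog has no year; 2014 assumed for ordering).
SAMPLE_LINES = [
    "Feb 13 18:41:37 sshd[22426]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
    "Feb 13 18:41:38 sshd[22428]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
    "Feb 13 18:41:39 sshd[22430]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 13 18:41:39 sshd[22430]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]",
    "Feb 13 18:41:40 sshd[22432]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
    "Feb 13 18:41:41 sshd[22434]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 13 18:41:42 sshd[22434]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]",
    "Feb 13 18:41:43 sshd[22436]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
    "Feb 13 18:41:44 sshd[22438]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
    "Feb 13 18:41:45 sshd[22440]: reverse mapping checking getaddrinfo for host-190-95-232-234.uio.telconet.net [190.95.232.234] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 13 18:41:45 sshd[22440]: Received disconnect from 190.95.232.234: 11: Bye Bye [preauth]",
    "Feb 13 18:41:46 sshd[22442]: Received disconnect from 186.42.181.66: 11: Bye Bye [preauth]",
]

def compile_failregex(pattern):
    # Step 1: ConfigParser interpolation fills in __prefix_line; step 2: fail2ban expands <HOST>.
    return re.compile((pattern % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST_RE))

def scan(lines, patterns, maxretry=5, findtime=600):
    """Return (matches per host, banned hosts, lines no failregex covers). A host is banned once
    maxretry matches fall within findtime seconds: counting is per host, not consecutive lines."""
    compiled = [compile_failregex(p) for p in patterns]
    stamps, banned, unmatched = defaultdict(list), set(), []
    for line in lines:
        hits = [m for m in (rx.match(line) for rx in compiled) if m]
        if not hits:
            unmatched.append(line)  # never counts toward maxretry, whatever it says
            continue
        host = hits[0].group("host")
        ts = datetime.strptime("2014 " + line[:15], "%Y %b %d %H:%M:%S")
        stamps[host].append(ts)
        recent = [t for t in stamps[host] if ts - t <= timedelta(seconds=findtime)]
        if len(recent) >= maxretry:
            banned.add(host)
    return {h: len(t) for h, t in stamps.items()}, banned, unmatched
```

Running `scan(SAMPLE_LINES, FAILREGEX)` shows the three "reverse mapping checking getaddrinfo" lines matching neither expression, since the second one expects the text to start with "Address".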

Answers (1)

RobertB

Reputation: 4602

I don't have fail2ban, so I can't really test it, but a few things stand out to me in the regular expressions...

  • I assume %(__prefix_line) is a fail2ban substitution (Python ConfigParser interpolation)
  • I assume <HOST> is another kind of substitution or placeholder that fail2ban can understand (if not then a proper regex or substitution needs to be here)

The first thing I noticed is the 's' after %(__prefix_line). That looks like it should probably be a whitespace shorthand character class rather than a literal s. Put a backslash in front of it (\s). See comments below.

The second thing I noticed is the asterisk after the bang (exclamation) on the second line. That says "zero or more ! characters". Maybe that's what was intended. Maybe not. If you remove that asterisk, then it makes more sense. If you add a dot in front, it makes sense too.

Try:

^%(__prefix_line)\sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$
^%(__prefix_line)\sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$

See comments below

If that doesn't work, then do something with the asterisk after the bang.

If that doesn't work, then confirm with fail2ban that "<HOST>" is a proper substitution. I found <HOST> in the fail2ban docs. It looks correct.

See Also: Testing in the Fail2ban 0.8 Manual

Upvotes: 1
