- [root@ip22 fail2ban]# fail2ban-client -d
- ['set', 'syslogsocket', 'auto']
- ['set', 'loglevel', 'DEBUG']
- ['set', 'logtarget', '/var/log/fail2ban.log']
- ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
- ['set', 'dbpurgeage', 86400]
- ['add', 'sshd', 'auto']
- ['set', 'sshd', 'usedns', 'warn']
- ['set', 'sshd', 'addlogpath', '/var/log/secure', 'head']
- ['set', 'sshd', 'maxretry', 5]
- ['set', 'sshd', 'addignoreip', '65.182.164.0/23']
- ['set', 'sshd', 'logencoding', 'auto']
- ['set', 'sshd', 'bantime', 2592000]
- ['set', 'sshd', 'ignorecommand', '']
- ['set', 'sshd', 'findtime', 2592000]
- ['set', 'sshd', 'maxlines', '10']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: ssh\\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because not in any group\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?refused connect from \\S+ \\(<HOST>\\)\\s*$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \\[preauth\\])?$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$']
- ['set', 'sshd', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
- ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \\[preauth\\]$']
- ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)Disconnecting: Too many authentication failures for .+? \\[preauth\\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \\[preauth\\]$']
- ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)Connection from <HOST> port \\d+(?: on \\S+ port \\d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \\[preauth\\]$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)? \\[preauth\\]$']
- ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*$']
- ['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
- ['set', 'sshd', 'addaction', 'apf']
- ['set', 'sshd', 'action', 'apf', 'actionban', '/usr/local/sbin/apf --deny <ip> "banned by Fail2Ban <name>"']
- ['set', 'sshd', 'action', 'apf', 'actionstop', '']
- ['set', 'sshd', 'action', 'apf', 'actionstart', '']
- ['set', 'sshd', 'action', 'apf', 'actionunban', '/usr/local/sbin/apf --remove <ip>']
- ['set', 'sshd', 'action', 'apf', 'actioncheck', '']
- ['set', 'sshd', 'action', 'apf', 'known/name', 'default']
- ['set', 'sshd', 'action', 'apf', 'protocol', 'tcp']
- ['set', 'sshd', 'action', 'apf', 'name', 'sshd']
- ['set', 'sshd', 'addaction', 'sendmail-whois-lines']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionunban', '']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actioncheck', '']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/sendername', 'Fail2Ban']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/grepopts', '-m 1000']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'sender', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/sender', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'dest', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/dest', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/__name__', 'Init']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/secure']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/dest', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/sender', 'admin@ics-il.net']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/name', 'default']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/logpath', '/dev/null']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/__name__', 'Init']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
- ['set', 'sshd', 'action', 'sendmail-whois-lines', 'name', 'sshd']
- ['start', 'sshd']