
#1 2017-08-31 02:21:28

joelk
Member
Registered: 2017-04-16
Posts: 15

strange entries in fail2ban.log

Today I noticed that my fail2ban.log is filled with entries like these, repeated every few minutes:

2017-08-30 22:08:56,033 fail2ban.filtersystemd  [5615]: HEAVY   [sshd-ddos] Read systemd journal entry: 2017-08-30T22:08:55.686969 serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]
2017-08-30 22:08:56,033 fail2ban.filter         [5615]: HEAVY   Looking for match of [('', '2017-08-30T22:08:55.686969', 'serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]')]
2017-08-30 22:08:56,033 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Did not receive identification string from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)\\s*$'
2017-08-30 22:08:56,034 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Connection closed by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+) \\[preauth\\]\\s*$'
2017-08-30 22:08:56,034 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Unable to negotiate with (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+): no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 \\[preauth\\]\\s*$'
2017-08-30 22:08:56,035 fail2ban.filtersystemd  [5615]: HEAVY   [sshd-ddos] Read systemd journal entry: 2017-08-30T22:08:55.687024 serv1 sshd[5678]: Disconnecting invalid user root 175.160.63.121 port 11328: Too many authentication failures [preauth]
2017-08-30 22:08:56,035 fail2ban.filter         [5615]: HEAVY   Looking for match of [('', '2017-08-30T22:08:55.687024', 'serv1 sshd[5678]: Disconnecting invalid user root 175.160.63.121 port 11328: Too many authentication failures [preauth]')]
2017-08-30 22:08:56,035 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Did not receive identification string from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)\\s*$'
2017-08-30 22:08:56,035 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Connection closed by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+) \\[preauth\\]\\s*$'
2017-08-30 22:08:56,035 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Unable to negotiate with (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+): no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 \\[preauth\\]\\s*$'
2017-08-30 22:08:56,036 fail2ban.filtersystemd  [5615]: HEAVY   [sshd] Read systemd journal entry: 2017-08-30T22:08:55.686969 serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]
2017-08-30 22:08:56,036 fail2ban.filter         [5615]: HEAVY   Looking for match of [('', '2017-08-30T22:08:55.686969', 'serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]')]
2017-08-30 22:08:56,036 fail2ban.filter         [5615]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,037 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,038 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,039 fail2ban.filtersystemd  [5615]: HEAVY   [sshd] Read systemd journal entry: 2017-08-30T22:08:55.687024 serv1 sshd[5678]: Disconnecting invalid user root 175.160.63.121 port 11328: Too many authentication failures [preauth]
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY   Looking for match of [('', '2017-08-30T22:08:55.687024', 'serv1 sshd[5678]: Disconnecting invalid user root 175.160.63.121 port 11328: Too many authentication failures [preauth]')]
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY     Looking for prefregex '^(?P<mlfid>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$'
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2017-08-30 22:08:56,040 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^refused connect from \\S+ \\((?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\)\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,041 fail2ban.filter         [5615]: HEAVY     Looking for failregex "^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)) not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=(?P<user>\\S*)\\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))\\s.*(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^User (?P<user>.+) not allowed because account is locked(?: \\[preauth\\])?\\s*'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \\[preauth\\])?\\s*'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w)): 11:'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))(?: \\[preauth\\])?\\s*$'
2017-08-30 22:08:56,042 fail2ban.filter         [5615]: HEAVY     Looking for failregex '^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))'

I've been using fail2ban for ages but I don't remember ever seeing entries like this before. Is this a new "feature" or has something gone wrong?

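The HEAVY lines above are a trace of fail2ban's matching pipeline for the [sshd] jail: the timestamp is split off, the prefregex strips the "host sshd[pid]: error:" prefix, and the remainder is handed to each failregex in turn until one matches. The block below is an added example, not code from this thread or from fail2ban itself. It embeds the prefregex and two of the failregex patterns exactly as they appear in the trace (the log prints them as Python reprs, so every "\\" there is a single backslash here) and runs the two journal lines from the trace through them. It reproduces only this matching step; the per-host failure counting and the ban that fail2ban performs afterwards are not part of it.

```python
import re

# prefregex copied from the HEAVY trace in the post (the log shows Python
# reprs, so each '\\' in the log is one '\' in the pattern below).
PREFREGEX = re.compile(
    r"^(?P<mlfid>(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?"
    r"(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?"
    r"(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?"
    r"(?:\[ID \d+ \S+\]\s+)?)"
    r"(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$"
)

# The host sub-pattern fail2ban substitutes into every failregex in the trace:
# an IPv4 address, an IPv6 address, or a DNS name.
HOST = (
    r"(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?"
    r"|(?P<dns>[\w\-.^_]*\w))"
)

# Two of the failregex patterns from the trace, tried in order like fail2ban does.
FAILREGEXES = [
    # "maximum authentication attempts exceeded for <user> from <HOST> ..."
    re.compile(
        r"^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from "
        + HOST
        + r"(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?: \[preauth\])?\s*$"
    ),
    # "Disconnecting: Too many authentication failures ..."
    re.compile(
        r"^(?P<mlfforget>Disconnecting): Too many authentication failures"
        r"(?: for (?P<user>.+?))?(?: \[preauth\])?\s*"
    ),
]

# The two journal lines from the trace, as fail2ban sees them once the
# timestamp has been split off ("Looking for match of [('', '<ts>', '<line>')]").
JOURNAL_LINES = [
    "serv1 sshd[5678]: error: maximum authentication attempts exceeded for "
    "invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]",
    "serv1 sshd[5678]: Disconnecting invalid user root 175.160.63.121 port 11328: "
    "Too many authentication failures [preauth]",
]


def strip_prefix(line):
    """Apply the prefregex: return the message with the 'host sshd[pid]: error: '
    prefix removed, or None when the line is not an sshd line at all."""
    m = PREFREGEX.match(line)
    return m.group("content") if m else None


def match_failure(line):
    """Run one journal line through prefregex and then each failregex in order.
    Returns (index_of_matching_regex, {"user": ..., "host": ...}) for the first
    pattern that matches, or None when none of the embedded patterns match."""
    content = strip_prefix(line)
    if content is None:
        return None
    for idx, rx in enumerate(FAILREGEXES):
        m = rx.match(content)
        if m:
            g = m.groupdict()
            host = g.get("ip4") or g.get("ip6") or g.get("dns")
            return idx, {"user": g.get("user"), "host": host}
    return None


if __name__ == "__main__":
    for line in JOURNAL_LINES:
        print(repr(line[:60]), "->", match_failure(line))
```

Run as a script it prints the outcome for both lines: the first yields user "invalid user root" and host "175.160.63.121" from the maximum-authentication-attempts pattern; the second matches neither of the two patterns embedded here. The same check against a complete filter definition is what `fail2ban-regex <logfile> sshd` performs, which is the quicker way to confirm a jail still matches after an upgrade.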

#2 2017-08-31 03:30:20

joelk
Member
Registered: 2017-04-16
Posts: 15

Re: strange entries in fail2ban.log

This problem seems to be related to the upgrade to fail2ban ver 0.10 (I upgraded a couple of days ago but didn't look at the fail2ban log until today). I downgraded to version 0.9.7-1 and it seems to be working normally again.

Maybe there's a problem with version 0.10, or maybe some configuration changes are required to get version 0.10 to work -- but I didn't find any guidance on that.

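Every fail2ban.log entry shares one layout, and the word in the level column (HEAVY in the entries above, normally INFO or NOTICE for the "Found"/"Ban" events) is the first thing to check when the log balloons after an upgrade. The following is an added example, not code from this thread or from fail2ban: it parses that layout, counts entries per level, and pulls out the actual ban notices so that debug traces can be separated from what fail2ban did. The two HEAVY sample lines are taken from the post; the INFO and NOTICE lines are constructed for the example, using the `fail2ban.actions` logger name and level names that fail2ban prints in its own log.

```python
import re
from collections import Counter

# fail2ban.log line layout: "<date> <time>,<ms> <logger> [<pid>]: <LEVEL> <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<logger>\S+)\s+\[(?P<pid>\d+)\]: (?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)

# A ban/unban notice from the actions logger, e.g. "[sshd] Ban 192.0.2.1".
BAN_MSG = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<host>\S+)$")

# Levels below INFO: DEBUG is the standard one, HEAVY is what the thread shows.
NOISY_LEVELS = {"HEAVY", "DEBUG"}

# Constructed sample: two HEAVY lines of the kind quoted in the thread plus a
# made-up INFO "Found" line and NOTICE "Ban" line so the summary has real events too.
SAMPLE_LOG = """\
2017-08-30 22:08:56,033 fail2ban.filtersystemd  [5615]: HEAVY   [sshd-ddos] Read systemd journal entry: 2017-08-30T22:08:55.686969 serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]
2017-08-30 22:08:56,033 fail2ban.filter         [5615]: HEAVY   Looking for match of [('', '2017-08-30T22:08:55.686969', 'serv1 sshd[5678]: error: maximum authentication attempts exceeded for invalid user root from 175.160.63.121 port 11328 ssh2 [preauth]')]
2017-08-30 22:08:56,050 fail2ban.filter         [5615]: INFO    [sshd] Found 175.160.63.121
2017-08-30 22:08:56,300 fail2ban.actions        [5615]: NOTICE  [sshd] Ban 175.160.63.121
"""


def parse_log(text):
    """Parse fail2ban.log text into one dict per entry; lines that do not fit
    the layout (e.g. wrapped tracebacks) are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def level_summary(records):
    """Count entries per log level; a log dominated by HEAVY/DEBUG entries is a
    verbosity setting, not a burst of bans."""
    return Counter(r["level"] for r in records)


def debug_share(records):
    """Fraction of entries at a level below INFO."""
    if not records:
        return 0.0
    noisy = sum(1 for r in records if r["level"] in NOISY_LEVELS)
    return noisy / len(records)


def bans(records):
    """Return (jail, action, host) for every ban/unban notice, ignoring the rest."""
    out = []
    for r in records:
        if r["logger"] != "fail2ban.actions":
            continue
        m = BAN_MSG.match(r["msg"])
        if m:
            out.append((m.group("jail"), m.group("action"), m.group("host")))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("levels:", dict(level_summary(recs)))
    print("share below INFO: %.0f%%" % (100 * debug_share(recs)))
    print("bans:", bans(recs))
```

Point `parse_log` at the contents of /var/log/fail2ban.log: if most entries are HEAVY or DEBUG, the cause is the `loglevel` setting in the `[Definition]` section of fail2ban.conf (override it in fail2ban.local, e.g. `loglevel = INFO`, then restart the service); `fail2ban-client get loglevel` shows the value the running daemon is using, so the setting can be compared against what the log shows before and after an upgrade.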
