This isn't much of a problem, but I think it might make things easier on users trying to get this to work. fail2ban isn't set up to read syslog-ng's format for sshd logging. I don't know if these changes should be the default or not, I guess that's up to you guys. It would still be nice to include this regex commented out.

Based upon the logging documentation for syslog-ng: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=3#doc_chap4

In /etc/fail2ban.conf, change

    logfile = /var/log/secure

to

    logfile = /var/log/auth.log

then change

    failregex = Authentication failure|Failed password|Invalid user

to

    failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: illegal user)?|Illegal user|Did not receive identification) .* from (?P<host>\S*)

Got the regex from: http://www.the-art-of-web.com/system/fail2ban/#section_3

It might make sense to leave out the modification for the log file, as this is relatively simple for the user to figure out in case they might not have followed the Gentoo documentation for syslog-ng.
Created attachment 92356 [details, diff] A patch for the config changes
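The following is an added example, not code from the bug report, the attached patch or fail2ban itself. It runs the proposed failregex (and, for comparison, the original one) over a few constructed syslog-ng style sshd lines to show which failures each pattern catches, how the named (?P<host>...) group yields the source address, and how a maxretry threshold (assumed here to be 3, as fail2ban's own default may differ) turns those matches into a ban decision. The log lines and host addresses are constructed sample data.

```python
import re
from collections import Counter

# The failregex proposed in the bug report, compiled as a Python regex.
# Note the named group "host": this is what fail2ban needs to know whom to ban.
NEW_FAILREGEX = re.compile(
    r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: illegal user)?"
    r"|Illegal user|Did not receive identification) .* from (?P<host>\S*)"
)

# The original failregex from /etc/fail2ban.conf: no host group, and it misses
# the "Illegal user" and "Did not receive identification" messages.
OLD_FAILREGEX = re.compile(r"Authentication failure|Failed password|Invalid user")

# Constructed sample lines in syslog-ng's default format (sample data, not a real log).
SAMPLE_LOG = """\
Oct 12 10:15:01 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Oct 12 10:15:03 gw sshd[1235]: Failed password for root from 192.0.2.10 port 4322 ssh2
Oct 12 10:15:05 gw sshd[1236]: Illegal user test from 198.51.100.7
Oct 12 10:15:06 gw sshd[1237]: Did not receive identification string from 203.0.113.5
Oct 12 10:15:07 gw sshd[1238]: Accepted password for alice from 192.0.2.20 port 1111 ssh2
Oct 12 10:15:09 gw sshd[1239]: Failed password for invalid user admin from 192.0.2.10 port 4323 ssh2
"""


def extract_hosts(log_text):
    """Return the source host of every line the new failregex matches, in order."""
    hosts = []
    for line in log_text.splitlines():
        m = NEW_FAILREGEX.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def old_regex_misses(log_text):
    """Lines the new failregex catches but the original pattern does not."""
    return [
        line
        for line in log_text.splitlines()
        if NEW_FAILREGEX.search(line) and not OLD_FAILREGEX.search(line)
    ]


def hosts_to_ban(log_text, maxretry=3):
    """Hosts with at least maxretry failures (maxretry=3 is an assumed value)."""
    counts = Counter(extract_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("failures by host:", Counter(extract_hosts(SAMPLE_LOG)))
    print("missed by the original failregex:")
    for line in old_regex_misses(SAMPLE_LOG):
        print("  ", line)
    print("hosts to ban:", hosts_to_ban(SAMPLE_LOG))
```

The successful "Accepted password" line is correctly ignored by both patterns; the point of the new pattern is that the two reconnaissance-style messages (illegal user, no identification string) are counted and that every match carries a host to act on.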
Looks good. Have you talked to upstream about it?
Hi, there is one problem... The failregex option does not support groups in the official release. This is an addition from the Debian maintainer which was not applied upstream. I have almost completely rewritten Fail2ban and mainly work on the development branch. Group support in regexes will be supported, and a cleaner way to handle different syslog daemons, services and firewalls is already there. You can try the Subversion repository, but there is still some work to be done. And documentation too. http://svn.sourceforge.net/viewvc/fail2ban/
The proposed "failregex" is the default in 0.7.2 (which is available in Portage now). The log path depends on the user's logging daemon. Is there any standard one in Gentoo? I personally use metalog.
No standard in Gentoo. I'm closing this, as 0.7.2 is in Portage and there is no default logger in Gentoo.