When using "Allow/Deny Users" in sshd_config, the extra message added to syslog to indicate an invalid user increases the maxretry failure count even though a failure hasn't yet occurred.

Below is the output of a connection attempt where "maxretry" is set to 6 (which I assume means 6 failures are allowed, and the 7th failure triggers the ban). The extra lines added by sshd when an invalid user *attempts* to make a connection are marked with >>>. The result is that the IP is banned on the 5th failure (rather than the 7th).

>>> Mar 17 19:25:13 host sshd[3515]: Invalid user banana from 192.168.1.4
Mar 17 19:25:15 host sshd[3517]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:15 host sshd[3517]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:17 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:17 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:18 host sshd[3518]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:18 host sshd[3518]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:20 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:20 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:21 host sshd[3519]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:21 host sshd[3519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:23 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:23 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
>>> Mar 17 19:25:24 host sshd[3520]: Invalid user banana from 192.168.1.4
Mar 17 19:25:26 host sshd[3522]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:26 host sshd[3522]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:28 host sshd[3520]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:28 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
Mar 17 19:25:29 host sshd[3523]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:29 host sshd[3523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:31 host sshd[3520]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:31 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2

Reproducible: Always

Steps to Reproduce:
1. Set "DenyUsers" in /etc/ssh/sshd_config, then attempt to login with that user.
2. Set "maxretry 6" in the [ssh-iptables] section of /etc/fail2ban/jail.conf
3. Try to login as banned user
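The counting effect described in the report, replayed as an added example (not part of the original report and not fail2ban's code). The two regexes are simplified stand-ins written for this illustration rather than the shipped sshd filter, and `trigger=7` encodes the report's reading of "maxretry 6" (the 7th counted line bans).

```python
import re
from collections import Counter

# Log lines taken from the report above (pam_unix and "error: PAM" lines omitted).
LOG = """\
Mar 17 19:25:13 host sshd[3515]: Invalid user banana from 192.168.1.4
Mar 17 19:25:17 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:20 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:23 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:24 host sshd[3520]: Invalid user banana from 192.168.1.4
Mar 17 19:25:28 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
Mar 17 19:25:31 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
""".splitlines()

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified patterns for this example only (assumption, not fail2ban's filter).
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for .* from " + HOST + r" port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + HOST + r"\s*$")


def failures_before_ban(lines, patterns, trigger):
    """Return (host, real_failures) at the moment a host's `trigger`-th counted
    line arrives, or None if no host reaches the trigger.
    A "real failure" is a FAILED line; INVALID lines are pre-auth notices."""
    counted, real = Counter(), Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if not m:
                continue
            host = m.group("host")
            counted[host] += 1
            real[host] += int(pat is FAILED)
            if counted[host] == trigger:
                return host, real[host]
            break  # count each log line at most once
    return None


if __name__ == "__main__":
    # Counting the "Invalid user" notices: trigger reached on the 5th real failure.
    print(failures_before_ban(LOG, [INVALID, FAILED], trigger=7))
    # Counting only completed failures: 5 failures never reach the trigger.
    print(failures_before_ban(LOG, [FAILED], trigger=7))
```

Each new sshd connection emits one "Invalid user" notice before any authentication attempt, so a client that reconnects often accumulates counted lines faster than real failures.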
Please reopen this bug report if the problem persists in the current versions.