fail2ban's regex for "POSSIBLE BREAK-IN ATTEMPT" isn't quite matching sshd's output. I know that it's incorrect for openssh 5.1 at least; I assume the message changed somewhere prior to 5.1.

fail2ban's regex is:

  Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT

And sshd says:

  reverse mapping checking getaddrinfo for <hostname> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!

I don't think upstream has hit this yet, but Debian has encountered it (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512193) and the fix is in their bugtracker. I'll attach their fix here as well.

Reproducible: Always

Steps to Reproduce:
1. Run fail2ban >= 0.8.2 and openssh >= 5.1
2. Make sshd emit a "POSSIBLE BREAK-IN ATTEMPT!" message

Actual Results: fail2ban fails to ban the offending host. :-)

Expected Results: fail2ban should ban the host causing sshd to emit the above message.
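The mismatch can be checked offline without a running sshd. The following is an added example, not code from the bug report or from fail2ban itself: it expands a fail2ban-style failregex (with a simplified stand-in for the <HOST> token, which is an assumption; real fail2ban uses a broader host pattern) and runs both the old regex and a candidate regex shaped like the sshd message quoted above over constructed sample log lines. It goes one step beyond the report by keeping the old "Address ... maps to ..." pattern alongside the new one, since sshd has more than one "POSSIBLE BREAK-IN ATTEMPT!" message and a filter that only matches one of them still misses hosts.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion is wider, e.g. it also admits hostnames and IPv6-mapped prefixes).
# Only the named group "host" matters for the demonstration.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex shipped in fail2ban's sshd.conf as quoted in the report.
OLD_PATTERN = r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT"

# Candidate regex shaped after the sshd message quoted in the report.
# Hypothetical wording; not copied from any fail2ban release.
NEW_PATTERN = (r"reverse mapping checking getaddrinfo for \S+ \[<HOST>\] failed"
               r" - POSSIBLE BREAK-IN ATTEMPT!")

# Constructed sample log lines (not real captures): one of each sshd wording
# and one benign line that must never match.
SAMPLE_LOG = [
    "Feb  3 12:00:01 gw sshd[1234]: reverse mapping checking getaddrinfo for "
    "evil.example.net [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb  3 12:00:02 gw sshd[1235]: Address 192.0.2.11 maps to "
    "badhost.example.net, but this does not map back to the address"
    " - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb  3 12:00:03 gw sshd[1240]: Accepted publickey for alice from "
    "192.0.2.12 port 50000 ssh2",
]


def compile_failregex(pattern):
    """Expand the <HOST> token the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def banned_hosts(patterns, lines):
    """Return the host captured by the first failregex matching each line,
    in log order; lines matching no pattern contribute nothing."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("old regex only :", banned_hosts([OLD_PATTERN], SAMPLE_LOG))
    print("new regex only :", banned_hosts([NEW_PATTERN], SAMPLE_LOG))
    print("both regexes   :", banned_hosts([OLD_PATTERN, NEW_PATTERN], SAMPLE_LOG))
```

The old regex never sees 192.0.2.10 because the newer sshd wording does not begin with "Address", while the candidate regex alone would drop the older wording; a filter carrying both lines in failregex bans both hosts and still ignores the benign "Accepted publickey" line.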
Created attachment 183217: Fix sshd.conf regex
Reassigning to netmon herd.
0.8.3 is no longer on tree
Still relevant for 0.8.4.
+*fail2ban-0.8.4-r1 (05 Nov 2010) + + 05 Nov 2010; Markos Chandras <hwoarang@gentoo.org> + +files/fail2ban-0.8.4-hashlib.patch, files/fail2ban-logrotate, + +fail2ban-0.8.4-r1.ebuild, +files/fail2ban-0.8.4-sshd-breakin.patch: + Bugfix revision. Fixes bug 260337,283629,301139,315073,343955. Thanks to + Robert Trace <bugzilla-gentoo@farcaster.org>, Harley Peters + <harley@thepetersclan.com> for the patches. +
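Review bot: the entry adding files/fail2ban-0.8.4-sshd-breakin.patch credits the patch to the two contributors but does not record that the regex fix originates from Debian bug #512193, as the bug report states; adding that pointer to the ChangeLog line (or to the patch header) would tell whoever rebases the patch onto a later fail2ban where to look for the upstream status of the fix.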