Regex jail filter fail2ban

mo7889 (Member)

Hello,

I'm not good with regexes. The filter of my sshd jail, which is supposed to ban after authentication failures, does not work on Proxmox 9 when reading /var/log/auth.log.

The log file is being written to; here is a representative extract:

2025-09-24T18:02:52.816311+02:00 laMachine unix_chkpwd[920752]: password check failed for user (root)
2025-09-24T18:02:52.816592+02:00 laMachine sshd-session[920748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.68  user=root
2025-09-24T18:02:54.922311+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:02:55.960582+02:00 laMachine unix_chkpwd[920772]: password check failed for user (root)
2025-09-24T18:02:57.580680+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:02:59.134653+02:00 laMachine unix_chkpwd[920786]: password check failed for user (root)
2025-09-24T18:03:01.245359+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:03:02.526282+02:00 laMachine unix_chkpwd[920789]: password check failed for user (root)
2025-09-24T18:03:04.514927+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:03:06.398825+02:00 laMachine unix_chkpwd[920811]: password check failed for user (root)
2025-09-24T18:03:08.129298+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:03:09.393626+02:00 laMachine unix_chkpwd[920825]: password check failed for user (root)
2025-09-24T18:03:11.892259+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:03:13.885579+02:00 laMachine sshd-session[920748]: error: maximum authentication attempts exceeded for root from 192.168.0.68 port 54318 ssh2 [preauth]
2025-09-24T18:03:13.885677+02:00 laMachine sshd-session[920748]: Disconnecting authenticating user root 192.168.0.68 port 54318: Too many authentication failures [preauth]
2025-09-24T18:03:13.885893+02:00 laMachine sshd-session[920748]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.68  user=root
2025-09-24T18:03:13.885930+02:00 laMachine sshd-session[920748]: PAM service(sshd) ignoring max retries; 6 > 3
2025-09-24T18:04:13.088278+02:00 laMachine login: pam_unix(login:session): session opened for user root(uid=0) by root(uid=0)
2025-09-24T18:04:13.093733+02:00 laMachine systemd-logind[898]: New session 249 of user root.
2025-09-24T18:04:13.104875+02:00 laMachine login: ROOT LOGIN ON pts/1

Filter used:

# /etc/fail2ban/filter.d/sshd.conf

[Definition]

datepattern = ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2}))
failregex = ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?Failed password for (?:invalid user )?.+ from <HOST>(?: port \d+ ssh(?:2|3)?)?$
            ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?error: maximum authentication attempts exceeded for .+ from <HOST> port \d+ ssh(?:2|3)?\[preauth\]$
            ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?pam_unix\(sshd:auth\): authentication failure;.*rhost=<HOST>.*$

#ignoreregex =

The filter does not work:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use      filter file : sshd, basedir: /etc/fail2ban
Use      datepattern : ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2})) : ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2}))
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1344] ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2}))
`-

Lines: 1344 lines, 0 ignored, 0 matched, 1344 missed
[processed in 0.03 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 1344 lines
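
Added note and example (not part of the original thread). Two things in the posted filter explain "Date template hits: 1344" next to "Failregex: 0 total". First, fail2ban's configuration files interpolate variables with the %(name)s syntax, so ${datepattern} is not expanded and stays in the regex as literal text; the resulting "^$" followed by "{datepattern}" cannot match any line. Second, the timestamp must not be repeated in failregex at all: fail2ban locates the date with datepattern, cuts it out of the line, and runs failregex on what remains, which is why the stock filters begin with ^\s* (a space is left where the date was). The second rule also has a smaller bug: ssh(?:2|3)?\[preauth\] lacks the space present in "ssh2 [preauth]". The Python below re-enacts that processing on the lines from the extract, first with the filter as posted and then with a corrected definition. It is example code, not fail2ban's own: the date step is reduced to stripping one ISO 8601 timestamp at line start, and <HOST> is expanded to a simplified host pattern rather than fail2ban's full IPv4/IPv6/DNS pattern; the corrected filter is the editor's proposal, not the fix the poster applied.

```python
"""Re-enactment of how fail2ban applies a filter.d definition to log lines.

Added illustration, not fail2ban code.  Assumed simplifications: the date
step only strips one ISO 8601 timestamp at line start, and <HOST> becomes a
simplified host pattern instead of fail2ban's full IPv4/IPv6/DNS pattern.
"""
import configparser
import re

# Sample lines copied from the auth.log extract in the question; the last one
# (a successful console login) is a negative case.
SAMPLE_LOG = """\
2025-09-24T18:02:52.816311+02:00 laMachine unix_chkpwd[920752]: password check failed for user (root)
2025-09-24T18:02:52.816592+02:00 laMachine sshd-session[920748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.68  user=root
2025-09-24T18:02:54.922311+02:00 laMachine sshd-session[920748]: Failed password for root from 192.168.0.68 port 54318 ssh2
2025-09-24T18:03:13.885579+02:00 laMachine sshd-session[920748]: error: maximum authentication attempts exceeded for root from 192.168.0.68 port 54318 ssh2 [preauth]
2025-09-24T18:04:13.104875+02:00 laMachine login: ROOT LOGIN ON pts/1
"""

# The filter exactly as posted in the question.
BROKEN_FILTER = r"""
[Definition]
datepattern = ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2}))
failregex = ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?Failed password for (?:invalid user )?.+ from <HOST>(?: port \d+ ssh(?:2|3)?)?$
            ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?error: maximum authentication attempts exceeded for .+ from <HOST> port \d+ ssh(?:2|3)?\[preauth\]$
            ^${datepattern}\s+\S+\s+(?:sshd(?:-session)?\[\d+\]:\s)?pam_unix\(sshd:auth\): authentication failure;.*rhost=<HOST>.*$
"""

# Proposed replacement (editor's suggestion, not the poster's final fix):
# no timestamp in failregex, %(name)s for variables, ^\s* for the space left
# once the date is cut out, and the missing space before [preauth] restored.
FIXED_FILTER = r"""
[Definition]
_daemon = sshd(?:-session)?
_prefix = ^\s*\S+\s+%(_daemon)s\[\d+\]:\s+
failregex = %(_prefix)sFailed password for (?:invalid user )?.+? from <HOST>(?: port \d+)?(?: ssh\d*)?$
            %(_prefix)serror: maximum authentication attempts exceeded for .+? from <HOST> port \d+ ssh\d* \[preauth\]$
            %(_prefix)spam_unix\(sshd:auth\): authentication failure;.*\brhost=<HOST>(?:\s|$)
ignoreregex =
"""

# Stand-in for fail2ban's date step.  The posted datepattern produced 1344
# hits, so the timestamp is found; fail2ban then removes it before matching.
TIMESTAMP = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2})"
)
# Simplified stand-in for <HOST> (assumption: IPv4/IPv6/hostname characters).
HOST_RE = r"(?P<host>[\w.:-]+)"


def load_failregex(filter_text):
    """Parse a filter.d-style definition the way fail2ban's reader does:
    %(name)s is interpolated, anything else (such as ${name}) stays literal."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=configparser.BasicInterpolation()
    )
    parser.read_string(filter_text)
    lines = parser.get("Definition", "failregex").splitlines()
    return [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in lines if rx.strip()]


def strip_timestamp(line):
    """Return the line with its leading timestamp cut out, as fail2ban does."""
    match = TIMESTAMP.match(line)
    return line[match.end():] if match else line


def scan(log_text, failregexes):
    """Return the host captured for every log line that some failregex matches."""
    hits = []
    for line in log_text.splitlines():
        remainder = strip_timestamp(line)
        for regex in failregexes:
            match = regex.search(remainder)
            if match:
                hits.append(match.group("host"))
                break
    return hits


if __name__ == "__main__":
    for name, text in (("posted filter", BROKEN_FILTER), ("corrected filter", FIXED_FILTER)):
        hits = scan(SAMPLE_LOG, load_failregex(text))
        print(f"{name}: {len(hits)} matched line(s) {hits}")
```

Run stand-alone it reports 0 matches for the posted filter and 3 for the corrected one (the pam_unix failure, the Failed password line and the max-attempts line, all attributed to 192.168.0.68), while the unix_chkpwd and console-login lines stay unmatched. On the Proxmox host the check is the same fail2ban-regex command shown above: after editing the filter, "Failregex" should be non-zero and the missed lines should be only non-failure entries; then apply it with fail2ban-client reload sshd. Whether the sshd.conf shipped by your fail2ban package already accepts the sshd-session process name can be checked the same way against the packaged file; if you keep a custom full definition, give it its own file name under filter.d and reference it with filter = in the jail so a package update does not replace it.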

1 reply

mo7889 (Member)

I corrected my regexes; the filter works and so does the ban now.
mamiemando (Moderator)

Thanks. Feel free to post the solution you arrived at at the end of the discussion, as it could help people who come across this thread, and then mark the topic as solved.