I recently installed 2 new servers with CentOS 7. I enabled fail2ban with the defaults. I made sure it is running, as ps -ax | grep fail2ban yields:
1996 ? S 0:04 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
But my nightly logs look like this:
sshd:
Authentication Failures:
root (60.173.26.165): 1070 Time(s)
root (122.225.109.208): 515 Time(s)
root (193.106.4.48): 391 Time(s)
root (122.225.109.104): 297 Time(s)
root (122.225.109.213): 286 Time(s)
root (122.225.109.219): 248 Time(s)
root (122.225.109.199): 220 Time(s)
root (113.200.114.230): 199 Time(s)
unknown (122.225.109.208): 140 Time(s)
root (122.225.109.204): 133 Time(s)
root (122.225.97.73): 131 Time(s)
root (122.225.97.70): 119 Time(s)
root (122.225.109.196): 99 Time(s)
root (61.174.50.134): 87 Time(s)
unknown (122.225.109.213): 67 Time(s)
root (122.225.97.98): 66 Time(s)
root (61.174.51.222): 65 Time(s)
unknown (122.225.109.104): 65 Time(s)
root (122.225.109.203): 64 Time(s)
unknown (122.225.109.199): 57 Time(s)
unknown (122.225.109.204): 18 Time(s)
unknown (122.225.109.196): 16 Time(s)
root (61.234.104.167): 8 Time(s)
root (80.191.81.53): 1 Time(s)
unknown (113.200.114.230): 1 Time(s)
unknown (122.225.109.219): 1 Time(s)
unknown (193.106.4.48): 1 Time(s)
unknown (91.220.131.33): 1 Time(s)
When I used denyhosts, I saw more than 2 or 3 attempts and then the IP was banned. Does this result tell me that fail2ban is not configured correctly?
EDIT (suggested by sebix)
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use maxlines : 10
Use single line : /var/log/auth.log
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
| /var/log/auth.log
Tags fail2ban