Are you are using central syslog with your fail2ban?
Are you getting some host hits blocked while others are not ( - for ssh attacks)?
There is a patch to fix it (if it is line ending related):
The filter in /etc/fail2ban/filter.d/sshd.conf needs to have \s* added to eat up the extra white space:
That should eat up the extra white space after the "interesting" bits of the log message.
Thanks Yaroslav Halchenko for that fix!
It would seem that at least Slackware has some extra spaces before the end of the line in a syslog message for sshd auth log messages
Another thing I found while debugging is differences with rsyslog:
Thanks Jeff from kkoncepts.net!
Here is the poop (in case the link above goes away:
If you get duplicated host names in the remote syslog messages, you can define a new rsyslog format and use it for the remote host In /etc/rsyslogd.conf, add this: $template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%" In /etc/rsyslog.d/50-default.conf - change your remote line to use this new format (or rules section of rsyslogd.conf if you put it there): *.* @x.x.x.x;sysklogd Then restart rsyslog
For the central server (if running rsyslog), edit /etc/rsyslog.conf and uncomment the lines:
# provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") - or - for tcp: # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") --- older versions --- # provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 Then restart rsyslog
Yet another thing to tweak when running central syslog:
Say you have a provider that does not wan't to set up your reverse dns correctly.
You can do it yourself on the syslog host.
Here is how:
install dnsmasq add a file with your reverse mappings: (say /etc/dnsmasq-hosts) x.x.x.x hostname.domain hostname x.x.x.y hostname2.domain hostname2 Then add this line to dnsmasq: addn-hosts=/etc/dnsmasq-hosts Then add nameserver 127.0.0.1 to the top of /etc/resolv.conf to use the dnsmasq resover first - and allow you to get pretty names for hosts. Allows clean scabbing in of hostnames where you can't get the provider to do the right thing and not dirty up your /etc/hosts. This helps out epylog logging as well if parsing the hostname without the domain parts.