What is 'Found' in Fail2Ban Log File?


The Found xxx.xxx.xxx.xxx message means that the fail2ban filter found a line that matches failregex in the given filter/jail logfile.

For example if the log shows

2016-03-16 15:35:51,527 fail2ban.filter         [1986]: INFO    [sshd] Found 1.2.3.4
2016-03-16 15:35:51,817 fail2ban.filter         [1986]: INFO    [sshd] Found 1.2.3.4
2016-03-16 15:35:52,537 fail2ban.actions        [1986]: NOTICE  [sshd] Ban 1.2.3.4

The first two Found lines mean that IP address 1.2.3.4 was found 2 times in the given sshd log (e.g. /var/log/auth.log) and that the entry in the logfile matches failregex in the filter /etc/fail2ban/filter.d/sshd.conf

As I have configured it to ban after 2 failed ssh attempts, the 3rd line shows that IP 1.2.3.4 has been banned after those 2 found occurrences.

How I found out about this:

In the python sources of fail2ban (in Debian this is in /usr/lib/python3/dist-packages/fail2ban/) do this:

cd /usr/lib/python3/dist-packages/fail2ban/

grep -r "\[%s\] Found" *

In the python file "server/filter.py" on line 937 you find the corresponding log function:

def processLineAndAdd(self, line, date=None):
  [..]
  logSys.info("[%s] Found %s" % (self.jail.name, ip))
  [..]
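The Found/Ban sequence described above, modelled as an added example (not code from fail2ban or from this answer): two of the failregex patterns quoted on this page are applied to constructed auth.log lines, each match produces a Found event, and a Ban follows once an IP reaches maxretry matches inside findtime. The simplified syslog prefix, the IPv4-only <HOST> group and the timestamps are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for the sshd filter: two of the failregex patterns quoted
# on this page, with <HOST> replaced by a named group and %(__prefix_line)s by a
# simplified syslog prefix (both are assumptions made for this example).
PREFIX = r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd\[\d+\]:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(PREFIX + r"Failed \S+ for .*? from " + HOST + r"(?: port \d*)?(?: ssh\d*)?"),
    re.compile(PREFIX + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$"),
]

def run_jail(lines, maxretry=2, findtime=600):
    """Replay (timestamp, auth-log line) pairs through a model of one jail:
    each failregex match yields ("Found", ip); maxretry matches within
    findtime seconds add ("Ban", ip), mirroring the log sequence quoted above."""
    hits = {}       # ip -> timestamps of matches still inside the findtime window
    banned = set()
    events = []
    for ts, text in lines:
        for rx in FAILREGEX:
            m = rx.search(text)
            if not m:
                continue
            ip = m.group("host")
            events.append(("Found", ip))
            window = [t for t in hits.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
            window.append(ts)
            hits[ip] = window
            if len(window) >= maxretry and ip not in banned:
                banned.add(ip)
                events.append(("Ban", ip))
            break   # one Found per log line, even if several patterns would match
    return events

# Constructed auth.log excerpt: 5.6.7.8 fails twice 20 minutes apart (outside the
# default findtime), 1.2.3.4 fails twice within a second, then a legitimate login.
SAMPLE = [
    (datetime(2016, 3, 16, 15, 0, 0), "Mar 16 15:00:00 host sshd[2201]: Failed password for root from 5.6.7.8 port 4410 ssh2"),
    (datetime(2016, 3, 16, 15, 20, 0), "Mar 16 15:20:00 host sshd[2205]: Failed password for root from 5.6.7.8 port 4412 ssh2"),
    (datetime(2016, 3, 16, 15, 35, 51), "Mar 16 15:35:51 host sshd[2211]: Failed password for root from 1.2.3.4 port 4455 ssh2"),
    (datetime(2016, 3, 16, 15, 35, 51), "Mar 16 15:35:51 host sshd[2212]: Invalid user admin from 1.2.3.4"),
    (datetime(2016, 3, 16, 15, 36, 10), "Mar 16 15:36:10 host sshd[2213]: Accepted publickey for deploy from 10.0.0.7 port 5011 ssh2"),
]

if __name__ == "__main__":
    for kind, ip in run_jail(SAMPLE):
        print("[sshd] %s %s" % (kind, ip))
```

Raising findtime to 3600 makes 5.6.7.8's two Found entries fall into one window and it is banned as well, which is the knob to check when Found lines accumulate without a Ban.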

Author: nmax

I'm an instructor at Palm Beach Atlantic University, in a field unrelated to technology. But over the years I've worked in various tech jobs, most recently serving as an instructional designer for online courses at PBA. With lots to do and little time to do it, I have found PHP, jQuery and HTML/CSS great tools for building and maintaining larger sets of instructional content.

Updated on September 18, 2022

Comments

  • nmax
    nmax over 1 year

    I have multiple instances like the following in /var/log/fail2ban.log:

    2015-12-27 14:31:21,949 fail2ban.filter         [1020]: INFO    [sshd] Found ###.###.###.###
    

    (Where # substitutes for a diversity of IP addresses.)

    What exactly is the meaning of this log entry? Particularly, what does Found denote?

    I searched here and http://www.fail2ban.org for an explanation of the log file. If I've missed an obvious information source for this question, my apologies - please point me in the right direction.

    Here is the config for FailRegex in /etc/fail2ban/filter.d/sshd.config:

    failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(,$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Co$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authe$
            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST$
    
    • Frank Thomas
      Frank Thomas over 8 years
      in filter.d/sshd.conf, what is your FailRegex? fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
    • nmax
      nmax over 8 years
      (Added the FailRegex to the original post.)
    • cybernard
      cybernard over 8 years
      ssh is the hackers' favorite first choice, according to my logs 10 to 1. It is likely one of these connecting to your system. I have over 10,000 IPs just for ssh.
    • Frank Thomas
      Frank Thomas over 8 years
      do any of the other regex patterns in the filter.d/sshd.conf contain the word 'Found'?
    • nmax
      nmax over 8 years
      Curiously, the string 'Found' does not appear in sshd.conf or any file within /etc/fail2ban. @cybernard I definitely agree; the problem is that fail2ban is already banning ssh attempts, and password-based ssh is disabled on the system (key-based ssh only).
    • minni
      minni about 8 years
      The "Found xxx.xxx.xxx.xxx" message means, that the fail2ban filter found a line that matches failregex in the given filter/jail logfile.
  • nmax
    nmax about 5 years
    I know it's been a long time since this reply was posted, but I just came back to it again. It's such a lucid, complete response - thanks.