SSH Fail2ban jail does not read /var/log/secure

Created: 2016-12-30 22:08:21 UTC

Modified: 2017-08-08 13:28:32 UTC


Applicable to:

  • Plesk Onyx for Linux

Symptoms

  • Fail2ban does not ban an IP address after many failed SSH authorization attempts. The failed login attempts are correctly written to /var/log/secure, but Fail2ban does not pick them up and nothing about them appears in /var/log/fail2ban.log.
  • SSH is configured to use password-based authentication, not key-based.
  • Every new failed login attempt is logged to /var/log/secure with a timestamp that differs from the actual system time:
    # tail -1  /var/log/secure
    Jan  1 16:51:40 sshd[16856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root
    # date
    Sun Jan  1 18:51:43 SAST 2017

Cause

The rsyslog process is hung.

Resolution

Restart the rsyslog process:

# systemctl restart rsyslog.service

After that, new entries should be written to /var/log/secure with the actual system time:

# tail -2  /var/log/secure
Jan  1 16:54:19 sshd[16928]: PAM service(sshd) ignoring max retries; 6 > 3
Jan  1 18:54:24 sshd[16940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root
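
The timestamp lag from the Symptoms section can be checked with a short script. This is an added example, not part of the original article: it compares the timestamp of a /var/log/secure entry with the system time, which matters because Fail2ban only counts failures whose log timestamp falls inside its findtime window. The function names are hypothetical, and the 600-second threshold is an assumption (a common findtime value); set it to match your jail.

```sh
#!/bin/sh
# Added example: detect the timestamp lag described in the Symptoms section.
# Requires GNU date (-d), as found on the Linux systems this article covers.

# Assumption: 600 s is a common Fail2ban findtime; adjust to your jail.
MAX_SKEW=${MAX_SKEW:-600}

# syslog_skew LINE NOW_EPOCH [YEAR]
# Prints NOW_EPOCH minus the epoch of the line's "Mon dd HH:MM:SS" prefix.
# Traditional syslog timestamps carry no year, so one must be supplied.
syslog_skew() {
    _now=$2
    _year=${3:-$(date +%Y)}
    # Split only the fixed-width 15-character timestamp, not the whole line.
    set -- $(printf '%s' "$1" | cut -c1-15)
    [ $# -eq 3 ] || return 2
    _entry=$(date -d "$1 $2 $_year $3" +%s 2>/dev/null) || return 2
    echo $(( _now - _entry ))
}

# skew_ok LINE NOW_EPOCH [YEAR]
# Returns 0 when the entry is within MAX_SKEW seconds of NOW_EPOCH,
# 1 when it lags or leads by more, 2 when the timestamp cannot be parsed.
skew_ok() {
    _skew=$(syslog_skew "$@") || return 2
    [ "$_skew" -lt 0 ] && _skew=$(( 0 - _skew ))
    [ "$_skew" -le "$MAX_SKEW" ]
}

# Constructed check using the log line and `date` output quoted in this article.
sample='Jan  1 16:51:40 sshd[16856]: pam_unix(sshd:auth): authentication failure; rhost=10.10.10.10  user=root'
now=$(date -d 'Jan 1 2017 18:51:43' +%s)
if skew_ok "$sample" "$now" 2017; then
    echo "timestamps current"
else
    echo "log lags system time by $(syslog_skew "$sample" "$now" 2017) s: check rsyslog"
fi

# On a live host: skew_ok "$(tail -n 1 /var/log/secure)" "$(date +%s)"
```

A non-zero return from skew_ok on a live host, while sshd is actively logging, points at the logging daemon rather than at the Fail2ban jail configuration.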