keeping the barbarians out

Posted by feas 
August 02, 2016 09:32PM
I have been having a problem getting fail2ban to read my log file so it can block unauthorized ssh attempts due to the log format.

Jul 31 03:29:45 deb-pogo auth.info sshd[2753]: Did not receive identification string from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: reverse mapping checking getaddrinfo for 163-172-198-246.rev.poneytelecom.eu [163.172.198.246] fai$
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: Invalid user admin from 163.172.198.246
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: input_userauth_request: invalid user admin [preauth]
Jul 31 03:29:46 deb-pogo authpriv.warn sshd[2754]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 03:29:46 deb-pogo authpriv.notice sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.$
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin from 163.172.198.246 port 62295 ssh2
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Received disconnect from 163.172.198.246: 11: Closed due to user request. [preauth]

It has a problem with auth.info, authpriv.notice and authpriv.warn to be specific. I have not had any luck with modifying the "_prefix_line" variable in common.conf nor the regex in sshd.conf in the fail2ban/filter.d directory to deal with these additional strings.

Does anyone else have fail2ban working properly, or do you use something else to keep the barbarians from the door?
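The following is an added example, not code from the posters or from fail2ban, showing what the filter has to cope with: a regex that tolerates the extra syslog facility.priority field (auth.info, authpriv.warn, ...) between the hostname and sshd[pid], plus a counter that applies the same threshold as the iptables rule later in the thread (4 hits within 604800 seconds). The log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the same shape as the first post:
# "<Mon> <day> <time> <host> <facility.priority> sshd[<pid>]: <message>"
SAMPLE_LOG = """\
Jul 31 03:29:45 deb-pogo auth.info sshd[2754]: Invalid user admin from 203.0.113.7
Jul 31 03:29:48 deb-pogo auth.info sshd[2754]: Failed password for invalid user admin from 203.0.113.7 port 62295 ssh2
Jul 31 03:30:02 deb-pogo auth.info sshd[2760]: Failed password for invalid user admin from 203.0.113.7 port 62301 ssh2
Jul 31 03:30:15 deb-pogo auth.info sshd[2764]: Failed password for root from 203.0.113.7 port 62310 ssh2
Jul 31 03:31:40 deb-pogo auth.info sshd[2770]: Failed password for invalid user test from 203.0.113.7 port 62330 ssh2
Jul 31 04:10:11 deb-pogo auth.info sshd[2801]: Failed password for alice from 198.51.100.4 port 50112 ssh2
Jul 31 04:10:20 deb-pogo auth.info sshd[2801]: Accepted password for alice from 198.51.100.4 port 50112 ssh2
"""

# The optional "(?:[a-z]+\.[a-z]+\s+)?" group is the piece a stock prefix
# pattern lacks for this log: it consumes "auth.info", "authpriv.warn", etc.
# Lines without that field (plain "host sshd[pid]:") still match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?:[a-z]+\.[a-z]+\s+)?"
    r"sshd\[\d+\]:\s+"
    r"(?P<msg>.*)$"
)

# Failure messages worth counting: invalid-user probes and failed passwords.
FAIL_RE = re.compile(
    r"^(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        f = FAIL_RE.match(m.group("msg")) if m else None
        if not f:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, f.group("ip")

def offenders(log_text, maxretry=4, window_seconds=604800, year=2016):
    """Return {ip: hits} for sources reaching maxretry failures inside a sliding
    window, the same policy as the thread's recent-module iptables rule."""
    hits, banned = defaultdict(list), {}
    for ts, ip in sorted(parse_failures(log_text, year)):
        hits[ip] = [t for t in hits[ip] + [ts] if (ts - t).total_seconds() <= window_seconds]
        if len(hits[ip]) >= maxretry:
            banned[ip] = len(hits[ip])
    return banned
```

The year argument exists because syslog timestamps carry none; year-end rollover is not handled here.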
Re: keeping the barbarians out
August 03, 2016 12:15PM
To keep automated bots from spamming my logs I usually keep SSH and other services (if applicable) on arbitrarily high ports.

Say SSH isn't on port 22, but for example on port 2423242 (random number by mashing keys).

This requires me to specify the port manually when connecting to the server, but it is easy and I have the ports written down so I don't forget them. http://www.cyberciti.biz/tips/setup-ssh-to-run-on-a-non-standard-port.html

Bots rarely if ever try non-standard ports, as trying thousands of ports per host would murder their performance by A LOT.
Re: keeping the barbarians out
August 08, 2016 05:17PM
Well, I have not been able to get fail2ban or sshguard to work with the log files to block failed access attempts. I have made several attempts at modifying the regex for fail2ban and even checked it against a web regex checker, where it works, but fail2ban still will not block the attempts with the added auth* string in the log files.

What I have done is make some new iptables rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 604800 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255

It seems to be working so far, or by coincidence the attackers have quit after 3 attempts.

I would still like to figure out how to get fail2ban to work, as it did a nice job on my laptop when I had it accessible from the Internet. I will update if I figure it out.