Fix fail2ban in Ubuntu 10.04

Posted Wed Jan 04 @ 10:29:24 AM PDT 2012

I installed fail2ban on my Ubuntu server, and after testing it, I determined that it wasn't actually banning anyone who tried to brute force an SSH password.

The problem is that /var/log/auth.log compresses duplicate messages. Here is a sample from my auth.log:

Jan 2 13:54:27 delta sshd[16882]: Failed password for root from 175.210.205.169 port 4303 ssh2
Jan 2 13:54:35 delta sshd[16882]: last message repeated 3 times

Notice the "repeated 3 times" part. Fail2ban isn't capable of parsing that (at least Fail2Ban v0.8.4).

To fix the problem, you need to edit /etc/rsyslog.conf and set "$RepeatedMsgReduction" to "off". That will make auth.log explicitly log the whole message again, so fail2ban can parse it.

You also need to restart the rsyslog process:

service rsyslog restart

for the change to take effect.
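To see how much the compressed lines hide in an existing auth.log, the following added example (not part of the original post, and not fail2ban's own code) counts failed SSH passwords per source IP twice: once from the lines that name the IP, and once with each "last message repeated N times" line credited to the previous message from the same sshd process. The sample log is constructed with documentation IP addresses, the regular expressions are simplified stand-ins for a real filter, and the threshold of 6 is an assumed ban threshold.

```python
import re
from collections import Counter

# Constructed sample in the auth.log format shown above (documentation IPs).
SAMPLE = """\
Jan  2 13:54:27 delta sshd[16882]: Failed password for root from 203.0.113.7 port 4303 ssh2
Jan  2 13:54:35 delta sshd[16882]: last message repeated 3 times
Jan  2 13:55:01 delta sshd[16901]: Failed password for root from 203.0.113.7 port 4410 ssh2
Jan  2 13:55:09 delta sshd[16901]: last message repeated 2 times
Jan  2 13:56:40 delta sshd[16950]: Failed password for admin from 198.51.100.20 port 5121 ssh2
"""

# timestamp, then "host program[pid]" as the message source, then the message text
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+ \S+\[\d+\]): (.*)$")
FAILED = re.compile(r"Failed password for .* from (\S+) port \d+")
REPEAT = re.compile(r"last message repeated (\d+) times?$")

def count_failures(log_text):
    """Return (visible, actual) Counters of failed logins per source IP."""
    visible, actual = Counter(), Counter()
    last_ip = {}  # source -> IP named in that source's previous message, or None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        source, msg = m.groups()
        rep = REPEAT.search(msg)
        if rep:
            # Credit the suppressed duplicates to the message they repeat.
            ip = last_ip.get(source)
            if ip:
                actual[ip] += int(rep.group(1))
            continue
        failed = FAILED.search(msg)
        last_ip[source] = failed.group(1) if failed else None
        if failed:
            visible[failed.group(1)] += 1
            actual[failed.group(1)] += 1
    return visible, actual

def hidden_offenders(log_text, threshold):
    """IPs at or over the threshold that a line-by-line count leaves under it."""
    visible, actual = count_failures(log_text)
    return sorted(ip for ip in actual if actual[ip] >= threshold > visible[ip])

if __name__ == "__main__":
    visible, actual = count_failures(SAMPLE)
    for ip in sorted(actual):
        print(f"{ip}: {visible[ip]} visible, {actual[ip]} actual")
    print("missed at threshold 6:", hidden_offenders(SAMPLE, 6))
```

Once "$RepeatedMsgReduction" is off and rsyslog has been restarted, new log entries should produce identical visible and actual counts.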
