1) Create a new filter config file ajenti-auth.conf....
Step A: Run the below command
sudo vi /etc/fail2ban/filter.d/ajenti-auth.conf
Step B: Copy the below and paste inside the above file
# Fail2Ban filter for ajenti
[INCLUDES]
before = common.conf

[Definition]
_daemon = ajenti
failregex = ^%(__prefix_line)sfailed login attempt for .* through .* from <HOST>\s*$
2) Add the jail settings to the end of the jail.local file...
sudo vi /etc/fail2ban/jail.local
Step B: Copy the below and paste inside the above file at the end
[ajenti-auth]
enabled = true
port = 8000
filter = ajenti-auth
logpath = /var/log/auth.log
maxretry = 3
3) Restart the service...
Step A: Run the below command
sudo service fail2ban restart
I just attempted to test this filter with ajenti.. I don't seem to see the entries in /var/log/auth.log. Is there some config that needs to be enabled in ajenti's config.json to enable syslogging?
No, nothing is added to the config.json file. The above is implemented and tested on Ubuntu 14.04 and Ajenti v220.127.116.11
Here is an example of the logs from a server:
Jul 28 00:55:23 localhost ajenti: failed login attempt for root ("fail") through AjentiSyncProvider from X.X.X.X
Jul 28 00:55:37 localhost ajenti: user root logged in through AjentiSyncProvider from X.X.X.X
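An added example, not part of the thread and not fail2ban's own code: a small Python check of the failregex above against constructed log lines in the format just shown, counting failures per host against maxretry = 3. The PREFIX, HOST and TIMESTAMP patterns are simplified stand-ins (assumptions) for what fail2ban expands from common.conf and <HOST>, and the addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# Simplified stand-in for %(__prefix_line)s (assumption: optional hostname,
# then the _daemon tag "ajenti" with an optional [pid]).
PREFIX = r"\s*(?:\S+\s+)?ajenti(?:\[\d+\])?:?\s+"
# Simplified stand-in for <HOST>: IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the post with both placeholders expanded.
FAILREGEX = re.compile(
    "^" + PREFIX + r"failed login attempt for .* through .* from " + HOST + r"\s*$"
)
# fail2ban removes the timestamp it recognises before applying failregex;
# this handles only the classic syslog "Mon DD HH:MM:SS" form.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}")
MAXRETRY = 3  # same value as the [ajenti-auth] jail


def failed_host(line):
    """Return the source address of a failed Ajenti login line, else None."""
    m = FAILREGEX.match(TIMESTAMP.sub("", line, count=1))
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime window ignored)."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines; 203.0.113.5, 198.51.100.7 and 192.0.2.9 are placeholders.
P = "AjentiSyncProvider"
SAMPLE_LOG = [
    f'Jul 28 00:55:23 localhost ajenti: failed login attempt for root ("fail") through {P} from 203.0.113.5',
    f'Jul 28 00:55:25 localhost ajenti: failed login attempt for admin ("fail") through {P} from 203.0.113.5',
    f'Jul 28 00:55:29 localhost ajenti: failed login attempt for root ("x") through {P} from 203.0.113.5',
    # Successful login: must not count as a failure.
    f'Jul 28 00:55:37 localhost ajenti: user root logged in through {P} from 198.51.100.7',
    f'Jul 28 00:56:02 localhost ajenti: failed login attempt for root ("x") through {P} from 198.51.100.7',
    # User-supplied text that itself contains "from <address>": the trailing
    # \s*$ anchor keeps the match on the address the daemon wrote last.
    f'Jul 28 00:56:10 localhost ajenti: failed login attempt for a through b from 192.0.2.9 ("x") through {P} from 198.51.100.7',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(failed_host(entry), "<-", entry)
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/ajenti-auth.conf` runs the real filter against the real log and reports how many lines matched.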