On Tue, Nov 08, 2011 at 01:01:23PM +0100, a...@old-forest.org wrote:
> On this (hopefully quite generic) system a log line looks:
> Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=fnord
>
> The time given is in UTC, localtime is UTC+1. Fail2ban seems to interpret the
> time stamp as localtime and given the value of 'findtime' of 600 will never
> find any logentry.
>
> My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
> A nicer approach would be to make a time offset settable.

I also ran into this issue. A different workaround is

    echo "export TZ=UTC" >> /etc/default/fail2ban

Since it took me quite some time to notice this issue, let me propose the
following extension: In processLineAndAdd you already (debug) log when a
line gets ignored due to the findtime setting. I propose adding a flag to
processLineAndAdd that indicates whether it was called due to a poll or
during program startup. Since all polling modes either immediately notice
changes or take at most 1 second, this ignoring can (in theory) never
happen during polling. So I suggest to emit a warning in this case. I
believe that a warning is warranted when a poller takes more than findtime
seconds to report new messages.

The advantage is that now fail2ban spams my log when I have misconfigured
it and chances are that I'll notice.

Helmut
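
Added example (not part of the original mails and not fail2ban's own code): a small Python model of the findtime check discussed in this thread, showing why the UTC stamp read as UTC+1 falls outside findtime=600 and how a poll/startup flag can turn the silent drop into a warning. The names parse_syslog, classify and from_poll are hypothetical, and the "current time" is constructed as two seconds after the quoted log line.

```python
from datetime import datetime, timedelta, timezone

FINDTIME = 600  # seconds, the value quoted in the report


def parse_syslog(stamp, year, assumed_tz):
    """Parse a year-less syslog stamp and attach the zone the reader assumes."""
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def classify(stamp, now, assumed_tz, from_poll, findtime=FINDTIME):
    """Return (age_seconds, verdict) for one log line.

    verdict is 'counted', 'ignored' (old line read at startup, expected) or
    'ignored-warn' (old line seen while polling: clock or zone is suspect).
    """
    age = (now - parse_syslog(stamp, now.year, assumed_tz)).total_seconds()
    if age <= findtime:
        return age, "counted"
    # A poller delivers lines within about a second, so a line older than
    # findtime during polling points at a misread timestamp, not a backlog.
    return age, "ignored-warn" if from_poll else "ignored"


# Constructed scenario: the line from the report, seen 2 s after it was written.
STAMP = "Nov 8 11:19:38"                       # written in UTC by syslog
NOW = datetime(2011, 11, 8, 11, 19, 40, tzinfo=timezone.utc)
LOCAL = timezone(timedelta(hours=1))           # the host's localtime, UTC+1

if __name__ == "__main__":
    cases = [
        ("stamp read as localtime, polling", LOCAL, True, FINDTIME),
        ("stamp read as localtime, startup", LOCAL, False, FINDTIME),
        ("findtime raised to 4600", LOCAL, True, 4600),
        ("TZ=UTC exported", timezone.utc, True, FINDTIME),
    ]
    for label, tz, poll, ft in cases:
        age, verdict = classify(STAMP, NOW, tz, poll, ft)
        print(f"{label:34s} age={age:6.0f}s findtime={ft:4d} -> {verdict}")
```

The apparent age is the real age plus the 3600 s zone offset, which is why both workarounds in the thread (findtime 4600, or TZ=UTC) make the line count again.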