I use AllowUsers extensively on private boxes as well and had no problem
banning bad IPs.
Usually the entries you've mentioned do not appear alone:

Feb  1 20:41:15 washoe sshd[21462]: User root from 140.128.101.173 not allowed because not listed in AllowUsers
Feb  1 20:41:15 washoe sshd[21462]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.128.101.173  user=root
Feb  1 20:41:17 washoe sshd[21462]: Failed password for invalid user root from 140.128.101.173 port 34965 ssh2

The last one is caught by fail2ban's failregex.
Please confirm that it is different in your case.

The reason why I would prefer not to include a specific regex for
"User...not allowed" is that it will increase false positives: if I mix
up a login name once, it will cause 2 entries to increment the counter
for my IP...

Please have a look at your /var/log/auth.log to see if you have a similar
pattern to mine. If so, I would like to close the bug; if you have only
'User..not allowed', then we will continue resolving the "bug" :-)

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
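
The double-counting concern described in the message above, as an added example that is not part of the original message or of fail2ban's code: it runs the three quoted sshd lines through two simplified regexes and compares how many counter increments a single login attempt produces. The regexes, function names, and the maxretry value of 3 are assumptions made for illustration, not fail2ban's shipped filter.

```python
import re
from collections import Counter

# The three sshd lines quoted in the message, unwrapped (one login attempt).
SAMPLE_LOG = """\
Feb  1 20:41:15 washoe sshd[21462]: User root from 140.128.101.173 not allowed because not listed in AllowUsers
Feb  1 20:41:15 washoe sshd[21462]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.128.101.173  user=root
Feb  1 20:41:17 washoe sshd[21462]: Failed password for invalid user root from 140.128.101.173 port 34965 ssh2
"""

# Simplified stand-ins for filter rules (assumptions, not fail2ban's shipped failregex).
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
NOT_ALLOWED = re.compile(
    r"sshd\[\d+\]: User \S+ from (?P<host>\S+) not allowed because not listed in AllowUsers")


def count_failures(log_text, patterns):
    """Return a Counter of host -> number of log lines matched by any pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # a single line increments the counter at most once
    return hits


def attempts_until_ban(hits_per_attempt, maxretry):
    """Login attempts needed before the counter reaches maxretry (ceiling division)."""
    return -(-maxretry // hits_per_attempt)


if __name__ == "__main__":
    ip = "140.128.101.173"
    maxretry = 3  # hypothetical threshold chosen for this example
    single = count_failures(SAMPLE_LOG, [FAILED_PASSWORD])[ip]
    double = count_failures(SAMPLE_LOG, [FAILED_PASSWORD, NOT_ALLOWED])[ip]
    for label, hits in (("Failed password only", single),
                        ("plus 'User ... not allowed'", double)):
        print(f"{label}: {hits} hit(s) per attempt, "
              f"ban after {attempts_until_ban(hits, maxretry)} attempt(s)")
```

With both patterns active, one mistyped login name on an AllowUsers host consumes two of the three retries, so a legitimate user is banned on the second mistake instead of the third.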

