I'm trying to get Fail2Ban to block failed sudo -i commands, but the IP is not showing up in the logs. For example when I log into the server with:

ssh -i ~/.ssh/id_rsa USER@1.2.3.4

I then use:

sudo -i

to get to root. When I check the log I then find this in /var/log/secure:

May 26 06:42:35 HOSTNAME sudo: pam_unix(sudo-i:auth): authentication failure; logname=USER uid=1320 euid=0 tty=/dev/pts/1 ruser=USER rhost=  user=USER

As you can see there is no IP next to:

rhost=

I'm pretty sure if the IP was there it should be triggering this Fail2Ban rule in /etc/fail2ban/filter.d/sshd.conf:

^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

Any insights on this would be greatly appreciated.

chicks
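As an added illustration that is not part of the question or of any answer: the short Python check below reproduces the matching logic of the quoted filter line against the log entry above. The `<HOST>` expansion used is the classic one from the fail2ban 0.8/0.9 series and the `__prefix_line` part is a simplified stand-in, both of which are assumptions rather than values copied from a real `common.conf`; the `sshd` sample line is constructed. The point it makes visible is that `<HOST>` requires at least one character after `rhost=`, so a line with an empty `rhost=` can never match this regex, whatever daemon wrote it.

```python
import re

# Classic fail2ban <HOST> expansion (0.8/0.9 series). Assumption: verify with
# `fail2ban-regex` on your own version, which may use a richer <ADDR> form.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for __prefix_line: syslog timestamp, hostname, daemon
# name with optional pid, optional "pam_unix(service:auth): " tag.
# Assumption: the real common.conf prefix is more elaborate than this.
PREFIX = (r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<daemon>\S+?)(?:\[\d+\])?: "
          r"(?:pam_unix\(\S+\): )?")

# The failregex from the question with <HOST> and the prefix expanded.
FAILREGEX = re.compile(
    PREFIX
    + r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* "
    + r"ruser=\S* rhost=" + HOST + r"(?:\s+user=.*)?\s*$"
)

# The sudo line from the question (rhost is empty).
SUDO_LINE = ("May 26 06:42:35 HOSTNAME sudo: pam_unix(sudo-i:auth): "
             "authentication failure; logname=USER uid=1320 euid=0 "
             "tty=/dev/pts/1 ruser=USER rhost=  user=USER")

# Constructed sshd line of the same shape, with a remote host present.
SSHD_LINE = ("May 26 06:50:01 HOSTNAME sshd[2345]: pam_unix(sshd:auth): "
             "authentication failure; logname= uid=0 euid=0 tty=ssh "
             "ruser= rhost=203.0.113.7  user=USER")


def rhost_field(line):
    """Return the raw value PAM logged after 'rhost=' ('' when it was empty)."""
    m = re.search(r"rhost=(\S*)", line)
    return m.group(1) if m else None


def extract_host(line):
    """Apply the expanded failregex; return the <HOST> capture or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def explain(line):
    """Summarise, for one line, why fail2ban would or would not get an IP."""
    host = extract_host(line)
    if host is not None:
        return "match: ban candidate %s" % host
    raw = rhost_field(line)
    if raw == "":
        return "no match: rhost is empty, <HOST> needs at least one character"
    return "no match: line shape differs from the failregex"


if __name__ == "__main__":
    for sample in (SUDO_LINE, SSHD_LINE):
        print(explain(sample))
```

Two caveats follow from this. First, the `sudo -i` entry carries no address at all, so there is nothing for any filter to ban from that line; the address of the SSH session it came from only appears in the `sshd` entries. Second, the stock `sshd.conf` filter sets `_daemon = sshd`, so its `__prefix_line` does not match lines written by `sudo` even when an address is present; a separate filter would be needed for sudo events, and it would still face the empty `rhost=` problem shown here.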