HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


sobers_2002 6th July 2013 09:21

Fail2ban regex works but no ban
 
Hi All,

I am running a Debian wheezy (Raspbian) server on a Raspberry Pi with the latest updates in.

The issue at hand is that I am unable to get fail2ban to 'work'. The regex seems to work fine, as shown below:

Code:

:~# fail2ban-client status nginx-login
Status for the jail: nginx-login
|- filter
|  |- File list:        /var/log/*.access.log
|  |- Currently failed: 7
|  `- Total failed:    7
`- action
  |- Currently banned: 0
  |  `- IP list:
  `- Total banned:    0

and

Code:

:~# fail2ban-regex /var/log/nginx/*.access.log /etc/fail2ban/filter.d/nginx-login.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/nginx-login.conf
Use log file  : /var/log/nginx/*.access.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> -.*POST .*login.* HTTP/1\.." 200
|
`- Number of matches:
  [1] 92 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]

--here is a long list of IP addresses (92 nos. as seen below)--

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
2130 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 92

However, look at the above section 'Running tests' which could contain important
information.

The excerpt from the fail2ban log is as below:

Code:

2013-07-06 02:20:59,662 fail2ban.filter : INFO  Set maxRetry = 3
2013-07-06 02:20:59,686 fail2ban.filter : INFO  Set findtime = 7200
2013-07-06 02:20:59,694 fail2ban.actions: INFO  Set banTime = 86400
2013-07-06 02:20:59,790 fail2ban.jail  : INFO  Creating new jail 'nginx-proxy'
2013-07-06 02:20:59,792 fail2ban.jail  : INFO  Jail 'nginx-proxy' uses Gamin
2013-07-06 02:20:59,808 fail2ban.filter : INFO  Added logfile = /var/log/nginx*
2013-07-06 02:20:59,881 fail2ban.filter : INFO  Set maxRetry = 3
2013-07-06 02:20:59,905 fail2ban.filter : INFO  Set findtime = 7200
2013-07-06 02:20:59,913 fail2ban.actions: INFO  Set banTime = 86400
2013-07-06 02:21:00,018 fail2ban.jail  : INFO  Jail 'ssh' started
2013-07-06 02:21:00,133 fail2ban.jail  : INFO  Jail 'nginx-auth' started
2013-07-06 02:21:00,244 fail2ban.jail  : INFO  Jail 'nginx-login' started
2013-07-06 02:21:00,463 fail2ban.jail  : INFO  Jail 'nginx-badbots' started
2013-07-06 02:21:00,663 fail2ban.jail  : INFO  Jail 'nginx-noscript' started
2013-07-06 02:21:01,013 fail2ban.jail  : INFO  Jail 'nginx-proxy' started

The important regex (nginx-login) in question above is to prevent automated login attempts to WordPress.

I can't ever see any ban happening here in this log file. For reference, I am running a read-only root system.
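
An added diagnostic sketch, not part of the original post and not fail2ban's own code: fail2ban-regex counts every matching line in the file, while a jail bans a host only when that one host reaches maxretry matches within findtime seconds. It applies the failregex from the post to constructed log lines, assuming the nginx-login jail uses the maxRetry = 3 and findtime = 7200 values shown in the log excerpt and a simplified IPv4-only expansion of `<HOST>`; `would_ban` and `SAMPLE_LOG` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from the post. <HOST> is expanded to a simplified IPv4 group
# (assumption: fail2ban's own expansion also accepts hostnames and IPv6).
FAILREGEX = r'^<HOST> -.*POST .*login.* HTTP/1\.." 200'
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# Day/MONTH/Year:Hour:Minute:Second, the date template that got hits above.
# The UTC offset is ignored because every sample line uses the same one.
STAMP = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})')

# Constructed sample lines in nginx access-log format (documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jul/2013:00:00:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
    '198.51.100.7 - - [06/Jul/2013:01:30:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.5 - - [06/Jul/2013:02:30:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
    '192.0.2.9 - - [06/Jul/2013:02:30:30 +0200] "GET /wp-login.php HTTP/1.1" 200 2810',
    '203.0.113.5 - - [06/Jul/2013:02:30:40 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
    '192.0.2.9 - - [06/Jul/2013:02:31:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [06/Jul/2013:02:31:10 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
    '198.51.100.7 - - [06/Jul/2013:03:00:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3421',
]

def would_ban(lines, maxretry=3, findtime=7200):
    """Return {ip: datetime} for hosts reaching maxretry matches within findtime seconds."""
    pattern = re.compile(FAILREGEX.replace('<HOST>', HOST))
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # per-host timestamps still inside the window
    banned = {}
    for line in lines:
        m, ts = pattern.search(line), STAMP.search(line)
        if not (m and ts):
            continue             # GET requests and non-200 replies do not count
        when = datetime.strptime(ts.group(1), '%d/%b/%Y:%H:%M:%S')
        ip = m.group('host')
        # Drop this host's failures that are older than findtime, then add the new one.
        recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = when
    return banned

if __name__ == '__main__':
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f'{ip} reaches maxretry at {when}')
```

In the sample, 198.51.100.7 produces three matching lines but never three inside one two-hour window, so it adds to the match total without reaching the ban threshold.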


All times are GMT +2.