6th July 2013, 10:21
sobers_2002
Fail2ban regex works but no ban

Hi All,

I am running a Debian Wheezy (Raspbian) server on a Raspberry Pi with the latest updates in.

The issue at hand is that I am unable to get fail2ban to 'work'. The regex seems to work fine, as shown below:

Code:
:~# fail2ban-client status nginx-login
Status for the jail: nginx-login
|- filter
|  |- File list:        /var/log/*.access.log 
|  |- Currently failed: 7
|  `- Total failed:     7
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

and

Code:
:~# fail2ban-regex /var/log/nginx/*.access.log /etc/fail2ban/filter.d/nginx-login.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/nginx-login.conf
Use log file   : /var/log/nginx/*.access.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> -.*POST .*login.* HTTP/1\.." 200
|
`- Number of matches:
   [1] 92 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]

--here is a long list of IP addresses (92 nos. as seen below)--

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
2130 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 92

However, look at the above section 'Running tests' which could contain important
information.

The excerpt from the fail2ban log is as below:

Code:
2013-07-06 02:20:59,662 fail2ban.filter : INFO   Set maxRetry = 3
2013-07-06 02:20:59,686 fail2ban.filter : INFO   Set findtime = 7200
2013-07-06 02:20:59,694 fail2ban.actions: INFO   Set banTime = 86400
2013-07-06 02:20:59,790 fail2ban.jail   : INFO   Creating new jail 'nginx-proxy'
2013-07-06 02:20:59,792 fail2ban.jail   : INFO   Jail 'nginx-proxy' uses Gamin
2013-07-06 02:20:59,808 fail2ban.filter : INFO   Added logfile = /var/log/nginx*
2013-07-06 02:20:59,881 fail2ban.filter : INFO   Set maxRetry = 3
2013-07-06 02:20:59,905 fail2ban.filter : INFO   Set findtime = 7200
2013-07-06 02:20:59,913 fail2ban.actions: INFO   Set banTime = 86400
2013-07-06 02:21:00,018 fail2ban.jail   : INFO   Jail 'ssh' started
2013-07-06 02:21:00,133 fail2ban.jail   : INFO   Jail 'nginx-auth' started
2013-07-06 02:21:00,244 fail2ban.jail   : INFO   Jail 'nginx-login' started
2013-07-06 02:21:00,463 fail2ban.jail   : INFO   Jail 'nginx-badbots' started
2013-07-06 02:21:00,663 fail2ban.jail   : INFO   Jail 'nginx-noscript' started
2013-07-06 02:21:01,013 fail2ban.jail   : INFO   Jail 'nginx-proxy' started

The important regex (nginx-login) in question above is to prevent automated login attempts to WordPress.

I can't ever see any ban happening here in this log file. For reference, I am running a read-only root system.
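For checking a jail like this one offline, here is an added example (not part of the original post and not fail2ban's own code) that replays access-log lines through the posted failregex and a simplified per-host maxRetry/findtime counter, showing that a failure total above maxRetry does not imply any single host reached it. The IPv4 stand-in for `<HOST>`, the function names and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the post; <HOST> is replaced by a simplified IPv4 group (assumption).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*POST .*login.* HTTP/1\.." 200')
# nginx timestamp: the "Day/MONTH/Year:Hour:Minute:Second" template with hits in the post.
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def replay(lines, maxretry=3, findtime=7200):
    """Return (failures per host, {host: time the threshold was first reached})."""
    totals, window, reached = defaultdict(int), defaultdict(deque), {}
    for line in lines:
        hit, stamp = FAILREGEX.search(line), STAMP.search(line)
        if not (hit and stamp):
            continue
        host = hit.group("host")
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S")
        totals[host] += 1
        recent = window[host]
        recent.append(when)
        # Drop failures older than findtime seconds relative to this one.
        while (when - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            reached.setdefault(host, when)
    return dict(totals), reached

def entry(host, hhmm, request="POST /wp-login.php", status=200):
    """Build one constructed access-log line in nginx's default combined layout."""
    return f'{host} - - [06/Jul/2013:{hhmm}:00 +0000] "{request} HTTP/1.1" {status} 3512 "-" "-"'

# Constructed sample: 7 matching lines from 3 hosts, plus 2 lines that must not match.
SAMPLE = [
    entry("192.0.2.10", "00:05"), entry("192.0.2.10", "00:06"),
    entry("198.51.100.7", "00:20"), entry("198.51.100.7", "04:00"),
    entry("203.0.113.5", "00:10"), entry("203.0.113.5", "01:30"),
    entry("203.0.113.5", "03:00"),                      # 2h50m after the first one
    entry("192.0.2.10", "00:07", status=302),           # redirect, not matched
    entry("192.0.2.10", "00:08", request="GET /wp-login.php"),
]

if __name__ == "__main__":
    totals, reached = replay(SAMPLE)
    print(sum(totals.values()), "failures;", len(reached), "hosts at maxretry")
```

The defaults mirror the `maxRetry = 3` and `findtime = 7200` values in the log excerpt; pass real access-log lines to `replay()` to see the per-host counts.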