[fail2ban] adding a new filter

Discussion in 'Server Operation' started by GHz, May 1, 2010.

  1. GHz

    GHz New Member

    I just installed a new PHP application on the servers which logs login attempts. Now I want fail2ban to ban an IP if it exceeds a specified amount of logins. So I looked up the log entry:

    [Sat May  1 17:17:23 2010][Notice][Kernel::System::Auth::DB::Auth] User: [email protected] authentication with wrong Pw!!! (REMOTE_ADDR:
    So I added a new filter like so:

    failregex = [.*][Notice][Kernel::System::Auth::DB::Auth] User: .* authentication with wrong Pw!!! (REMOTE_ADDR: <HOST>)
    ignoreregex =
    But it just doesn't ban the IP after the set amount of failed login attempts. The jail is being started when I restart fail2ban. Any ideas why this doesn't work?



    It already works! The working regex is:

    \[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* authentication with wrong Pw!!! \(REMOTE_ADDR: <HOST>\)
    One question though, can I specify more than one failregex in one filter file? Because the program I want to monitor logs different messages for unknown username / unknown password. Or do I have to create a second jail for that?
    Last edited: May 2, 2010
  2. GHz

    GHz New Member

  3. falko

    falko Super Moderator ISPConfig Developer

    You can do it as follows (just an example):

    failregex = [[]client <HOST>[]] user .* authentication failure
                [[]client <HOST>[]] user .* not found
                [[]client <HOST>[]] user .* password mismatch
  4. GHz

    GHz New Member

    Thanks Falko, it works!
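
Why the unescaped expression from the first post never matched, and how a multi-line failregex like the one in the reply is evaluated, shown as an added example that is not part of the original thread. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, both log lines and the "unknown user" message text are constructed, and fail2ban's own timestamp handling is not modelled.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own substitution also accepts hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two single-line expressions from the thread.
UNESCAPED = (r"[.*][Notice][Kernel::System::Auth::DB::Auth] User: .* "
             r"authentication with wrong Pw!!! (REMOTE_ADDR: <HOST>)")
ESCAPED = (r"\[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* "
           r"authentication with wrong Pw!!! \(REMOTE_ADDR: <HOST>\)")

# Multi-line failregex value: one expression per line, as in the reply.
# The second message text is constructed for illustration.
MULTI = r"""\[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* authentication with wrong Pw!!! \(REMOTE_ADDR: <HOST>\)
            \[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* unknown user!!! \(REMOTE_ADDR: <HOST>\)"""

# Constructed log lines (the page's sample is truncated after REMOTE_ADDR).
WRONG_PW = ("[Sat May  1 17:17:23 2010][Notice][Kernel::System::Auth::DB::Auth] "
            "User: alice@example.com authentication with wrong Pw!!! "
            "(REMOTE_ADDR: 192.0.2.10)")
UNKNOWN = ("[Sat May  1 17:18:02 2010][Notice][Kernel::System::Auth::DB::Auth] "
           "User: bob@example.com unknown user!!! (REMOTE_ADDR: 192.0.2.11)")


def compile_failregex(value):
    """Split a failregex value into lines and expand <HOST> in each."""
    return [re.compile(line.strip().replace("<HOST>", HOST))
            for line in value.splitlines() if line.strip()]


def banned_host(value, log_line):
    """Return the host captured by the first matching expression, or None."""
    for rx in compile_failregex(value):
        m = rx.search(log_line)
        if m:
            return m.group("host")
    return None


if __name__ == "__main__":
    # Unescaped: [..] are character classes and (..) is a group, so no match.
    print("unescaped:", banned_host(UNESCAPED, WRONG_PW))
    print("escaped:  ", banned_host(ESCAPED, WRONG_PW))
    print("multi:    ", banned_host(MULTI, UNKNOWN))
```

A filter that silently matches nothing leaves the jail running but never banning, so checking each expression against real log lines before relying on it is worthwhile.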
