Fail2ban regex works but no ban

Discussion in 'Installation/Configuration' started by sobers_2002, Jul 6, 2013.

  1. sobers_2002

    sobers_2002 New Member

    Hi All,

    I am running a Debian wheezy (Raspbian) server on a Raspberry Pi with the latest updates installed.

    The issue at hand is that I am unable to get fail2ban to 'work'. The regex seems to work fine, as shown below:

    Code:
    :~# fail2ban-client status nginx-login
    Status for the jail: nginx-login
    |- filter
    |  |- File list:        /var/log/*.access.log 
    |  |- Currently failed: 7
    |  `- Total failed:     7
    `- action
       |- Currently banned: 0
       |  `- IP list:
       `- Total banned:     0
    
    and

    Code:
    :~# fail2ban-regex /var/log/nginx/*.access.log /etc/fail2ban/filter.d/nginx-login.conf
    
    Running tests
    =============
    
    Use regex file : /etc/fail2ban/filter.d/nginx-login.conf
    Use log file   : /var/log/nginx/*.access.log
    
    
    Results
    =======
    
    Failregex
    |- Regular expressions:
    |  [1] ^<HOST> -.*POST .*login.* HTTP/1\.." 200
    |
    `- Number of matches:
       [1] 92 match(es)
    
    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:
    
    Summary
    =======
    
    Addresses found:
    [1]
    
    --here is a long list of IP addresses (92 nos. as seen below)--
    
    Date template hits:
    0 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    2130 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Year.Month.Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>
    
    Success, the total number of match is 92
    
    However, look at the above section 'Running tests' which could contain important
    information.
    
    The excerpt from the fail2ban log is below:

    Code:
    2013-07-06 02:20:59,662 fail2ban.filter : INFO   Set maxRetry = 3
    2013-07-06 02:20:59,686 fail2ban.filter : INFO   Set findtime = 7200
    2013-07-06 02:20:59,694 fail2ban.actions: INFO   Set banTime = 86400
    2013-07-06 02:20:59,790 fail2ban.jail   : INFO   Creating new jail 'nginx-proxy'
    2013-07-06 02:20:59,792 fail2ban.jail   : INFO   Jail 'nginx-proxy' uses Gamin
    2013-07-06 02:20:59,808 fail2ban.filter : INFO   Added logfile = /var/log/nginx*
    2013-07-06 02:20:59,881 fail2ban.filter : INFO   Set maxRetry = 3
    2013-07-06 02:20:59,905 fail2ban.filter : INFO   Set findtime = 7200
    2013-07-06 02:20:59,913 fail2ban.actions: INFO   Set banTime = 86400
    2013-07-06 02:21:00,018 fail2ban.jail   : INFO   Jail 'ssh' started
    2013-07-06 02:21:00,133 fail2ban.jail   : INFO   Jail 'nginx-auth' started
    2013-07-06 02:21:00,244 fail2ban.jail   : INFO   Jail 'nginx-login' started
    2013-07-06 02:21:00,463 fail2ban.jail   : INFO   Jail 'nginx-badbots' started
    2013-07-06 02:21:00,663 fail2ban.jail   : INFO   Jail 'nginx-noscript' started
    2013-07-06 02:21:01,013 fail2ban.jail   : INFO   Jail 'nginx-proxy' started
    
    The important regex (nginx-login) in question above is to prevent automated login attempts to WordPress.

    I can't ever see any ban happening here in this log file. For reference, I am running a read-only root system.
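
An added example, not part of the original post and not fail2ban's own code: it replays access-log lines through the failregex shown above and applies the maxRetry = 3 / findtime = 7200 values from the log excerpt to each address separately, because a ban is triggered per address inside the findtime window, not by the total match count. Assumptions: `<HOST>` is replaced by a simplified IPv4 group, the counting is a simplified sliding window, timezone offsets are ignored, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# failregex from the post; <HOST> swapped for a simplified IPv4 group (assumption)
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*POST .*login.* HTTP/1\.." 200')
STAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})')  # Day/MONTH/Year:H:M:S
MAXRETRY, FINDTIME = 3, 7200  # values reported in the post's fail2ban log

# Constructed sample lines (documentation address ranges), in log order
SAMPLE = """\
198.51.100.7 - - [06/Jul/2013:00:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.7 - - [06/Jul/2013:02:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [06/Jul/2013:02:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [06/Jul/2013:02:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [06/Jul/2013:02:30:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [06/Jul/2013:02:31:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2811
203.0.113.5 - - [06/Jul/2013:02:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.5 - - [06/Jul/2013:02:41:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [06/Jul/2013:02:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.7 - - [06/Jul/2013:04:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
""".splitlines()

def replay(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matches per address, {address: time the threshold was reached})."""
    matches, recent, bans = Counter(), defaultdict(deque), {}
    for line in lines:
        hit, stamp = FAILREGEX.search(line), STAMP.search(line)
        if not (hit and stamp):
            continue
        ip = hit.group("host")
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S")
        matches[ip] += 1
        window = recent[ip]
        window.append(when)
        # Forget failures older than findtime relative to the newest one
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.setdefault(ip, when)
    return matches, bans

if __name__ == "__main__":
    matches, bans = replay(SAMPLE)
    print("total matches:", sum(matches.values()))
    for ip, count in sorted(matches.items()):
        print(ip, count, "ban at %s" % bans[ip] if ip in bans else "no ban")
```

Feeding it the real access log (one line per list element) shows whether any single address in the 92 matches reaches three failures within 7200 seconds.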
     
