Re: [arch-general] Archlinux fail2ban not working

Your regex doesn't look like it would match. If <HOST> is substituted for your hostname that part of the regex would need to be before the unknown user part On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general < arch-general@archlinux.org> wrote:

Hi, I have this rule:

jail.conf:

[app-user] enabled = true port = 443 filter = user-app logpath = /var/log/user-app.log findtime = 1200 bantime = 480 maxretry = 3

-------------------------------

filter.d:

user-app.conf

[Definition]

failregex = Unknown User .* \(<HOST>:.*\)

ignoreregex =

-------------------------------

The content is logfile test /var/log/user-app.log:

[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

-------------------------------

And when test it, not working:

fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf

Running tests =============

Use failregex filter file : user-app, basedir: /etc/fail2ban Use log file : user-app.conf Use encoding : UTF-8

Results =======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits: |- [# of hits] date format | [6] {^LN-BEG}24hour:Minute:Second `-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed [processed in 0.02 sec]

|- Missed line(s): | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

Whats wrong? Maybe the left timestamp?

Thanks in advanced.