Your regex doesn't look like it would match. If <HOST> is substituted for your hostname, that part of the regex would need to be before the unknown user part.

On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <arch-general@archlinux.org> wrote:
Hi, I have this rule:
jail.conf:
[app-user]
enabled = true
port = 443
filter = user-app
logpath = /var/log/user-app.log
findtime = 1200
bantime = 480
maxretry = 3
-------------------------------
filter.d:
user-app.conf
[Definition]
failregex = Unknown User .* \(<HOST>:.*\)
ignoreregex =
-------------------------------
The content of the test logfile /var/log/user-app.log:
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
-------------------------------
And when I test it, it's not working:
fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
Running tests =============
Use failregex filter file : user-app, basedir: /etc/fail2ban
Use log file : user-app.conf
Use encoding : UTF-8
Results =======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}24hour:Minute:Second
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed [processed in 0.02 sec]
|- Missed line(s):
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
What's wrong? Maybe the timestamp on the left?
Thanks in advance.
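An added check, not part of the thread, that reproduces what fail2ban-regex is doing here with plain Python. fail2ban replaces the <HOST> tag with its own host-matching sub-pattern before compiling failregex; the expansion below is my approximation of that sub-pattern (an assumption, not copied from fail2ban), and it does not include a colon. The log lines have `(109.103.148.2)` with nothing after the address, so the `:` that the posted failregex requires right after <HOST> can never match. The constructed sample lines mirror the ones in the post; the helper names are my own.

```python
import re

# Constructed sample lines, modelled on the log file quoted in the thread.
LOG_LINES = [
    "[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)",
    "[12:48:36.002] Server1: Unknown User 'admin' (203.0.113.7)",
]

# Assumption: an approximation of the sub-pattern fail2ban substitutes for
# the <HOST> tag (an optional IPv4-mapped-IPv6 prefix, then the host itself).
# Note that ':' is not part of the host character class.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the posted filter and a corrected variant without the
# colon after <HOST>.
ORIGINAL_FAILREGEX = r"Unknown User .* \(<HOST>:.*\)"
FIXED_FAILREGEX = r"Unknown User .* \(<HOST>\)"


def expand_failregex(failregex: str) -> re.Pattern:
    """Compile a failregex after substituting the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregex: str, lines) -> list:
    """Return the host captured from every line the failregex matches.

    fail2ban applies failregex to the part of the line after the date it
    detected; since neither regex is anchored, a plain search() over the
    whole line gives the same result for these samples.
    """
    pattern = expand_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{label:8s} -> {match_hosts(rx, LOG_LINES)}")
```

Running the block shows the original regex matching nothing and the corrected one capturing both addresses, which is the same contrast fail2ban-regex reports as "0 matched" versus "6 matched". The date template hit count in the posted output already shows the timestamp is being parsed correctly, so the timestamp is not the problem; the extra `:` after <HOST> is.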