[arch-general] Archlinux fail2ban not working
Hi, I have this rule:

jail.conf:

[app-user]
enabled = true
port = 443
filter = user-app
logpath = /var/log/user-app.log
findtime = 1200
bantime = 480
maxretry = 3

-------------------------------

filter.d: user-app.conf

[Definition]
failregex = Unknown User .* \(<HOST>:.*\)
ignoreregex =

-------------------------------

The content of the test logfile /var/log/user-app.log:

[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

-------------------------------

And when I test it, it's not working:

fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf

Running tests
=============

Use   failregex filter file : user-app, basedir: /etc/fail2ban
Use         log file : user-app.conf
Use         encoding : UTF-8

Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}24hour:Minute:Second
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.02 sec]

|- Missed line(s):
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

What's wrong? Maybe the timestamp on the left?

Thanks in advance.
Your regex doesn't look like it would match. If <HOST> is substituted for your hostname, that part of the regex would need to be before the unknown user part.

On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <arch-general@archlinux.org> wrote:
On Fri, 1 Nov 2019 at 17:32, Justin Capella via arch-general <arch-general@archlinux.org> wrote:

Your regex doesn't look like it would match. If <HOST> is substituted for your hostname, that part of the regex would need to be before the unknown user part.
The HOST is the public IP of my client, not a hostname. I don't understand.
Hi Maykel,

I don't use fail2ban, but I've just skimmed https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-reg... You may find the ‘debuggex’ reference useful.
failregex = Unknown User .* \(<HOST>:.*\) ... [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) ... Date template hits: |- [# of hits] date format | [6] {^LN-BEG}24hour:Minute:Second
I take that to mean it was happy with the timestamp.
failregex = Unknown User .* \(<HOST>:.*\)
How about

failregex = ^\S+: Unknown User .* \(<HOST>\)$

--
Cheers, Ralph.
On Fri, 1 Nov 2019 at 19:20, Ralph Corderoy (<ralph@inputplus.co.uk>) wrote:
Thanks for your help, but it's not working... https://imgur.com/a/w0F2JSC
On Sat, 2 Nov 2019 at 0:13, Maykel Franco (<maykeldebian@gmail.com>) wrote:
It works with only:

failregex = Unknown User .* \(<HOST>\)
Hi Maykel,
How about
failregex = ^\S+: Unknown User .* \(<HOST>\)$
Thanks for your help but not working... https://imgur.com/a/w0F2JSC
That image shows

Unknown User .* \(<HOST>:.*\)

but that's not what I suggested, e.g. you have a colon after the <HOST> and as there is no colon in ‘(109.103.148.2)’ then the regexp is not going to match.

--
Cheers, Ralph.
On Sat, 2 Nov 2019 at 0:51, Ralph Corderoy (<ralph@inputplus.co.uk>) wrote:
What you suggested didn't work either: https://imgur.com/a/sNN5dL0
Hi Maykel,
failregex = ^\S+: Unknown User .* \(<HOST>\)$
Thanks for your help but not working... https://imgur.com/a/w0F2JSC
That image shows
Unknown User .* \(<HOST>:.*\)
but that's not what I suggested, e.g. you have a colon after the <HOST> and as there is no colon in ‘(109.103.148.2)’ then the regexp is not going to match.
what you suggested didn't work either
You still aren't trying what I suggested. The regexp I'm suggesting is for fail2ban. It can't be put into regex101.com unaltered. Nor can the test input be the line to match against because fail2ban alters it before applying the regular expression. I suggest you test and develop the regexp you want using fail2ban, e.g. fail2ban-regex.

--
Cheers, Ralph.
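As an added illustration (not code from this thread or from the fail2ban project) of why the first filter missed every line, and of Ralph's point that fail2ban alters the line before the failregex is applied, here is a small Python stand-in for fail2ban-regex. It assumes the `<HOST>` expansion fail2ban 0.9/0.10 substitutes (a hostname or IP, optionally preceded by an IPv4-mapped IPv6 prefix) and approximates the `{^LN-BEG}24hour:Minute:Second` date template by simply cutting the leading bracketed time off each line; the log lines are constructed to follow the thread's format. The colon after `<HOST>` in the original pattern demands a character the log never contains, so the colon-free pattern is the one that matches; the anchored pattern matches only once the timestamp has been removed, which is why pasting the pattern and the raw log line into a generic regex tester gives a different answer than fail2ban-regex.

```python
import re

# Constructed sample log in the format from the thread: the repeated
# 'Unknown User' entry, one more failure from a second address, and one
# successful login that a correct filter must NOT match.
SAMPLE_LOG = """\
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:36.001] Server1: Unknown User 'admin' (198.51.100.7)
[12:48:37.120] Server1: Login OK 'alice' (203.0.113.9)
"""

# The three failregex variants discussed in the thread.
ORIGINAL = r"Unknown User .* \(<HOST>:.*\)"      # first mail: demands ':' right after the host
WORKING = r"Unknown User .* \(<HOST>\)"          # reported as working
ANCHORED = r"^\S+: Unknown User .* \(<HOST>\)$"  # Ralph's suggestion

# Assumption: this is the regex fail2ban substitutes for <HOST> (a host
# name or IP address, optionally preceded by an IPv4-mapped IPv6 prefix).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: fail2ban found the timestamp at the start of each line
# ({^LN-BEG}24hour:Minute:Second in the thread's output) and cuts it out
# before the failregex is applied. This stand-in removes the bracketed
# time and the single space after it.
DATE_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}(?:\.\d+)?\]\s?")


def compile_failregex(failregex: str) -> "re.Pattern":
    """Expand <HOST> and compile, so the pattern can be run with plain re."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def strip_timestamp(line: str) -> str:
    """Remove the leading '[HH:MM:SS.mmm] ' the way the date template would."""
    return DATE_RE.sub("", line, count=1)


def run_filter(failregex: str, log: str, strip: bool = True) -> dict:
    """Apply a failregex to every line; return matched hosts and missed lines.

    strip=False matches the raw line instead, which is what happens when
    the pattern is pasted into a generic regex tester together with the
    unmodified log line.
    """
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        target = strip_timestamp(line) if strip else line
        m = rx.search(target)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return {"matched": matched, "missed": missed}


def summary(failregex: str, log: str, strip: bool = True) -> str:
    """One-line summary in the spirit of fail2ban-regex's 'Lines:' line."""
    r = run_filter(failregex, log, strip)
    total = len(r["matched"]) + len(r["missed"])
    return f"{total} lines, {len(r['matched'])} matched, {len(r['missed'])} missed"


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("working", WORKING), ("anchored", ANCHORED)):
        print(f"{name:9} {pattern!r:45} -> {summary(pattern, SAMPLE_LOG)}")
    # The anchored pattern against the raw, un-stripped line: the leading
    # timestamp sits where '^\S+:' expects 'Server1:', so nothing matches.
    print(f"anchored, raw line -> {summary(ANCHORED, SAMPLE_LOG, strip=False)}")
```

Run it as a script for a fail2ban-regex-style summary of each variant. The date stripping here is only an approximation of fail2ban's preprocessing, so the final check of any filter still belongs with fail2ban-regex against the real filter file, as Ralph says.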
participants (3)
- Justin Capella
- Maykel Franco
- Ralph Corderoy