[arch-general] Archlinux fail2ban not working

Justin Capella justincapella at gmail.com
Fri Nov 1 16:32:07 UTC 2019


Your regex doesn't look like it would match. If <HOST> is substituted for
your hostname, that part of the regex would need to be before the unknown
user part.

On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
arch-general at archlinux.org> wrote:

> Hi, I have this rule:
>
> jail.conf:
>
> [app-user]
> enabled = true
> port = 443
> filter = user-app
> logpath = /var/log/user-app.log
> findtime = 1200
> bantime = 480
> maxretry = 3
>
> -------------------------------
>
> filter.d:
>
> user-app.conf
>
>
> [Definition]
>
> failregex = Unknown User .* \(<HOST>:.*\)
>
> ignoreregex =
>
> -------------------------------
>
> The content of the test logfile /var/log/user-app.log:
>
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> -------------------------------
>
> And when I test it, it is not working:
>
> fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
>
> Running tests
> =============
>
> Use   failregex filter file : user-app, basedir: /etc/fail2ban
> Use         log file : user-app.conf
> Use         encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [6] {^LN-BEG}24hour:Minute:Second
> `-
>
> Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> [processed in 0.02 sec]
>
> |- Missed line(s):
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> What's wrong? Maybe the left timestamp?
>
> Thanks in advance.
>

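The fail2ban-regex output above already points at the cause: the date template matched all 6 lines, so the timestamp is fine, and what fails is the failregex itself. `\(<HOST>:.*\)` demands a literal `:` immediately after the address, while every log line closes the parenthesis right after the address. The script below is an added example, not code from the thread or from fail2ban: it re-runs the posted failregex and a corrected one over constructed log lines (the two shapes from the post plus a line with a `:port` suffix and one unrelated line), stripping the leading time like fail2ban does, and then applies the jail's maxretry. The `<HOST>` expansion here is a simplified stand-in for fail2ban's real pattern, and findtime is ignored because the sample lines are seconds apart.

```python
import re
from collections import Counter

# Constructed sample log, shaped after the post. Line 3 adds a ':port'
# suffix and line 4 is an unrelated message; neither appears in the thread.
SAMPLE_LOG = """\
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:36.001] Server1: Unknown User 'admin' (109.103.148.2:51234)
[12:48:36.003] Server1: Login OK 'alice' (203.0.113.7)
"""

# Simplified stand-in for fail2ban's <HOST> expansion (an approximation,
# not fail2ban's exact pattern): dotted IPv4, raw IPv6, or a hostname.
HOST = r"(?P<host>(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+|[\w\-.]+))"

# The leading time that fail2ban-regex reported as
# {^LN-BEG}24hour:Minute:Second; fail2ban strips it before failregex runs.
DATE_PREFIX = re.compile(r"^\[\d{2}:\d{2}:\d{2}(?:\.\d+)?\]\s*")

# Exactly as posted: requires ':' right after the address.
POSTED_FAILREGEX = r"Unknown User .* \(<HOST>:.*\)"
# Corrected: port is optional, user name bounded by quotes, no trailing .* .
FIXED_FAILREGEX = r"Unknown User '[^']*' \(<HOST>(?::\d+)?\)"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (approximately) and compile."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_hosts(log_text, failregex):
    """Return the host captured from every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        body = DATE_PREFIX.sub("", line, count=1)  # drop the timestamp
        m = pattern.search(body)                    # failregex is unanchored
        if m:
            hits.append(m.group("host"))
    return hits


def ban_candidates(hosts, maxretry):
    """Hosts that reached the jail's maxretry (findtime ignored here)."""
    counts = Counter(hosts)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        hits = match_hosts(SAMPLE_LOG, rx)
        print(f"{name:6s} failregex: {len(hits)} matched, "
              f"ban {ban_candidates(hits, maxretry=3)}")
```

Run as posted, the regex only matches the constructed line that carries a `:port` suffix, so the real host never reaches maxretry = 3; the corrected regex matches all three "Unknown User" lines and the host is banned. Against the real tool, the same check is `fail2ban-regex /var/log/user-app.log "Unknown User '[^']*' \(<HOST>(?::\d+)?\)"`, which should report 6 matched instead of 6 missed for the lines in the post.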