-------- Original Message --------
*Subject: *  [Fail2ban-users] jail.local not triggered
*From: *     Chet Curry <[email protected]>
*To: *         Fail2ban-users <[email protected]>
*CC: *
*Date: *      2019-8-30  12:28 PM
So I can run fail2ban-regex and get matches.

[root@xspdm2 ~]# fail2ban-regex /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06 /etc/fail2ban/filter.d/apache-Mac.conf

Running tests
=============

Use   failregex filter file : apache-Mac, basedir: /etc/fail2ban
Use         log file : /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
Use         encoding : UTF-8


Results
=======

Failregex: 57041 total
|-  #) [# of hits] regular expression
|   1) [57041] ^<HOST>.*"GET.*HTTP/1.1" [401|404]{3}
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [57071] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 57071 lines, 0 ignored, 57041 matched, 30 missed
[processed in 7.20 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 30 lines

Yet when I run fail2ban using jail.local and using the filter apache-Mac.conf 
it does not get any matches.

filter.d
:24 apache-Mac.conf
[email protected]$ cat apache-Mac.conf
#Fail2Ban apache-404 filter
#
# Author: Chet Curry
#
#
[Definition]
#Notes.:regex to match the Host IP and ("Get and <mac address>.cfg HTTP/1.1" and 401 or 404)
# example
#   HOST                                        "GET                       <mac address>.cfg HTTP/1.1" 401 or 404
# 85.17.172.70 - - [03/Apr/2018:07:25:09 -0400] "GET /dms/bw/host/bwas/Polycom_VVX500/0004f2050605.cfg HTTP/1.1" 404 952 0 1343
#failregex = ^<HOST>.*"GET.*([0-9a-fA-F]{2}){6}.cfg HTTP/1.1" [401|404]{3}

cat /etc/fail2ban/jail.d/jail.local
[apache-Mac]
enabled = true
port = http,https
filter = apache-Mac
logpath = /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
maxretry = 50
findtime = 60
bantime = 604800

fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   apache-Mac
[root@xspdm2 ~]# fail2ban-client status apache-Mac
Status for the jail: apache-Mac
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:  /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Any ideas?




You have maxretry set to 50.

That means it will have to happen at least 50 times.

Try changing it to 1, and see what happens.

Wayne Sallee
[email protected]
http://www.WayneSallee.com




_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
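
How the jail's maxretry and findtime settings discussed in the reply interact, as an added example (not part of the original thread and not fail2ban's own code): a simplified Python model that counts failregex matches per host in a sliding window. The IPv4 stand-in for <HOST>, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failregex from the fail2ban-regex output above; <HOST> is replaced by a
# simplified IPv4 group (assumption: fail2ban's real <HOST> pattern is broader).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*"GET.*HTTP/1.1" [401|404]{3}')
STAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def hosts_to_ban(lines, maxretry, findtime):
    """Return hosts with at least `maxretry` matching lines inside a
    `findtime`-second window (simplified model of the jail's counting)."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = set()
    for line in lines:
        m, t = FAILREGEX.search(line), STAMP.search(line)
        if not (m and t):
            continue
        when = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
        q = recent[m.group("host")]
        q.append(when)
        # Drop failures that have fallen out of the findtime window.
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m.group("host"))
    return banned


def sample_log():
    """Constructed lines: 192.0.2.10 sends 60 requests one second apart,
    198.51.100.7 sends 60 requests five seconds apart (all answered 404)."""
    start = datetime(2019, 8, 29, 19, 12, 6)
    fmt = ('{ip} - - [{ts} -0400] "GET /dms/bw/host/bwas/Polycom_VVX500/'
           '0004f2050605.cfg HTTP/1.1" 404 952 0 1343')
    out = []
    for i in range(60):
        for ip, step in (("192.0.2.10", 1), ("198.51.100.7", 5)):
            when = start + timedelta(seconds=i * step)
            out.append(fmt.format(ip=ip, ts=when.strftime("%d/%b/%Y:%H:%M:%S")))
    return out


if __name__ == "__main__":
    log = sample_log()
    print(sorted(hosts_to_ban(log, maxretry=50, findtime=60)))
    print(sorted(hosts_to_ban(log, maxretry=1, findtime=60)))
```

With the posted values (maxretry = 50, findtime = 60) only the host sending one request per second reaches the threshold; the slower host never has more than 13 matches inside any 60-second window.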
