I am getting spammed by hackers and getting well over 50 hits in 60
seconds.  Also the file I am monitoring has these hacker hits and that is
the file I have in my jail.local.  Again my regex gets the hits but when
fail2ban reloads, looking at the same file, it does not hit.

I do notice that when I reload though I get this error at the bottom.

# fail2ban-client -v reload apache-GetMac
INFO   Loading configs for fail2ban under /etc/fail2ban
INFO     Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO     Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
INFO   Loading configs for jail under /etc/fail2ban
INFO     Loading files: ['/etc/fail2ban/jail.conf']
INFO     Loading files: ['/etc/fail2ban/paths-fedora.conf']
INFO     Loading files: ['/etc/fail2ban/paths-common.conf']
INFO     Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO     Loading files: ['/etc/fail2ban/jail.d/jail.local']
INFO     Loading files: ['/etc/fail2ban/paths-common.conf',
'/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf',
'/etc/fail2ban/jail.d/jail.local']
INFO   Loading configs for filter.d/apache-GetMac under /etc/fail2ban
INFO     Loading files: ['/etc/fail2ban/filter.d/apache-GetMac.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/apache-GetMac.conf']
INFO   Loading configs for action.d/iptables-multiport under /etc/fail2ban
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO     Loading files: ['/etc/fail2ban/action.d/iptables-common.conf',
'/etc/fail2ban/action.d/iptables-multiport.conf']
ERROR  NOK: ('apache-GetMac',)
On Fri, 30 Aug 2019 at 10:55, Wayne Sallee <[email protected]> wrote:

>
>
> -------- Original Message --------
> *Subject: *  [Fail2ban-users] jail.local not triggered
> *From: *     Chet Curry <[email protected]>
> *To: *         Fail2ban-users <[email protected]>
> *CC: *
> *Date: *      2019-8-30  12:28 PM
> > So I can run fail2ban-regex and get matches.
> >
> > [root@xspdm2 ~]# fail2ban-regex
> /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> > /etc/fail2ban/filter.d/apache-Mac.conf
> >
> > Running tests
> > =============
> >
> > Use   failregex filter file : apache-Mac, basedir: /etc/fail2ban
> > Use         log file :
> /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> > Use         encoding : UTF-8
> >
> >
> > Results
> > =======
> >
> > Failregex: 57041 total
> > |-  #) [# of hits] regular expression
> > |   1) [57041] ^<HOST>.*"GET.*HTTP/1.1" [401|404]{3}
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > |  [57071] Day(?P<_sep>[-/])MON(?P=_sep)Year[
> :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
> > `-
> >
> > Lines: 57071 lines, 0 ignored, 57041 matched, 30 missed
> > [processed in 7.20 sec]
> >
> > Missed line(s): too many to print.  Use --print-all-missed to print all
> 30 lines
> >
> > Yet when I run fail2ban using jail.local and using the filter
> apache-Mac.conf it does not get any matches.
> >
> > filter.d
> > :24 apache-Mac.conf
> > [email protected] <mailto:
> [email protected]>$ cat apache-Mac.conf
> > #Fail2Ban apache-404 filter
> > #
> > # Author: Chet Curry
> > #
> > #
> > [Definition]
> > #Notes.:regex to match the Host IP and ("Get and <mac address>.cfg
> HTTP/1.1" and 401 or 404)
> > # example
> > #   HOST                                        "GET
>   <mac address>.cfg HTTP/1.1" 401 or 404
> > # 85.17.172.70 - - [03/Apr/2018:07:25:09 -0400] "GET
> /dms/bw/host/bwas/Polycom_VVX500/0004f2050605.cfg HTTP/1.1" 404
> > 952 0 1343
> > #failregex = ^<HOST>.*"GET.*([0-9a-fA-F]{2}){6}.cfg HTTP/1.1"
> [401|404]{3}
> >
> > cat /etc/fail2ban/jail.d/jail.local
> > [apache-Mac]
> > enabled = true
> > port = http,https
> > filter = apache-Mac
> > logpath = /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> > maxretry = 50
> > findtime = 60
> > bantime = 604800
> >
> > fail2ban-client status
> > Status
> > |- Number of jail:      1
> > `- Jail list:   apache-Mac
> > [root@xspdm2 ~]# fail2ban-client status apache-Mac
> > Status for the jail: apache-Mac
> > |- Filter
> > |  |- Currently failed: 0
> > |  |- Total failed:     0
> > |  `- File list:
>  /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> > `- Actions
> >    |- Currently banned: 0
> >    |- Total banned:     0
> >    `- Banned IP list:
> >
> > Any ideas?
> >
> >
>
>
> You have maxretry set to 50.
>
> That means it will have to happen at least 50 times.
>
> Try changing it to 1, and see what happens.
>
> Wayne Sallee
> [email protected]
> http://www.WayneSallee.com
>
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
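Added example, not code from the thread or from fail2ban itself: a small Python model of the two behaviours the thread compares. fail2ban-regex tests every line of a file, whereas a running jail drops any matching line whose timestamp is older than findtime relative to the wall clock before counting it, so a rotated, dated log like the one used as logpath above can legitimately show "Total failed: 0" while fail2ban-regex reports tens of thousands of hits. The same model applies the maxretry window Wayne points at, and a helper shows that the posted status pattern `[401|404]{3}` is a character class (any three of the characters 4, 0, 1 and |) rather than "401 or 404", so it also accepts a 444 response. The `<HOST>` expansion, the log lines and the IP addresses are constructed for the example; real fail2ban uses a richer host pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Stand-in for fail2ban's <HOST> expansion (fail2ban substitutes a host-capturing
# group); an IPv4-only capture is enough for this constructed sample.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex as posted in the thread (character class and unescaped dots kept).
POSTED_FAILREGEX = r'^<HOST>.*"GET.*([0-9a-fA-F]{2}){6}.cfg HTTP/1.1" [401|404]{3}'
# Same intent with alternation instead of a character class and escaped dots.
FIXED_FAILREGEX = r'^<HOST>.*"GET .*(?:[0-9a-fA-F]{2}){6}\.cfg HTTP/1\.1" (?:401|404)\b'

# Apache access-log timestamp, e.g. [03/Apr/2018:07:25:09 -0400]
APACHE_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def compile_failregex(failregex):
    """Compile a fail2ban-style failregex after expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_time(line):
    """Return the line's timestamp as an aware datetime, or None."""
    m = APACHE_TS.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None

def scan(lines, failregex, now, findtime=60, maxretry=50):
    """Model of a running jail: a matching line older than `findtime` relative
    to `now` is dropped (as fail2ban does), the rest are counted per host in a
    sliding `findtime` window, and a host reaching `maxretry` is banned.
    Returns (matched, skipped_as_too_old, banned_hosts)."""
    rx = compile_failregex(failregex)
    cutoff = now - timedelta(seconds=findtime)
    window = defaultdict(deque)
    matched = skipped = 0
    banned = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        ts = parse_time(line)
        if ts is None or ts < cutoff:
            skipped += 1
            continue
        matched += 1
        host = m.group("host")
        hits = window[host]
        hits.append(ts)
        while hits[0] < ts - timedelta(seconds=findtime):
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return matched, skipped, banned

def scan_as_running_jail(lines, failregex, findtime=60, maxretry=50):
    """Same scan, but with `now` = wall-clock time, which is what the daemon uses."""
    return scan(lines, failregex, datetime.now(timezone.utc), findtime, maxretry)

def status_class_pitfall():
    """[401|404]{3} is a character class (any three of 4, 0, 1, |), not 401-or-404."""
    posted, fixed = re.compile(r"[401|404]{3}"), re.compile(r"(?:401|404)")
    return {s: (bool(posted.fullmatch(s)), bool(fixed.fullmatch(s)))
            for s in ("401", "404", "444", "|||", "200")}

# Constructed sample log; timestamps chosen to resemble the rotated file's date.
LOG_TZ = timezone(timedelta(hours=-4))
LOG_START = datetime(2019, 8, 29, 19, 10, 0, tzinfo=LOG_TZ)
LOG_END = LOG_START + timedelta(seconds=50)
CFG_PATH = "/dms/bw/host/bwas/Polycom_VVX500/0004f2050605.cfg"  # path from the thread

def make_lines(host, count, status):
    return [
        f'{host} - - [{(LOG_START + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
        f'"GET {CFG_PATH} HTTP/1.1" {status} 952 0 1343'
        for i in range(count)
    ]

def sample_lines():
    return (make_lines("203.0.113.7", 50, 404)    # one host, 50 x 404 inside 60 s
            + make_lines("198.51.100.9", 3, 200)  # legitimate 200s, must not match
            + make_lines("192.0.2.5", 1, 444))    # matched only by the character class

if __name__ == "__main__":
    lines = sample_lines()
    print("status pitfall:", status_class_pitfall())
    print("fail2ban-regex style (clock at log time):", scan(lines, POSTED_FAILREGEX, LOG_END))
    print("running jail (wall clock, lines too old):", scan_as_running_jail(lines, POSTED_FAILREGEX))
    print("fixed regex, maxretry=1:", scan(lines, FIXED_FAILREGEX, LOG_END, maxretry=1))
```

Run as-is, the first scan reproduces the fail2ban-regex picture (51 matches, one host banned), the second reproduces the jail's "Total failed: 0" for the same lines because every match is older than findtime, and the third shows the alternation form excluding the 444 line.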