Hi, I have a WeeChat <https://weechat.org/> relay running on a Raspberry Pi on 
my local network. The port of the relay is open to the internet and I get some 
unwanted login attempts so I want to ban the IPs using fail2ban.

fail2ban is working fine with SSH. I managed to lock myself out after trying 
with a wrong password three times. My custom config for weechat does not work 
though. I set up a jail, filter and tested my regex with fail2ban-regex. The 
path to the log file is correct but I still don’t see any failed attempts 
listed in "fail2ban status weechat".

Any ideas what I did wrong?

My Setup:
Raspbian 10 (buster)
Fail2Ban v0.10.2
WeeChat 3.0

/etc/fail2ban/filter.d/weechat.conf
> [Definition]
> failregex = relay: authentication failed with client ./ssl.weechat/<HOST>

/etc/fail2ban/jail.d/weechat.conf
> [weechat]
> enabled  = true
> port     = 9000
> filter   = weechat
> logpath  = /var/log/weechat/core.weechat.log
> maxretry = 3
> findtime = 60
> bantime = 600

fail2ban-client status
> Status
> |- Number of jail:    3
> `- Jail list: dropbear, sshd, weechat

fail2ban-client status weechat
> Status for the jail: weechat
> |- Filter
> |  |- Currently failed:       0
> |  |- Total failed:   0
> |  `- Journal matches:
> `- Actions
>    |- Currently banned:       0
>    |- Total banned:   0
>    `- Banned IP list:

/var/log/weechat/core.weechat.log
> 2021-01-27 12:29:10           relay: disconnected from client 25/ssl.weechat/XX.XXX.XXX.X
> 2021-01-27 12:51:59           relay: new client on port 9000: 1/ssl.weechat/XX.XXX.XXX.X (connecting)
> 2021-01-27 12:52:01   =!=     relay: authentication failed with client 1/ssl.weechat/XX.XXX.XXX.X
> 2021-01-27 12:52:06           relay: new client on port 9000: 1/ssl.weechat/XX.XXX.XXX.X (connecting)
> 2021-01-27 12:52:09   =!=     relay: authentication failed with client 1/ssl.weechat/XX.XXX.XXX.X
> 2021-01-27 12:53:55           relay: new client on port 9000: 1/ssl.weechat/XX.XXX.XXX.X (connecting)
> 2021-01-27 12:53:57           relay: client 1/ssl.weechat/XX.XXX.XXX.X connected/authenticated

fail2ban-regex -D /var/log/weechat/core.weechat.log /etc/fail2ban/filter.d/weechat.conf
> Running tests
> =============
> 
> Use   failregex filter file : weechat, basedir: /etc/fail2ban
> Use         log file : /var/log/weechat/core.weechat.log
> Use         encoding : UTF-8
> 
> 
> Results
> =======
> 
> Failregex: 51 total
> |-  #) [# of hits] regular expression
> |   1) [51] relay: authentication failed with client ./ssl.weechat/<HOST>
> `-
> 
> Ignoreregex: 0 total
> 
> Date template hits:
> |- [# of hits] date format
> |  [311] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
> `-
> 
> Lines: 311 lines, 0 ignored, 51 matched, 260 missed
> [processed in 0.18 sec]
> 
> Missed line(s): too many to print.  Use --print-all-missed to print all 260 lines

Regards,
Richard
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
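
Added example, not part of the original post and not fail2ban's own code: a small offline emulation of the filter and jail thresholds above (failregex, maxretry = 3, findtime = 60) run over constructed log lines. It goes one step beyond the post by also feeding in failures with multi-digit client ids, which the single `.` in the posted failregex does not match. The `HOST` pattern, `WIDE_FAILREGEX`, the sample IPs and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex from the filter in the post; "." before /ssl matches exactly one character.
PAGE_FAILREGEX = r"relay: authentication failed with client ./ssl.weechat/<HOST>"
# Hypothetical variant (not from the post): accepts client ids of any length.
WIDE_FAILREGEX = r"relay: authentication failed with client \d+/ssl\.weechat/<HOST>"
# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY, FINDTIME = 3, 60  # jail values from the post

FAIL = "{}   =!=     relay: authentication failed with client {}/ssl.weechat/{}"
# Constructed log lines (documentation IP ranges), in the layout shown in the post.
SAMPLE = "\n".join([
    "2021-01-27 12:51:59           relay: new client on port 9000: 1/ssl.weechat/203.0.113.7 (connecting)",
    FAIL.format("2021-01-27 12:52:01", 1, "203.0.113.7"),   # 3 failures in 19 s
    FAIL.format("2021-01-27 12:52:09", 1, "203.0.113.7"),
    FAIL.format("2021-01-27 12:52:20", 1, "203.0.113.7"),
    FAIL.format("2021-01-27 12:55:00", 2, "198.51.100.9"),  # 3 failures, too far apart
    FAIL.format("2021-01-27 12:57:00", 2, "198.51.100.9"),
    FAIL.format("2021-01-27 12:59:30", 2, "198.51.100.9"),
    FAIL.format("2021-01-27 13:00:01", 10, "192.0.2.44"),   # two-digit client ids
    FAIL.format("2021-01-27 13:00:05", 11, "192.0.2.44"),
    FAIL.format("2021-01-27 13:00:09", 12, "192.0.2.44"),
])

def find_failures(log, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    out = []
    for line in log.splitlines():
        m = rx.search(line)  # searched anywhere in the line, not anchored
        if m:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("host")))
    return out

def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    by_host = defaultdict(list)
    for ts, host in failures:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
    return banned
```

With the posted failregex only 203.0.113.7 reaches the threshold in this emulation; the three failures from 192.0.2.44 are never counted because their client ids have two digits.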
