Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Ralph Corderoy
Hi Maykel,

> > How about
> >
> > failregex = ^\S+: Unknown User .* \(<HOST>\)$
>
> Thanks for your help but not working...
> https://imgur.com/a/w0F2JSC

That image shows

Unknown User .* \(<HOST>:.*\)

but that's not what I suggested, e.g. you have a colon after the <HOST>
and as there is no colon in ‘(109.103.148.2)’ then the regexp is not
going to match.

-- 
Cheers, Ralph.


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Sat, 2 Nov 2019 at 0:13, Maykel Franco wrote:
>
> On Fri, 1 Nov 2019 at 19:20, Ralph Corderoy wrote:
> >
> > Hi Maykel,
> >
> > I don't use fail2ban, but I've just skimmed
> > https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
> > You may find the ‘debuggex’ reference useful.
> >
> > > failregex = Unknown User .* \(<HOST>:.*\)
> > ...
> > > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > ...
> > > Date template hits:
> > > |- [# of hits] date format
> > > |  [6] {^LN-BEG}24hour:Minute:Second
> >
> > I take that to mean it was happy with the timestamp.
> >
> > > failregex = Unknown User .* \(<HOST>:.*\)
> >
> > How about
> >
> > failregex = ^\S+: Unknown User .* \(<HOST>\)$
> >
> > --
> > Cheers, Ralph.
>
> Thanks for your help but not working...
>
> https://imgur.com/a/w0F2JSC

It works with only:

failregex = Unknown User .* \(<HOST>\)
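
The three filters from this thread, checked against the quoted log line, as an added example that is not part of any poster's message and is not fail2ban's own code. Assumptions: `<HOST>` is the fail2ban tag that the archive shows as empty parentheses; `HOST_GROUP` is a simplified IPv4-only stand-in for it; `strip_timestamp` is a hypothetical stand-in for the removal of the matched date before `failregex` is applied.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's real expansion also covers IPv6 and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Log line quoted in the thread.
LOG_LINE = "[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)"

# The three failregex values discussed in the thread.
FILTERS = {
    "original": r"Unknown User .* \(<HOST>:.*\)",      # colon after <HOST>
    "anchored": r"^\S+: Unknown User .* \(<HOST>\)$",  # anchored at both ends
    "final": r"Unknown User .* \(<HOST>\)",            # unanchored, no colon
}


def expand(failregex):
    """Substitute the <HOST> tag with a capturing group."""
    return failregex.replace("<HOST>", HOST_GROUP)


def strip_timestamp(line):
    """Drop a leading [HH:MM:SS.mmm] stamp (assumed stand-in for date removal)."""
    return re.sub(r"^\[\d{2}:\d{2}:\d{2}\.\d{3}\]\s*", "", line)


def extract_host(failregex, line):
    """Return the address the filter would hand to the ban action, or None."""
    match = re.search(expand(failregex), line)
    return match.group("host") if match else None


def report(line):
    """Map each filter name to the host it extracts from `line`."""
    return {name: extract_host(rx, line) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for label, line in (("raw line", LOG_LINE),
                        ("timestamp removed", strip_timestamp(LOG_LINE))):
        print(f"{label}: {report(line)}")
```

The colon variant extracts nothing in either case, and the anchored variant only matches when nothing at all precedes `Server1:`, which is why the unanchored filter is the most tolerant of the three.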


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Fri, 1 Nov 2019 at 19:20, Ralph Corderoy wrote:
>
> Hi Maykel,
>
> I don't use fail2ban, but I've just skimmed
> https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
> You may find the ‘debuggex’ reference useful.
>
> > failregex = Unknown User .* \(<HOST>:.*\)
> ...
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> ...
> > Date template hits:
> > |- [# of hits] date format
> > |  [6] {^LN-BEG}24hour:Minute:Second
>
> I take that to mean it was happy with the timestamp.
>
> > failregex = Unknown User .* \(<HOST>:.*\)
>
> How about
>
> failregex = ^\S+: Unknown User .* \(<HOST>\)$
>
> --
> Cheers, Ralph.

Thanks for your help but not working...

https://imgur.com/a/w0F2JSC


Re: [arch-general] new packaging of the kernel/mkinitcpio/kmod

2019-11-01 Thread Eli Schwartz via arch-general
On 10/31/19 3:46 PM, Giancarlo Razzolini wrote:
> Hi Eli,
> 
> This is totally uncalled for. Even though I agree that kernel-install is
> *not*
> that great, there's no need to be aggressive.
> 
> The question, even if phrased not in the best way, is a legitimate one.

Didn't seem like much of a question to me. As far as I'm aware, there is
no actual blocker to it, we even package it as one of the collection of
tools made available by systemd so you literally cannot avoid having it
available as it's a mandatory part of base. (The kernel is not
mandatory, and mkinitcpio is not mandatory, but kernel-install is
mandatory.)

To aid such people, both mkinitcpio and dracut install relevant files to
/usr/lib/kernel/install.d/

...

If people think kernel-install is an interesting technology which they
would like to try out, that is fine.

If people think kernel-install is literally the best ever and they must
use it, that's fine too.

I personally don't feel that way, and would rather have the option to
skip the use of kernel-install, and that is fine too.


I'm a bit skeptical, though, of posts which feature, essentially, "I
notice Arch Linux does not bless kernel-install as the official kernel
method of Arch Linux and request that you justify your decision to not
use documented standards[0] and instead use your exclusivist Arch Linux
hooks which merit multiple exclamation marks worth of surprise, because
gosh is this surprisingly surprising".

So I *inverted the question*. (I acknowledge I may have gotten a bit
exaggerated in the process... I apologize. OTOH, I didn't quite intend
my statements about kernel-install 100% seriously.)

-- 
Eli Schwartz
Bug Wrangler and Trusted User


[0] Putting something in a manpage doesn't necessarily make it a
standard, even if you find it really useful and enjoyable to use.





Re: [arch-general] new packaging of the kernel/mkinitcpio/kmod

2019-11-01 Thread Eli Schwartz via arch-general
On 10/31/19 6:19 PM, Geo Kozey via arch-general wrote:
> Thx, my concern was more about maintenance burden for Arch devs vs relying on 
> dracut + kernel-install combo and call it a day.
> If devs prefer to work on exclusive service for Arch users then let it be.

Dracut does not work out of the box (we currently patch it to not use a
nonexistent tool, and the same patch is now in upstream master but with
no release in sight), and has issues like the tests failing on
non-Redhat systems.

Our dracut packager tried to get in touch with the dracut developer,
after a lack of success for quite some time it seems that the individual
in question was on... parental leave, IIRC? I'm not sure what the
current status is.

So the jury is still out on whether dracut or mkinitcpio is more work. ;)

-- 
Eli Schwartz
Bug Wrangler and Trusted User





Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Ralph Corderoy
Hi Maykel,

I don't use fail2ban, but I've just skimmed
https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
You may find the ‘debuggex’ reference useful.

> failregex = Unknown User .* \(<HOST>:.*\)
...
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
...
> Date template hits:
> |- [# of hits] date format
> |  [6] {^LN-BEG}24hour:Minute:Second

I take that to mean it was happy with the timestamp.

> failregex = Unknown User .* \(<HOST>:.*\)

How about

failregex = ^\S+: Unknown User .* \(<HOST>\)$

-- 
Cheers, Ralph.


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Fri, 1 Nov 2019 17:32, Justin Capella via arch-general <
arch-general@archlinux.org> wrote:

> Your regex doesn't look like it would match. If <HOST> is substituted for
> your hostname that part of the regex would need to be before the unknown
> user part
>
> On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
> arch-general@archlinux.org> wrote:
>
> > Hi, I have this rule:
> >
> > jail.conf:
> >
> > [app-user]
> > enabled = true
> > port = 443
> > filter = user-app
> > logpath = /var/log/user-app.log
> > findtime = 1200
> > bantime = 480
> > maxretry = 3
> >
> > ---
> >
> > filter.d:
> >
> > user-app.conf
> >
> >
> > [Definition]
> >
> > failregex = Unknown User .* \(<HOST>:.*\)
> >
> > ignoreregex =
> >
> > ---
> >
> > The content is logfile test /var/log/user-app.log:
> >
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > ---
> >
> > And when test it, not working:
> >
> > fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
> >
> > Running tests
> > =
> >
> > Use   failregex filter file : user-app, basedir: /etc/fail2ban
> > Use log file : user-app.conf
> > Use encoding : UTF-8
> >
> >
> > Results
> > ===
> >
> > Failregex: 0 total
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > |  [6] {^LN-BEG}24hour:Minute:Second
> > `-
> >
> > Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> > [processed in 0.02 sec]
> >
> > |- Missed line(s):
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > Whats wrong? Maybe the left timestamp?
> >
> > Thanks in advanced.
> >
>


The HOST is my client's public IP, not a hostname. I don't understand.

>


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Justin Capella via arch-general
Your regex doesn't look like it would match. If <HOST> is substituted for
your hostname that part of the regex would need to be before the unknown
user part

On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
arch-general@archlinux.org> wrote:

> Hi, I have this rule:
>
> jail.conf:
>
> [app-user]
> enabled = true
> port = 443
> filter = user-app
> logpath = /var/log/user-app.log
> findtime = 1200
> bantime = 480
> maxretry = 3
>
> ---
>
> filter.d:
>
> user-app.conf
>
>
> [Definition]
>
> failregex = Unknown User .* \(<HOST>:.*\)
>
> ignoreregex =
>
> ---
>
> The content is logfile test /var/log/user-app.log:
>
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> ---
>
> And when test it, not working:
>
> fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
>
> Running tests
> =
>
> Use   failregex filter file : user-app, basedir: /etc/fail2ban
> Use log file : user-app.conf
> Use encoding : UTF-8
>
>
> Results
> ===
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [6] {^LN-BEG}24hour:Minute:Second
> `-
>
> Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> [processed in 0.02 sec]
>
> |- Missed line(s):
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> Whats wrong? Maybe the left timestamp?
>
> Thanks in advanced.
>


[arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
Hi, I have this rule:

jail.conf:

[app-user]
enabled = true
port = 443
filter = user-app
logpath = /var/log/user-app.log
findtime = 1200
bantime = 480
maxretry = 3

---

filter.d:

user-app.conf


[Definition]

failregex = Unknown User .* \(<HOST>:.*\)

ignoreregex =

---

The content of the test logfile /var/log/user-app.log:

[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

---

And when I test it, it's not working:

fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf

Running tests
=

Use   failregex filter file : user-app, basedir: /etc/fail2ban
Use log file : user-app.conf
Use encoding : UTF-8


Results
===

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}24hour:Minute:Second
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.02 sec]

|- Missed line(s):
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
|  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)

What's wrong? Maybe the timestamp on the left?

Thanks in advance.