Re: [Fail2ban-users] Block an IP for one day

2024-03-05 Thread James Moe via Fail2ban-users
On 2024-03-05 04:14, Jason Long via Fail2ban-users wrote: > How can I block someone who has entered the wrong password three times in any > given time period? --[ Jail definition ]-- bantime.increment = true bantime.factor = 1 bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20))

[Fail2ban-users] fail2ban-client status output

2024-02-18 Thread James Moe via Fail2ban-users
fail2ban 1.1.0.1 "fail2ban-client status " outputs this (less the banned list): Status for the jail: assp-1 |- Filter | |- Currently failed: 49 | |- Total failed: 59 | `- File list:/usr/local/bin/assp2/logs/maillog.txt `- Actions |- Currently banned: 1557 |- Total banned:

Re: [Fail2ban-users] Help:The number of log files monitored

2024-02-14 Thread James Moe via Fail2ban-users
On 2024-02-14 09:06, 高井 進吾 via Fail2ban-users wrote: > The number of log files monitored based on the conditions listed in the > jail was 7200. > However, when I executed the following command on the server, counted > the files monitored by inotify, and extracted the Fail2ban process from > amo

Re: [Fail2ban-users] Help needed with regex

2023-10-19 Thread James Moe via Fail2ban-users
On 10/19/23 4:49 AM, Marcel Blenkers wrote: The Logfile looks like this: Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109

Re: [Fail2ban-users] no active ban yet nftable holds entries

2023-09-10 Thread James Moe via Fail2ban-users
On 2023-09-08 06:42, lejeczek via Fail2ban-users wrote: > my _fail2ban_ shows no banned ips at all, yet there are entries in nftables, > eg.: > Are you using the provided dovecot definition and filter? What does fail2ban-regex show for your log files? -- James Moe moe dot james at sohnen-moe

Re: [Fail2ban-users] fail2ban mail messages

2023-08-29 Thread James Moe via Fail2ban-users
On 2023-08-29 08:34, François Patte wrote: > When fail2ban bans an IP, I mostly receive a message like this: > >> Hi, >> >> The IP 117.216.138.77 has just been banned by Fail2Ban after > > But sometimes, I receive a message like this: > It is the base64 encoding of the above. Without seeing

Re: [Fail2ban-users] Fwd: apache-proxy

2023-05-21 Thread James Moe via Fail2ban-users
On 2023-05-19 13:49, François Patte wrote: > # fail2ban-regex --print-all-missed /var/log/fail2ban.log > /etc/fail2ban/filter.d/apache-proxy.conf > You are testing fail2ban's log file. Shouldn't that be an apache log? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] Problems with dovecot filter

2023-04-30 Thread James Moe via Fail2ban-users
On 2023-04-29 16:56, Jim Wright wrote: > All of my config files are stock, except for jail.local.  > Pasting the relevant section for that as well. > I really do not see where the stock dovecot failregex detects "unknown user," or "sql()" to collect the IP address. You could try adding the

Re: [Fail2ban-users] Problems with dovecot filter

2023-04-29 Thread James Moe via Fail2ban-users
On 2023-04-29 08:15, Jim Wright wrote: > [wright@localhost fail2ban] $ fail2ban-regex --print-all-matched > /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf > > Running tests > = > Results > === > > Prefregex: 45677 total > | ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-25 Thread James Moe via Fail2ban-users
On 2023-04-24 11:16, Wayne Sallee wrote: > No. Why would I want to do that? > So that fail2ban-server sees the data log as a new file and starts scanning it from the beginning. The way you showed your configuration would fit into a shell script quite easily. Change the data log filename for ea

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-22 Thread James Moe via Fail2ban-users
On 2023-04-21 12:32, Wayne Sallee via Fail2ban-users wrote: > Looking at my test, you can see that I copied logs into the testing log file, > so that fail2ban would see the new entries. > Hmm. Maybe. I never tried re-using a data log file. Here are a couple of ideas: - change the name of the

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-21 Thread James Moe via Fail2ban-users
On 2023-04-21 06:25, Wayne Sallee via Fail2ban-users wrote: > I ran regular fail2ban, and fail2ban-regex at the same time. If you look at > my test, you can see what I did. Fail2ban > did nothing, but fail2ban-regex matched 8. > What is "regular fail2ban"? Do you mean fail2ban-server? fail2

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-20 Thread James Moe via Fail2ban-users
On 2023-04-20 06:12, Wayne Sallee via Fail2ban-users wrote: > The fail2ban-regex showed all 8 lines matching, but the regular fail2ban jail > [testing] showed no action, not even a > "found" response. > There is no command "fail2ban jail ...". -- James Moe moe dot james at sohnen-moe dot com

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-19 Thread James Moe via Fail2ban-users
On 2023-04-19 09:18, Wayne Sallee via Fail2ban-users wrote: > fail2ban-regex /var/log/fail2ban-jail-testing.log > /etc/fail2ban/filter.d/testing.conf > Lines: 8 lines, 0 ignored, 8 matched, 0 missed > I do not see the problem. It correctly matched 8 log entries. > tail -F -n 100 /var/log/fail

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-17 Thread James Moe via Fail2ban-users
On 2023-04-17 10:19, Wayne Sallee via Fail2ban-users wrote: > My issue is that I can use an online regex like > https://regex101.com > and get matches. > But use fail2ban-regex, and get worse results, > "My first thing is better than the second thing but I can't use the first thing, and the thir

Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not

2023-04-17 Thread James Moe via Fail2ban-users
On 2023-04-17 08:27, Wayne Sallee via Fail2ban-users wrote: > Why does fail2ban not match when fail2ban-regex does match? > It makes fail2ban-regex almost useless. > Are you responding to another message? Do you have a specific issue? -- James Moe moe dot james at sohnen-moe dot com 520.743.

Re: [Fail2ban-users] Virtual hosts rotatelogs & Fail2ban

2023-04-10 Thread James Moe via Fail2ban-users
On 2023-04-09 10:22, Endre Paller wrote: > My question is how can I configure fail2ban to always notice the current log > files? > I use a symbolic link as the log file name for the jail. A Cron job is run whenever the new file is due to change. In my case that is once per day; for you that wo

Re: [Fail2ban-users] SOLVED Regex not found by fail2ban, found by fail2ban-regex

2023-04-03 Thread James Moe via Fail2ban-users
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote: > Fail2ban-regex matches the regex in the log files. Fail2ban itself does not. > I found the problem. Yay. The logfile the jail uses is a symbolic link. It is refreshed every night at midnight. The target log file is re-created

Re: [Fail2ban-users] Regex not found by fail2ban, found by fail2ban-regex

2023-03-31 Thread James Moe via Fail2ban-users
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote: > Fail2ban-regex matches the regex in the log files. Fail2ban itself does not. > I had thought a specific regex was failing to match. Further testing shows that the whole jail acts as though it is disabled. "enabled = true"

Re: [Fail2ban-users] Regex not found by fail2ban, found by fail2ban-regex

2023-03-30 Thread James Moe via Fail2ban-users
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote: > Could this issue be possibly related to the "ignoreregex"? > Nope. I removed the ignoreregex rule. It made no difference to the failure to match. -- James Moe moe dot james at sohnen-moe dot com 52

[Fail2ban-users] Regex not found by fail2ban, found by fail2ban-regex

2023-03-30 Thread James Moe via Fail2ban-users
fail2ban v1.0.1.1 Fail2ban-regex matches the regex in the log files. Fail2ban itself does not. ---[ filter ] failregex = ^.*SMTPI.*\(\[\].*\).*?failed to open.*\:(465|587)\..*Error Code=unknown user account.*$ ^.*SMTPI.*\(\[\].*\).*?failed to open.*\:(465|587)\..*Error Code=accoun

Re: [Fail2ban-users] A regular expression for a NOT condition

2023-03-22 Thread James Moe via Fail2ban-users
On 2023-03-22 14:03, Nick Howitt via Fail2ban-users wrote: > Use an "ignoreregex = 127\.0\.0\.1" line. > That works! Thank you. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think. ___ Fail2ban-users mailing list Fail2ban-users@lis

[Fail2ban-users] A regular expression for a NOT condition

2023-03-22 Thread James Moe via Fail2ban-users
We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it is always a dictionary attack. We also have a SPAM proxy (ASSP) that filters incoming mail before sending a connection to the mail server; the connections are for ports 25 and 587. The mail server logs these connecti

Re: [Fail2ban-users] multiline match?

2022-03-07 Thread James Moe via Fail2ban-users
On 2022-03-07 11:45, James Moe via Fail2ban-users wrote: > The vertical bar allows multi-line expressions. Below is a sample given the > log entries you provided. > (Sigh.) Do not know what I was thinking. I apologize for the confusing, and wrong, post. -- James Moe moe dot james

Re: [Fail2ban-users] multiline match?

2022-03-07 Thread James Moe via Fail2ban-users
On 2022-03-07 03:15, Richard Hector wrote: > Mar  6 16:17:38 akl-host6 sshd[33035]: error: > kex_exchange_identification: Connection closed by remote host > Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by > 46.19.139.18 port 32834 > (I am a little late to the party.) The vertical

Re: [Fail2ban-users] Troubles setting up regex filter SOLVED!

2022-03-07 Thread James Moe via Fail2ban-users
On 2022-03-06 13:49, Marc Chamberlin via Fail2ban-users wrote: >> Note the addition of "\@". >> > Thanks a million James, that works! I am not sure I grok why (I sorta do > halfway) so I will ponder on it. > I am not clear either. I do know it is a special character in regexes. In PERL it is us

Re: [Fail2ban-users] Troubles setting up regex filter

2022-03-06 Thread James Moe via Fail2ban-users
On 2022-03-05 11:43, Marc Chamberlin via Fail2ban-users wrote: > fail2ban-regex -v -v -l HEAVYDEBUG "2022-03-05 09:30:18,739 ERROR | > org.apache.james.protocols.api.handler.CommandHandler | AUTH method > LOGIN failed from r...@marcchamberlin.com@87.246.7.246" > "^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w

Re: [Fail2ban-users] Warning message: Please check jail has possibly a timezone issue. Line with odd timestamp:

2022-03-01 Thread James Moe via Fail2ban-users
On 2022-02-28 13:02, Sophie wrote: > Thanks James, but this did not work for me: > > # fail2ban-client reload nginx-x00 > 2022-02-28 20:00:11,303 fail2ban[419372]: ERROR NOK: > ("No failure-id group in '%d/%m/%Y:%H:%M:%S'",) > No failure-id group in '%d/%m/%Y:%H:%M:%S' > Si

Re: [Fail2ban-users] Warning message: Please check jail has possibly a timezone issue. Line with odd timestamp:

2022-02-27 Thread James Moe via Fail2ban-users
On 2022-02-26 12:15, James Moe via Fail2ban-users wrote: > Try adding this (the escaped "%" is necessary): > datepattern = %%m/%%d/%%Y:%%H:%%M:%%S > Bzzt! Wrong. This one: datepattern = %%d/%%m/%%Y:%%H:%%M:%%S > >> 35.205.35.197 - - [01/Feb/2022:03:10:

Re: [Fail2ban-users] Warning message: Please check jail has possibly a timezone issue. Line with odd timestamp:

2022-02-26 Thread James Moe via Fail2ban-users
On 2022-02-26 01:46, Sophie Loewenthal wrote: > # cat filter.d/nginx-x00.conf > > [Definition]> failregex = ^ .* ".*\\x.*" .*$ > Try adding this (the escaped "%" is necessary): datepattern = %%m/%%d/%%Y:%%H:%%M:%%S > 35.205.35.197 - - [01/Feb/2022:03:10:28 +] >> "GET / HTTP/1.1" > 200 127

Re: [Fail2ban-users] Warning message: Please check jail has possibly a timezone issue. Line with odd timestamp:

2022-02-25 Thread James Moe via Fail2ban-users
On 2022-02-24 11:01, Graham B. wrote: > I had this message from fail2ban after an upgrade from Debian 9 > to 10 for many months. > > How could I mend these jails? > > ** WARNINGS ** >[nginx-x1] Please check jail has possibly a timezone issue. Line > with odd timestamp: 35.205.35.197 - - [01/Fe

Re: [Fail2ban-users] An explanation of the "status" report?

2022-02-25 Thread James Moe via Fail2ban-users
On 2022-02-23 04:07, Tim Boneko via Fail2ban-users wrote: >> Status for the jail: assp-4 >> - Filter >>   |- Currently failed:  0 >>   |- Total failed:  5 >>   `- File list: /usr/local/bin/assp2/logs/maillog.txt >> `- Actions >>    |- Currently banned: 17 >>    |- Total banned: 17 >>    `-

[Fail2ban-users] An explanation of the "status" report?

2022-02-22 Thread James Moe via Fail2ban-users
fail2ban 0.11 Would someone explain the status report? - What is the difference between "currently" and "total?" - What are the reporting time periods for "currently" and "total?" Status for the jail: assp-4 - Filter |- Currently failed: 0 |- Total failed: 5 `- File list: /usr/local/b

Re: [Fail2ban-users] Multiple attempts on a single connection

2021-10-18 Thread James Moe via Fail2ban-users
On 2021-10-18 07:39, Krzysztof Adamski wrote: >> Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn >> unix:auth- >> worker (pid=41188,uid=108): auth-worker<119>: >> sql(orders,219.145.118.23,): unknown user (given >> password: qwer1234) >> >> > I was wrong, the auth-worker failures are

Re: [Fail2ban-users] "Already banned" makes no sense

2021-07-15 Thread James Moe via Fail2ban-users
On 7/13/21 11:59 AM, Nick Howitt wrote: > Suricata is a Snort alternative. If it is anything like Snort, it can be > configured to be inside or outside the firewall. In ClearOS, it is > outside the firewall but I assume for other distros it is user configurable. > I am not clear what you mean

Re: [Fail2ban-users] "Already banned" makes no sense

2021-07-13 Thread James Moe via Fail2ban-users
On 7/13/21 12:34 AM, Tom Hendrikx wrote: > Please post full configuration if you're not sure what to look for. I > have no idea what 'suricata' is though > Suricata is an Intrusion Detection/Prevention Software. [ jail ] [suricata-1] enabled = true logpath = /data01/var/log/suricat

[Fail2ban-users] "Already banned" makes no sense

2021-07-12 Thread James Moe via Fail2ban-users
fail2ban v1.0.1.1 opensuse tumbleweed, linux v5.13.0 Messages as shown below occasionally are in the log. It does not make much sense. If the IP is banned, how can it be detected in the target log? 2021-07-11 16:15:31,136 fail2ban.filter [10710]: INFO[suricata-1] Found 65.205.231.167

Re: [Fail2ban-users] Is this list active?

2021-06-18 Thread James Moe via Fail2ban-users
On 6/17/21 2:56 PM, Castillo Izquierdo, Javier wrote: > It is active, at least I receive your message from the list > Okay. Thanks. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

[Fail2ban-users] Is this list active?

2021-06-17 Thread James Moe via Fail2ban-users
Hello, There has been no activity for weeks. - Is the list still active? - Has the list moved elsewhere? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

[Fail2ban-users] Jail not finding instances of jailable IPs

2021-05-28 Thread James Moe via Fail2ban-users
fail2ban v0.10.4 opensuse tumbleweed v Fail2ban is not detecting live instances of IPs that should be banned. Below is the result of fail2ban-regex using the same filter and log file as the f2b server. 73 found. 0 banned. F2b has not found an instance of jail "cgpro-imap" in days. Where pre

Re: [Fail2ban-users] F2b incorrectly reporting banned

2021-05-08 Thread James Moe via Fail2ban-users
On 5/8/21 11:03 AM, Dan Egli wrote: > That list is nearly 400 > IPs long! So I was curious. I look at fail2ban.log. It's noticing > everything okay, but it keeps saying the hosts are already banned. They > are not. > fail2ban is not all that stable. We have v0.10.4. It seems that every 2-3 we

Re: [Fail2ban-users] regex failing

2021-05-08 Thread James Moe via Fail2ban-users
On 5/7/21 6:44 PM, Dan Egli wrote: > Okay. So now let's throw it into an EXTREMELY SIMPLE config file: > [Definition] > failrexex = ".*#.*" > ignoreregex = > > Result: # fail2ban-regex test.log $PWD/test.conf > I had a similar problem with test files. I discovered (quite accidentally) tha

[Fail2ban-users] [jmm] Mystery log entry

2021-04-14 Thread James Moe via Fail2ban-users
fail2ban v0.10.4 Found in the log today: 2021-04-14 07:24:17,861 fail2ban.ipdns [31473]: WARNING Unable to find a corresponding IP address for IP: [Errno -2] Name or service not known It found a match to ... what? Could not find an IP address for an IP address? -- James Moe moe dot james at

Re: [Fail2ban-users] Need help setting up a jail for WeeChat

2021-01-29 Thread James Moe via Fail2ban-users
On 1/27/21 5:02 AM, Richard Muhler via Fail2ban-users wrote: > 2021-01-27 12:52:01=!=relay: authentication failed with client > 1/ssl.weechat/XX.XXX.XXX.X > 2021-01-27 12:52:09=!=relay: authentication failed with client > 1/ssl.weechat/XX.XXX.XXX.X > 2021-01-27 12:53:57relay: client 1/ssl.weechat/

Re: [Fail2ban-users] Fail2ban ignoring exim completely

2021-01-19 Thread James Moe via Fail2ban-users
On 1/19/21 1:10 AM, Dan Egli wrote: > Thanks! I took your idea, modified it just a bit, and it works well > enough now. > Excellent! -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] Fail2Ban finding but not blocking.

2021-01-19 Thread James Moe via Fail2ban-users
On 1/19/21 2:33 AM, Dan Mahoney (Gushi) wrote: > The snippet I showed included two or three seconds, which should have been > enough to make a decision. It was more than the threshold of N hits in N > seconds, certainly. > I did not realize the size of the problem. Your conjecture that f2b

Re: [Fail2ban-users] Fail2ban ignoring exim completely

2021-01-18 Thread James Moe via Fail2ban-users
On 1/16/21 7:15 PM, Dan Egli wrote: > Hey people, I don't know what's going on with F2B lately, but it seems > to be completely ignoring anything happening with exim. Even > fail2ban-regex won't pick anything up, and I tried doing it with a > direct match. > I offered a solution on Dec 27, 202

Re: [Fail2ban-users] Fail2Ban finding but not blocking.

2021-01-18 Thread James Moe via Fail2ban-users
On 1/17/21 12:21 PM, Dan Mahoney (Gushi) wrote: > From what you're saying it sounds like fail2ban has to hit the EOF marker, > which would imply as long as one could fill the logs faster than fail2ban > can count, you can evade a block. > F2b starts a scan at the last position it stopped for t

Re: [Fail2ban-users] Fail2Ban finding but not blocking.

2021-01-17 Thread James Moe via Fail2ban-users
On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote: > We have a regex that "matches" but I watch fail2ban.log with "tail > -F" and I watch match and match and match > and not ban. > I see a similar pattern here for this reason: When f2b scans a log file it finds multiple log entries of an attack, a

Re: [Fail2ban-users] Fail2Ban finding but not blocking.

2021-01-15 Thread James Moe via Fail2ban-users
On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote: > We have a regex that "matches" but I watch fail2ban.log with "tail > -F" and I watch match and match and match > and not ban. > Show your jail and filter conf. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] fail2ban regex ignore

2021-01-04 Thread James Moe via Fail2ban-users
On 1/4/21 5:09 PM, arsdale...@gmail.com wrote: > failregex = (?i) -.*"(GET|POST|HEAD).*HTTP.*(?:%(badbots)s).*"$ > I verified that the regex does indeed match the "badhosts" list using fail2ban-regex. I cannot, however, discover why. fail2ban-regex does not print the exact text that was matche

Re: [Fail2ban-users] fail2ban regex ignore

2021-01-04 Thread James Moe via Fail2ban-users
On 1/4/21 12:58 PM, Tommy wrote: > 192.168.1.1 - - [04/Jan/2021:16:07:24 +] "POST /auth/token HTTP/1.1" 200 > 232 > "-" "Extensions-NotificationService/2020.7 > (io.robbie.HomeAssistant.APNSAttachmentService; build:11; iOS 14.2.0) > Alamofire/4.9.1" > > Could someone please either point me t

Re: [Fail2ban-users] fail2ban not picking up on attacks

2020-12-27 Thread James Moe via Fail2ban-users
On 12/26/20 1:44 PM, Dan Egli wrote: > failregex = fixed_login_exim4u authenticator failed for (User) .* >     fixed_login_exim4u authenticator failed for .* >     locally blacklisted for a bruteforce >     H=(.*) .* AUTH command used when not adverti

Re: [Fail2ban-users] fail2ban not picking up on attacks

2020-12-21 Thread James Moe via Fail2ban-users
On 12/19/20 3:51 PM, Dan Egli wrote: > 2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for > (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect > The problem may be your date pattern. Try adding to your filter conf: datepattern = %%Y-%%m-%%d %%H:%%M:%%S.%%f Have you

Re: [Fail2ban-users] fail2ban not picking up on attacks

2020-12-20 Thread James Moe via Fail2ban-users
On 12/19/20 3:51 PM, Dan Egli wrote: > As an example, I have the following filter, among others, in my > exim.local.conf file: >     fixed_login_exim4u authenticator failed for .* > Show us the jail conf and filter. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 T

Re: [Fail2ban-users] Postfix filter finds IPs, fails to ban them

2020-10-23 Thread James Moe via Fail2ban-users
On 10/23/20 8:47 AM, Tom via Fail2ban-users wrote: > As you can see, postfix-sasl has no trouble banning. I'm running > fail2ban-0.11.1-10.fc32.noarch. Any ideas how to track down this elusive > problem? > List your jails and filters? -- James Moe moe dot james at sohnen-moe dot com 520.743.

Re: [Fail2ban-users] Fail2ban not catching offenders

2020-10-17 Thread James Moe via Fail2ban-users
On 10/16/20 6:35 PM, Dan Egli wrote: > # grep 103.154.241.29 fail2ban.log -c > 113 > > Wait a minute, 113 times, and yet it has never banned them!? > # grep "Ban 103.154.241.29" fail2ban.log -c > 0 > What is in the log file regarding that IP address? Are the log entries only "Found"? Or is ther

Re: [Fail2ban-users] Fail2ban not catching offenders

2020-10-17 Thread James Moe via Fail2ban-users
On 10/17/20 11:32 AM, Dan Egli wrote: > 2020-10-17 14:30:13,666 fail2ban.configreader   [1625305]: ERROR   Found > no accessible config files for 'filter.d/exim.local' under /etc/fail2ban > Now that the exim jail is enabled, it would seem you need to add your regex to a file in filter.d/exim.loc

Re: [Fail2ban-users] Fail2ban not catching offenders

2020-10-16 Thread James Moe via Fail2ban-users
On 10/16/20 10:13 AM, Dan Egli wrote: > The I= address is MY ip. > Ah. I guessed incorrectly. Also the "datepattern" was necessary. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] Fail2ban not catching offenders

2020-10-16 Thread James Moe via Fail2ban-users
On 10/15/20 6:36 PM, Dan Egli wrote: > 2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" H=(User) > [103.154.241.29] I=[209.141.58.25]:25 AUTH command used when not advertised > > And it's happened REPEATEDLY: > Try this (lines are wrapped :-( ) fail2ban v0.10.4: failregex = ^.*SMTP

Re: [Fail2ban-users] Documentation?

2020-08-22 Thread James Moe via Fail2ban-users
On 8/20/20 10:04 AM, James Moe via Fail2ban-users wrote: > Where may I find proper documentation for fail2ban? > Really? Either it is so obvious, or there are only bits and pieces? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936

Re: [Fail2ban-users] How to not ban a range of IP addresses

2020-08-22 Thread James Moe via Fail2ban-users
On 8/21/20 11:28 AM, James Moe via Fail2ban-users wrote: > Thank you Florian and James. That nicely does the job. > Urk. Thank you Florian and Dominic. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] How to not ban a range of IP addresses

2020-08-21 Thread James Moe via Fail2ban-users
On 8/20/20 3:29 PM, James Moe via Fail2ban-users wrote: > Is there a way to specify a range of IP addresses that are not to be banned? > Thank you Florian and James. That nicely does the job. -- James Moe moe dot james at sohnen-moe dot com 520.743.3936

[Fail2ban-users] How to not ban a range of IP addresses

2020-08-20 Thread James Moe via Fail2ban-users
fail2ban 0.10.4 I have a rule that triggered on a log entry for naughty DNS actions, as it should have. However, the source of the offending entry was a local host, a rather unexpected action that blocked name resolution for the host (and aggravated the user). Is there a way to specify a range of

Re: [Fail2ban-users] regex exim help requested pid thread host etc

2020-08-20 Thread James Moe via Fail2ban-users
On 8/18/20 12:32 PM, Steve Charmer wrote: > 2020-08-18 12:02:48 [13110] 1k844V-0003PS-LP H=(mail-pg1-f181.google.com > ) [209.85.215.181]:38343 > I=[10.0.0.0]:25 Warning: EXIM-SPAMMASSASSIN-EXCESSIVE-FAIL2BAN > > my attempt at regex > > failregex =  ^%(pid)s \S+

[Fail2ban-users] Documentation?

2020-08-20 Thread James Moe via Fail2ban-users
Where may I find proper documentation for fail2ban? The wiki offers a blank page for its manual. Is the source code the only option? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-17 Thread James Moe via Fail2ban-users
On 2020-05-15 4:31 PM, Doug Preston via Fail2ban-users wrote: > Yea I tried it, it didn't find the lost connection after EHLO from unknown, > > I will keep trying to get it figured out. I mean I could just add them > manually but I prefer using fail2ban and not have to manually add them > I d

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-15 Thread James Moe via Fail2ban-users
On 2020-05-15 10:15 AM, Doug Preston via Fail2ban-users wrote: > I wonder if my versions handle regex any different.  Anyone else running > these versions that can test this? > From your comment you are not experiencing joy. Did you test the postfix.conf I offered? How was it insufficient?

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-15 Thread James Moe via Fail2ban-users
On 2020-05-14 12:04 PM, Doug Preston via Fail2ban-users wrote: >> Lines: 5 lines, 0 ignored, 5 matched, 0 missed >> [processed in 0.01 sec] >> > What version of fail2ban are you running?  What OS, I am running Centos 7 > Fail2Ban v0.10.4 opensuse LEAP 15.1 -- James Moe moe dot james at sohnen-mo

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-14 Thread James Moe via Fail2ban-users
On 2020-05-13 4:44 PM, Doug Preston via Fail2ban-users wrote: >>> I don't get any hits even though there were 163 lines with this in it. >>> >>Provide samples of the lines that are not matching. >>And your postfix.conf filter. > postfix.conf > Using the info you provided, the result is b

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-13 Thread James Moe via Fail2ban-users
On 2020-05-12 12:37 PM, Doug Preston via Fail2ban-users wrote: > fail2ban-regex /var/log/maillog-20200510 > /etc/fail2ban/filter.d/postfix.conf > The regex I offered was tested against your samples; it matched. > I don't get any hits even though there were 163 lines with this in it. > Provi

Re: [Fail2ban-users] need help with filterd/postfix.conf

2020-05-10 Thread James Moe via Fail2ban-users
On 2020-05-08 2:54 PM, Doug Preston via Fail2ban-users wrote: > May  7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO > from unknown[185.50.149.26] ^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[\].* -- James Moe moe dot james at sohnen-moe dot com 520.743.393

Re: [Fail2ban-users] Help for failregex in my custom filter

2020-05-04 Thread James Moe via Fail2ban-users
On 2020-05-04 12:06 PM, Gao wrote: > [Mon May 04 09:15:10.359034 2020] [:error] [pid 17835] [client > 10.36.36.16:10513] LDAP - Bind user error 49 (Invalid credentials), > referer: https://web.company.com/index.php > Try this: ^.*\[client.*\:.*\] LDAP - Bind user error 49.* -- James Moe mo

Re: [Fail2ban-users] Spam FROM LOCAL [216.105.38.7]:50504

2020-03-09 Thread James Moe via Fail2ban-users
On 2020-03-08 3:35 AM, ratatouille via Fail2ban-users wrote: > I only see this in the logfile: > > 2020-03-08 05:58:44,167 fail2ban.filter [...] > > Is 2020-03-08 05:58:44,167 the datepattern or is it 08/Mar/2020:05:58:44 > +0100? > How do I correct it? > If that is the actual log entry, the

Re: [Fail2ban-users] set datepattern

2020-03-07 Thread James Moe via Fail2ban-users
On 2020-03-07 11:26 AM, ratatouille via Fail2ban-users wrote: > I have warnings in the logfile like "Please try setting a custom date > pattern". > Tried different things but all failed with errors. > > How do I set a correct datepattern in jail.conf? > What is the date pattern in the log? T

Re: [Fail2ban-users] dovecot blocking overly aggressive, possible mode

2020-01-08 Thread James Moe via Fail2ban-users
On 2020-01-08 9:32 AM, Robert Kudyba wrote: > I can find no doc for mdre-aggressive. Or mdre-* at all. > See https://sourceforge.net/p/fail2ban/mailman/message/36362859/ > Thank you. Alas, the thread you reference does not provide information about the "mdre-*" directives, what they are for,

Re: [Fail2ban-users] dovecot blocking overly aggressive, possible mode selection problem

2020-01-07 Thread James Moe via Fail2ban-users
On 2020-01-06 8:19 PM, Courtney Rosenthal wrote: > The problem appears to be that the aggressive regex is being selected, and I > could use some help figuring out why and how to stop that. > I can find no doc for mdre-aggressive. Or mdre-* at all. Why do you have mdre-aggressive? It appears t

Re: [Fail2ban-users] dovecot blocking overly aggressive, possible mode selection problem

2020-01-06 Thread James Moe via Fail2ban-users
On 2020-01-05 11:33 AM, Courtney Rosenthal wrote: > ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth > failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) > \S+ > auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method= > \S+,)? rip=(?:[^>]*(?

Re: [Fail2ban-users] dovecot blocking overly aggressive, possible mode selection problem

2020-01-05 Thread James Moe via Fail2ban-users
On 2020-01-04 11:12 AM, Courtney Rosenthal wrote: > I'm having a problem where legitimate mail (postfix) and imap (dovecot) users > are getting blocked ... but let's just take dovecot right now. > What are your filters' regexes? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936

[Fail2ban-users] When to decide that fail2ban is not a good solution

2019-09-22 Thread James Moe via Fail2ban-users
fail2ban 0.10.3 opensuse 15.0 We use suricata to detect and optionally block bad actors. We recently set up a DNS server for a new domain. Said bad actors started abusing the server within a day with the DoS DNS Amplification attack. Suricata is set to block those packets. To ease the burd

Re: [Fail2ban-users] Jail has an UnknownJailException

2019-09-18 Thread James Moe via Fail2ban-users
On 17/09/2019 1.35 PM, James Moe via Fail2ban-users wrote: > When I attempt to start the jail, I receive > $ fail2ban-client restart suricata-1 > 2019-09-17 13:12:55,019 fail2ban [12287]: ERROR NOK: ('suricata-1',) > Sorry but the jail 'suricata-1' does not exi

Re: [Fail2ban-users] Jail has an UnknownJailException

2019-09-17 Thread James Moe via Fail2ban-users
On 17/09/2019 1.35 PM, James Moe via Fail2ban-users wrote: > [ jail ] > [suricata-1] > action = iptables[name=suri-1, protocol=udp] > [ end ] > I realized it is missing a destination port number. Changing the action to action = iptables[name=suri-1, port="

[Fail2ban-users] Jail has an UnknownJailException

2019-09-17 Thread James Moe via Fail2ban-users
Hello, fail2ban 0.10.3.fix1 opensuse 15.0 I created a new jail to block a denial-of-service DNS attack. The source port of the attack can be anything. fail2ban-regex matches the date and test patterns. When I attempt to start the jail, I receive $ fail2ban-client restart suricata-1 2019-0

Re: [Fail2ban-users] bans not working

2019-08-25 Thread James Moe via Fail2ban-users
On 24/08/2019 6.45 PM, Mike wrote: > I've moved ssh to a non-standard port and it has been discovered by > some hackers. I'm noticing repeated attempts to connect and login > even though the IPs are supposedly banned. > > NOTICE [sshd] 54.34.136.87 already banned > I do not understand, if I'v

Re: [Fail2ban-users] Ban on source ip and port

2019-07-31 Thread James Moe via Fail2ban-users
On 29/07/2019 5.30 PM, Bill Shirley wrote: > Indeed, not only do I need to ban on the source IP, but also on the source port. > My log file entries expose this in a pretty standard form : src_ip:port > > Is this feasible at all with f2b? > ...\:port_number... -- James Moe moe dot james at soh

Re: [Fail2ban-users] Regex not working

2019-06-12 Thread James Moe via Fail2ban-users
On 12/06/2019 12.00 AM, Tom Hendrikx wrote: > The first failure line has ":" after the ip address, but the second > line hasn't, but your regex requires the colon. Remove the requirement > for the colon and you're good. > Quite so. Thank you. -- James Moe moe dot james at sohnen-moe dot com

[Fail2ban-users] Regex not working

2019-06-11 Thread James Moe via Fail2ban-users
fail2ban v0.10.3 linux v4.12.14-lp150.12.58-default x86_64 The second regex (...Error Code=unknown...) below is not matching the second example. fail2ban-regex was not helpful even with --verbosity=4; it only matched the date pattern. The first regex matches without a problem. Does anyone se

Re: [Fail2ban-users] (no subject)

2019-02-13 Thread James Moe via Fail2ban-users
On 12/02/2019 1.12 PM, tonny wrote: > You made my day :) > > still wondering why it worked before, but happy it works again THNX! > (I have been close, I just missed the escaping '%') > Along with the OS update other libraries may have updated that affected how regular expressions are evaluated.

Re: [Fail2ban-users] (no subject)

2019-02-12 Thread James Moe via Fail2ban-users
On 11/02/2019 1.06 PM, tonny wrote: > # Fail2Ban filter lighttpd// > # > Try adding this: datepattern = %%d/%%b/%%Y:%%H:%%M:%%S -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think. ___ Fail2ban-users mailing list Fail2ban-users@lis

Re: [Fail2ban-users] (no subject)

2019-02-11 Thread James Moe via Fail2ban-users
On 11/02/2019 12.49 AM, Tonny Oitp wrote: > In the /var/log/fail2ban.log I get the error > It does not like the date format. What are your filter rules? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think. ___ Fail2ban-users ma

Re: [Fail2ban-users] Ban IPs that try to "wget" in the request

2018-11-24 Thread James Moe via Fail2ban-users
On 24/11/2018 6.58 AM, Kevin S/Lucas Y wrote: > I try to ban IPs that try to wget something into my server. > How am I going to do the failregex? > For example: > Nov 20 18:04:28 ubuntu haproxy[12789]: ***:39636 > [20/Nov/2018:18:04:28.627] http_front http_back/main 286/0/4/25/315 400 > 39

Re: [Fail2ban-users] "Already banned"?

2018-10-03 Thread James Moe via Fail2ban-users
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote: > The issue, then, is that the actual banning part is not happening. > Where have I gone awry? > The purpose of commissioning fail2ban is to reduce the load on suricata, an intrusion prevention service; suricata is the

Re: [Fail2ban-users] "Already banned"?

2018-10-02 Thread James Moe via Fail2ban-users
On 10/1/18 11:32 AM, Nick Howitt wrote: > the output of "iptables -nvL" > Hmm. Looking at the output of above is this: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2103K 873M NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0

Re: [Fail2ban-users] "Already banned"?

2018-10-02 Thread James Moe via Fail2ban-users
On 10/1/18 11:32 AM, Nick Howitt wrote: > That suggests a problem as your messages are 13min apart. > Why? Isn't that how f2b is supposed to work? By finding at least two instances of an undesirable IP address within a given time period? > I think you > were using iptables. What is the output o

Re: [Fail2ban-users] "Already banned"?

2018-10-01 Thread James Moe via Fail2ban-users
On 10/1/18 12:10 AM, Nick Howitt wrote: > It is all to do with the sequence of events on your box and which > element f2b is trying to detect. > In that case I would expect a single entry for a given IP address. There are many such entries. Recent examples below. For each example there is an

Re: [Fail2ban-users] "Already banned"?

2018-09-30 Thread James Moe via Fail2ban-users
On 9/30/18 4:35 PM, James Moe via Fail2ban-users wrote: > How do I ask iptables what is banned by fail2ban? > Found it: $ iptables --list-rules f2b-assp And here is the entry for the example IP: -A f2b-assp -s 185.36.81.145/32 -j REJECT --reject-with icmp-port-unreachable I have f

Re: [Fail2ban-users] "Already banned"?

2018-09-30 Thread James Moe via Fail2ban-users
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote: > It does not appear that fail2ban is actually banning IP addresses. > How do I ask iptables what is banned by fail2ban? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936

Re: [Fail2ban-users] "Already banned"?

2018-09-30 Thread James Moe via Fail2ban-users
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote: > It does not appear that fail2ban is actually banning IP addresses. > Below are (I hope) relevant data. > There is also this filter: [Definition] __assp_actions = (?:dropping|refusing) # Capture failed logins

[Fail2ban-users] "Already banned"?

2018-09-30 Thread James Moe via Fail2ban-users
Hello, fail2ban 0.10.3.fix1 linux 4.12.14-lp150.12.7-default x86_64 It does not appear that fail2ban is actually banning IP addresses. Below are (I hope) relevant data. The log entries for the proxy show connection from a supposedly blocked IP. fail2ban later notices it and complains that

Re: [Fail2ban-users] If an IP is "already banned, " why was it found?

2018-08-26 Thread James Moe via Fail2ban-users
On 08/25/2018 12:09 PM, Tony Collins wrote: > Could you perhaps run this command and paste in the output: > > grep 200.29.108.214 /usr/local/bin/assp2/logs/maillog.txt > > This will search your mail log just for the entries from that specific > IP address, so we can see what it's doing to you. >
