You aren't including the ignoreregex argument with this:

 fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf

If the ignoreregex and the failregex are both in your guacamole.conf, the 
command is this:

 fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf

Notice the /etc/fail2ban/filter.d/guacamole.conf is written twice in the 
command. That should do it.

Mike

----- Original Message -----
From: "Cristiano Nuzzo" <crinu...@gmail.com>
To: fail2ban-users@lists.sourceforge.net
Sent: Monday, February 9, 2015 3:48:45 PM
Subject: Re: [Fail2ban-users] can't make ignoreregex working



This is a copy/paste of my terminal window, thanks in advance

pippo@faxservernew:~$ fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log /etc/fail2ban/filter.d/guacamole.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
Use maxlines : 2
Use log file : /var/log/tomcat6/catalina.2015-02-09.log
Use encoding : UTF-8


Results
=======

Failregex: 129 total
|- #) [# of hits] regular expression
| 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$

`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [134] MON Day, Year 12hour:Minute:Second AMPM
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] ^MON-Day-Year2 24hour:Minute:Second

On Mon, Feb 9, 2015 at 9:40 PM, Arturo 'Buanzo' Busleiman < bua...@buanzo.com.ar > wrote:



Please, show the complete command line for fail2ban-regex, which should include 
a 3rd argument. 


On Mon, Feb 9, 2015 at 5:35 PM, Cristiano Nuzzo < crinu...@gmail.com > wrote: 



Hi everybody, I'm using guacamole.conf to ban users that fail login,

this is my guacamole.conf: 

# 
# Author: Steven Hiscocks 
# 

[Definition] 

# Option: failregex 
# Notes.: regex to match the password failures messages in the logfile. 
# Values: TEXT 
# 
failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$

# Option: ignoreregex 
# Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT 
# 

ignoreregex = user "null" 

and this is a tail of my log file: 

INFO: User "pippo" successfully authenticated from 217.200.201.249. 
Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info 
INFO: Login was successful. 
Feb 09, 2015 7:38:33 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 217.200.201.249 for user "null" failed. 
Feb 09, 2015 7:38:41 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed. 
Feb 09, 2015 7:38:42 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed. 
Feb 09, 2015 7:38:43 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed. 
Feb 09, 2015 8:08:31 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed. 
Feb 09, 2015 8:08:40 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed. 
Feb 09, 2015 8:08:44 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed. 
Feb 09, 2015 8:08:49 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed. 
Feb 09, 2015 8:08:53 PM org.slf4j.impl.JCLLoggerAdapter warn 
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed. 

Guacamole generates null logins by itself on every page load, so I want fail2ban
to ignore them.

This is fail2ban-regex output: 

Running tests 
============= 

Use failregex file : /etc/fail2ban/filter.d/guacamole.conf 
Use maxlines : 2 
Use log file : /var/log/tomcat6/catalina.2015-02-09.log 
Use encoding : UTF-8 


Results 
======= 

Failregex: 129 total 
|- #) [# of hits] regular expression 
| 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
`- 

Ignoreregex: 0 total 

Date template hits: 
|- [# of hits] date format 
| [134] MON Day, Year 12hour:Minute:Second AMPM 
`- 

Lines: 268 lines, 0 ignored, 258 matched, 10 missed [processed in 0.13 sec] 
|- Missed line(s): 
| Feb 09, 2015 6:15:04 PM org.slf4j.impl.JCLLoggerAdapter info 
| INFO: Reading user mapping file: /etc/guacamole/user-mapping.xml 
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info 
| INFO: User "cristian" successfully authenticated from 95.226.42.86. 
| Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info 
| INFO: Login was successful. 
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info 
| INFO: User "cristian" successfully authenticated from 217.200.201.249. 
| Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info 
| INFO: Login was successful. 
`- 

As you can see, user "null" lines are not ignored.

I'm using fail2ban 0.9.1 on Ubuntu server.

Thanks in advance for any help. 

------------------------------------------------------------------------------ 
Dive into the World of Parallel Programming. The Go Parallel Website, 
sponsored by Intel and developed in partnership with Slashdot Media, is your 
hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials and more. Take a 
look and join the conversation now. http://goparallel.sourceforge.net/ 
_______________________________________________ 
Fail2ban-users mailing list 
Fail2ban-users@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/fail2ban-users 
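
An added example, not part of the original thread and not fail2ban's own code: a Python model of the two-line failregex and the ignoreregex from the quoted guacamole.conf, run over log lines quoted in the thread, to show the per-host counts one should expect with and without the ignoreregex. The `count_failures` function and the IPv4-only stand-in for `<HOST>` are assumptions of this example, and date parsing is not modelled.

```python
import re
from collections import Counter

# Filter values as quoted from guacamole.conf in the thread.
FAILREGEX = r'^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$'
IGNOREREGEX = r'user "null"'
# Assumption: IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Log lines taken from the tail quoted in the thread.
SAMPLE_LOG = """\
Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
INFO: Login was successful.
Feb 09, 2015 7:38:33 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "null" failed.
Feb 09, 2015 7:38:41 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:42 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 7:38:43 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
Feb 09, 2015 8:08:31 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
Feb 09, 2015 8:08:40 PM org.slf4j.impl.JCLLoggerAdapter warn
WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
"""

def count_failures(log_text, failregex, ignoreregex=None, maxlines=2):
    """Return (failures per host, ignored line count) for a multi-line filter."""
    fail_re = re.compile(failregex.replace("<HOST>", HOST_GROUP), re.MULTILINE)
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    hits, ignored, window = Counter(), 0, []
    for line in log_text.splitlines():
        if ignore_re and ignore_re.search(line):
            ignored += 1                      # dropped before failregex sees it
            continue
        window = (window + [line])[-maxlines:]  # keep the last `maxlines` lines
        match = fail_re.search("\n".join(window))
        if match:
            hits[match.group("host")] += 1
            window = []                       # matched lines are consumed
    return dict(hits), ignored

if __name__ == "__main__":
    print("failregex only:  ", count_failures(SAMPLE_LOG, FAILREGEX))
    print("with ignoreregex:", count_failures(SAMPLE_LOG, FAILREGEX, IGNOREREGEX))
```

If `fail2ban-regex` still reports `Ignoreregex: 0 total` on a log like this one, the ignoreregex was not loaded, which is the situation the reply at the top of the thread addresses.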



