Exactly what I meant with my "3rd arg" reply. :)
On Feb 9, 2015 5:54 PM, "Michael Monette" <mmone...@2keys.ca> wrote:
> You aren't including the ignoreregex argument with this:
>
> fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log
> /etc/fail2ban/filter.d/guacamole.conf
>
> If the ignoreregex and the failregex are both in your guacamole.conf, the
> command is this:
>
> fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log
> /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf
>
> Notice the /etc/fail2ban/filter.d/guacamole.conf is written twice in the
> command. That should do it.
>
> Mike
>
> ----- Original Message -----
> From: "Cristiano Nuzzo" <crinu...@gmail.com>
> To: fail2ban-users@lists.sourceforge.net
> Sent: Monday, February 9, 2015 3:48:45 PM
> Subject: Re: [Fail2ban-users] can't make ignoreregex working
>
>
>
> This is a copy/paste of my terminal window, thanks in advance
>
> pippo@faxservernew:~$ fail2ban-regex -v /var/log/tomcat6/catalina.2015-02-09.log
> /etc/fail2ban/filter.d/guacamole.conf
>
> Running tests
> =============
>
> Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
> Use maxlines : 2
> Use log file : /var/log/tomcat6/catalina.2015-02-09.log
> Use encoding : UTF-8
>
> Results
> =======
>
> Failregex: 129 total
> |- #) [# of hits] regular expression
> | 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [134] MON Day, Year 12hour:Minute:Second AMPM
> | [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> | [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
> | [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
> | [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
> | [0] Month/Day/Year:24hour:Minute:Second
> | [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
> | [0] TAI64N
> | [0] Epoch
> | [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
> | [0] ^24hour:Minute:Second
> | [0] ^<Month/Day/Year2@24hour:Minute:Second>
> | [0] ^Year2MonthDay ?24hour:Minute:Second
> | [0] ^MON-Day-Year2 24hour:Minute:Second
>
> On Mon, Feb 9, 2015 at 9:40 PM, Arturo 'Buanzo' Busleiman <
> bua...@buanzo.com.ar > wrote:
>
>
>
> Please, show the complete command line for fail2ban-regex, which should
> include a 3rd argument.
>
>
> On Mon, Feb 9, 2015 at 5:35 PM, Cristiano Nuzzo < crinu...@gmail.com >
> wrote:
>
>
>
> Hi everybody, I'm using guacamole.conf to ban users that fail login,
>
> this is my guacamole.conf:
>
> #
> # Author: Steven Hiscocks
> #
>
> [Definition]
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> # Values: TEXT
> #
> failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
>
> # Option: ignoreregex
> # Notes.: regex to ignore. If this regex matches, the line is ignored.
> # Values: TEXT
> #
>
> ignoreregex = user "null"
>
> and this is a tail of my log file:
>
> INFO: User "pippo" successfully authenticated from 217.200.201.249.
> Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
> INFO: Login was successful.
> Feb 09, 2015 7:38:33 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 217.200.201.249 for user "null" failed.
> Feb 09, 2015 7:38:41 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
> Feb 09, 2015 7:38:42 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
> Feb 09, 2015 7:38:43 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 217.200.201.249 for user "pippo" failed.
> Feb 09, 2015 8:08:31 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
> Feb 09, 2015 8:08:40 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
> Feb 09, 2015 8:08:44 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
> Feb 09, 2015 8:08:49 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
> Feb 09, 2015 8:08:53 PM org.slf4j.impl.JCLLoggerAdapter warn
> WARNING: Authentication attempt from 151.52.140.102 for user "null" failed.
>
> Guacamole generates null logins by itself on every page load, so I want
> fail2ban to ignore them.
>
> This is fail2ban-regex output:
>
> Running tests
> =============
>
> Use failregex file : /etc/fail2ban/filter.d/guacamole.conf
> Use maxlines : 2
> Use log file : /var/log/tomcat6/catalina.2015-02-09.log
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 129 total
> |- #) [# of hits] regular expression
> | 1) [129] ^.*\nWARNING: Authentication attempt from <HOST> for user
> "[^"]*" failed\.$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [134] MON Day, Year 12hour:Minute:Second AMPM
> `-
>
> Lines: 268 lines, 0 ignored, 258 matched, 10 missed [processed in 0.13 sec]
> |- Missed line(s):
> | Feb 09, 2015 6:15:04 PM org.slf4j.impl.JCLLoggerAdapter info
> | INFO: Reading user mapping file: /etc/guacamole/user-mapping.xml
> | Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
> | INFO: User "cristian" successfully authenticated from 95.226.42.86.
> | Feb 09, 2015 7:14:28 PM org.slf4j.impl.JCLLoggerAdapter info
> | INFO: Login was successful.
> | Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
> | INFO: User "cristian" successfully authenticated from 217.200.201.249.
> | Feb 09, 2015 7:38:30 PM org.slf4j.impl.JCLLoggerAdapter info
> | INFO: Login was successful.
> `-
>
> As you can see, user "null" lines are not ignored.
>
> I'm using fail2ban 0.9.1 on Ubuntu Server.
>
> Thanks in advance for any help.
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users