On 2024-03-06 05:54, Jason Long wrote:
> Thanks.
> I need this strategy for SSH service.
>
Change the port number(s).
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
___
Fail2ban-users mailing list
Fail2
" have to be doubled in the conf files (I
have seen it both ways)?
On 07/23/2018 10:28 PM, Philip James Clarke wrote:
> So all you need to do is add
> enabled=true
> under [ASSP]
>
Ah! So simple. Thank you.
{'matches': [['',
'08/06/2018-03:18:18', '.891064 [Drop] [**] [1:2220008:1] SURICATA SMTP
data command rejected [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 192.168.69.246:25 ->
106.198.116.73:16769']], 'failures': 1, 'ip
Status for the jail: suricata
|- Filter
|  |- Currently failed: 111
|  |- Total failed: 1883
|  `- File list: /data01/var/log/suricata/fast.log
`- Actions
   |- Currently banned: 400
   |- Total banned: 412
----[ end ]
On 08/24/2018 12:21 PM, Wayne Sallee wrote:
> Maybe it's finding it in firewall logs?
>
The only jails enabled are "assp" and "suricata."
26 11:40:47,031 fail2ban.filter [25601]: INFO[assp]
Found 200.29.108.214 - 2018-08-26 11:40:46
2018-08-26 14:39:45,487 fail2ban.actions[25601]: NOTICE [assp]
Unban 200.29.108.214
or account name
----[ end ]
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote:
> It does not appear that fail2ban is actually banning IP addresses.
> Below are (I hope) relevant data.
>
There is also this filter:
[Definition]
__assp_actions = (?:dropping|refusing)
# Capture failed logins
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote:
> It does not appear that fail2ban is actually banning IP addresses.
>
How do I ask iptables what is banned by fail2ban?
On 9/30/18 4:35 PM, James Moe via Fail2ban-users wrote:
> How do I ask iptables what is banned by fail2ban?
>
Found it:
$ iptables --list-rules f2b-assp
And here is the entry for the example IP:
-A f2b-assp -s 185.36.81.145/32 -j REJECT --reject-with
icmp-port-unreachable
I have f
n.actions[16451]: WARNING [assp]
185.36.81.145 already banned
ata] 104.161.36.178 already banned
From the proxy log: A connection that should not have happened.
2018-10-02_10:50:42 [Worker_1] Connected: session:7F9011348CE0
104.161.36.178:21679 > 192.168.69.246:25 > 192.168.69.246:125
assp jail is not effective.
On 9/30/18 11:01 AM, James Moe via Fail2ban-users wrote:
> The issue, then, is that the actual banning part is not happening.
> Where have I gone awry?
>
The purpose of commissioning fail2ban is to reduce the load on
suricata, an intrusion prevention service; suricata is the
20d4rk;%20chmod%20777%20d4rk;%20sh%20d4rk)&password=admin
> HTTP/1.1"
>
Without a source IP address for the , there is no regex to match
the given text.
On 11/02/2019 12.49 AM, Tonny Oitp wrote:
> In the /var/log/fail2ban.log I get the error
>
It does not like the date format.
What are your filter rules?
On 11/02/2019 1.06 PM, tonny wrote:
> # Fail2Ban filter lighttpd//
> #
>
Try adding this:
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
expressions are evaluated. Maybe even Fail2ban.
%M:%%S
On 12/06/2019 12.00 AM, Tom Hendrikx wrote:
> The first failure line has ":" after the ip address, but the second
> line hasn't, but your regex requires the colon. Remove the requirement
> for the colon and you're good.
>
Quite so.
Thank you.
On 29/07/2019 5.30 PM, Bill Shirley wrote:
> Indeed, not only do I need to ban on the source IP, but also on the source port.
> My log file entries expose this in a pretty standard form: src_ip:port
>
> Is this feasible at all with f2b ?
>
...\:port_number...
> I do not understand, if I've banned an IP why they're still getting through?
>
"Already banned" implies that the IP is banned on another port.
Have you changed your filter to ban the new port?
Did you unban all of the previously banned standard SSH port IPs?
', [['actionunban', ' -D f2b-suri-1 -s
-j '], ['actionflush', ' -F f2b-suri-1'],
['actionstop', ' -D INPUT -p udp --dport ssh -j
f2b-suri-1\n -F f2b-suri-1\n -X f2b-suri-1'],
['actionstart', ' -N f2b-suri-1\n -A f2b-suri
On 17/09/2019 1.35 PM, James Moe via Fail2ban-users wrote:
> [ jail ]
> [suricata-1]
> action = iptables[name=suri-1, protocol=udp]
> [ end ]
>
I realized it is missing a destination port number.
Changing the action to
action = iptables[name=suri-1, port="
On 17/09/2019 1.35 PM, James Moe via Fail2ban-users wrote:
> When I attempt to start the jail, I receive
> $ fail2ban-client restart suricata-1
> 2019-09-17 13:12:55,019 fail2ban [12287]: ERROR NOK: ('suricata-1',)
> Sorry but the jail 'suricata-1' does not exi
is no change in the attack rate implying excellent CnC
and lots of IPs. iptables does not seem to find this troublesome.
So. Is this a case where fail2ban is not an especially useful solution
to the problem? Or are 1000s of blocked IPs not uncommon?
On 2020-01-04 11:12 AM, Courtney Rosenthal wrote:
> I'm having a problem where legitimate mail (postfix) and imap (dovecot) users
> are getting blocked ... but let's just take dovecot right now.
>
What are your filters' regexes?
seems
unnecessarily complicated, even allowing for combining a match to two similar
log entries.
Would this work as well?
^.* Disconnected \(no auth attempts .* rip=, .*$
^.* Aborted \(auth failed .* rip=, .*$
t appears to be a default entry for dovecot
filters. Is that why it is there?
If mdre-aggressive is a problem, remove it.
, what they are for, what they do. It only shows a few examples of
usage.
the date pattern in the log?
The "%" must be escaped in the .conf: %%.
he actual log entry, the date pattern is:
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
I am confused, though. Does the log entry you are testing really begin with
"2020-03-08 05:58:44,167 fail2ban.filter"? If not, what is a sample of an entry,
only the entry, that you are testing?
On 2020-05-04 12:06 PM, Gao wrote:
> [Mon May 04 09:15:10.359034 2020] [:error] [pid 17835] [client
> 10.36.36.16:10513] LDAP - Bind user error 49 (Invalid credentials),
> referer: https://web.company.com/index.php
>
Try this:
^.*\[client.*\:.*\] LDAP - Bind user error 49.*
On 2020-05-08 2:54 PM, Doug Preston via Fail2ban-users wrote:
> May 7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO
> from unknown[185.50.149.26]
^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[\].*
s with this in it.
>
Provide samples of the lines that are not matching.
And your postfix.conf filter.
xYear)?
`-
Lines: 5 lines, 0 ignored, 5 matched, 0 missed
[processed in 0.01 sec]
[Definition]
# but this is the section from postfix.conf with all the regex working
# except for the EHLO lines
# prefregex = ^%(__prefix_l
On 2020-05-14 12:04 PM, Doug Preston via Fail2ban-users wrote:
>> Lines: 5 lines, 0 ignored, 5 matched, 0 missed
>> [processed in 0.01 sec]
>>
> What version of fail2ban are you running? What OS, I am running Centos 7
>
Fail2Ban v0.10.4
opensuse LEAP 15.1
ufficient?
ly add them
>
I do not understand what you mean here. Manually? Then what, precisely, have
you tried?
So you did not try the postfix.conf I offered exactly as it was?
Where may I find proper documentation for fail2ban? The wiki offers a blank
page for its manual.
Is the source code the only option?
> failregex = ^%(pid)s \S+ %(host_info)sWarning:
> EXIM-SPAMMASSASSIN-EXCESSIVE-FAIL2BAN$
>
> It doesn't match :(
>
failregex = ^.* \[.*\] .* \[\]\:.* Warning:
EXIM-SPAMMASSASSIN-EXCESSIVE-FAIL2BAN?.
I do not know what command to use to get the PID. "%(pid)s" crashed
of IP addresses that are not to be banned?
On 8/20/20 3:29 PM, James Moe via Fail2ban-users wrote:
> Is there a way to specify a range of IP addresses that are not to be banned?
>
Thank you Florian and James. That nicely does the job.
On 8/21/20 11:28 AM, James Moe via Fail2ban-users wrote:
> Thank you Florian and James. That nicely does the job.
>
Urk. Thank you Florian and Dominic.
On 8/20/20 10:04 AM, James Moe via Fail2ban-users wrote:
> Where may I find proper documentation for fail2ban?
>
Really?
Either it is so obvious, or there are only bits and pieces?
or in \"AUTH LOGIN\" .* I\=\[\]\:25 AUTH
command used when not advertised
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year-Month-Day 24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
On 10/16/20 10:13 AM, Dan Egli wrote:
> The I= address is MY ip.
>
Ah. I guessed incorrectly.
Also the "datepattern" was necessary.
a file in filter.d/exim.local.
log entries only
"Found"? Or is there more? How often do the Found entries occur?
On 10/23/20 8:47 AM, Tom via Fail2ban-users wrote:
> As you can see, postfix-sasl has no trouble banning. I'm running
> fail2ban-0.11.1-10.fc32.noarch. Any ideas how to track down this elusive
> problem?
>
List your jails and filters?
On 12/19/20 3:51 PM, Dan Egli wrote:
> As an example, I have the following filter, among others, in my
> exim.local.conf file:
> fixed_login_exim4u authenticator failed for .*
>
Show us the jail conf and filter.
Have you tested your configuration with fail2ban-regex?
[# of hits] date format
| [6] Year-Month-Day 24hour:Minute:Second.Microseconds
`-
Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[ end ]
"
>
> Could someone please either point me to some help with regex or help me get
> started on the regex.
>
Provide a sample log entry you want ignored, the jail conf, and the (current)
filter conf.
nt the exact text
that was matched in the regex; only that a match was found. Using the facility
at "debugex.com" fails to find a match.
It appears to be a defect in fail2ban.
On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote:
> We have a regex that "matches" but I watch fail2ban.log with "tail
> -F" and I watch match and match and match
> and not ban.
>
Show your jail and filter conf.
ultiple log entries of an attack, and lists them all as an INFO. Then at
the end of the scan, the IP is banned.
Your f2b log shows f2b was restarted before the scan was finished. After the
restart, the scan continued and the IP was ultimately banned.
b being
restarted part way, then banning an offending IP after the restart.
offered a solution on Dec 27, 2020. Not good enough?
in the works.) Have you tried using a later version
of f2b?
> If you'd like more log samples, I can get you them.
>
I was interested in the time between scans. Does f2b really just stop,
ignoring the evidence? Or does it continually list discoveries without stopping?
On 1/19/21 1:10 AM, Dan Egli wrote:
> Thanks! I took your idea, modified it just a bit, and it works well
> enough now.
>
Excellent!
t 1/ssl.weechat/XX.XXX.XXX.X
> connected/authenticated
>
I do not see 3 failed logins here.
Do you have a fail2ban log output that shows it matched the target entries?
fail2ban v0.10.4
Found in the log today:
2021-04-14 07:24:17,861 fail2ban.ipdns [31473]: WARNING Unable to find a
corresponding IP address for IP: [Errno -2] Name or service not known
It found a match to ... what? Could not find an IP address for an IP address?
.
I discovered (quite accidentally) that the test files *must* reside in
/etc/fail2ban/filter.d/ directory. The regex would not match when a "foreign"
file was indicated.
o-smtp"
for jail in $jails
do
sudo fail2ban-client status $jail | grep -v "Banned IP list"
done
ned: 45
|- Total banned: 46
[/aside]
Hello,
There has been no activity for weeks.
- Is the list still active?
- Has the list moved elsewhere?
On 6/17/21 2:56 PM, Castillo Izquierdo, Javier wrote:
> It is active; at least I receive your message from the list
>
Okay. Thanks.
- 2021-07-11 16:15:31
2021-07-11 16:15:31,357 fail2ban.actions[10710]: WARNING [suricata-1]
65.205.231.167 already banned
^.*\[1\:2030555\:.*\].*? \{UDP\}.*\-\> \:.*?
ignoreregex =
datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
[ end ]
* 0.0.0.0/0
0.0.0.0/0NFQUEUE num 0 bypass
71262K 518M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0ctstate RELATED,ESTABLISHED
fail2ban is started before suricata to assure they process packets before
suricata.
>
> I was wrong, the auth-worker failures are not being used in the ban. Is
> there anything I can change to enable the ban on this?
failregex = ^.*auth\-worker\(.*sql\(.*,,.*\)\: unknown user .*
ailed: 5
`- File list: /usr/local/bin/assp2/logs/maillog.txt
`- Actions
|- Currently banned: 17
|- Total banned: 17
`- Banned IP list: ...
- Total failed: 1938
`- File list: /usr/local/bin/assp2/logs/maillog.txt
- Actions
|- Currently banned: 6202
|- Total banned: 6444
p: 35.205.35.197 - - [01/Feb/2022:03:10:28 +]
> "GET / HTTP/1.1" 200 12778 "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
> x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.1.1.1/Safari
> /537.36": 1 Time(s)
>
What is the "failregex" for this
10:28 +] >> "GET / HTTP/1.1"
> 200 12778 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; >> x64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.1.1.1/Safari >>
> /537.36": 1 Time(s)
>
I also note there
On 2022-02-26 12:15, James Moe via Fail2ban-users wrote:
> Try adding this (the escaped "%" is necessary):
> datepattern = %%m/%%d/%%Y:%%H:%%M:%%S
>
Bzzt! Wrong. This one:
datepattern = %%d/%%m/%%Y:%%H:%%M:%%S
>
>> 35.205.35.197 - - [01/Feb/2022:03:10:
\- .*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Day/MON/Year:24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
[ end ]
"^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w+\s+\|)?\s+AUTH method LOGIN failed
> from.*\s*$"
>
Change the regex to:
^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w+\s+\|)?\s+AUTH method LOGIN failed
from.*\@\s*$
Note the addition of "\@".
acter in regexes. In PERL
it is used to define an array.
So. Because of its specialness, it must be escaped.
t
| [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]
On 2022-03-07 11:45, James Moe via Fail2ban-users wrote:
> The vertical bar allows multi-line expressions. Below is a sample given the
> log entries you provided.
>
(Sigh.) Do not know what I was thinking. I apologize for the confusing, and
wrong, post.
expression that ignores the log
entries with "127.0.0.1?"
The current regex is:
failregex = ^.*\[\] .* 334 VXNlcm5hbWU6.*
On 2023-03-22 14:03, Nick Howitt via Fail2ban-users wrote:
> Use an "ignoreregex = 127\.0\.0\.1" line.
>
That works! Thank you.
ignoreregex.
Could this issue be possibly related to the "ignoreregex"?
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote:
> Could this issue be possibly related to the "ignoreregex"?
>
Nope. I removed the ignoreregex rule. It made no difference to the failure to
match.
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote:
> Fail2ban-regex matches the regex in the log files. Fail2ban itself does not.
>
I had thought a specific regex was failing to match. Further testing shows
that the whole jail acts as though it is disabled. "enabled = true"
On 2023-03-30 10:37, James Moe via Fail2ban-users wrote:
> Fail2ban-regex matches the regex in the log files. Fail2ban itself does not.
>
I found the problem. Yay.
The logfile the jail uses is a symbolic link. It is refreshed every night at
midnight. The target log file is re-created
]
do
sleep 10
done
txt="ln -s ${logfile_new} ${CGP_LINK}"
$txt
On 2023-04-17 08:27, Wayne Sallee via Fail2ban-users wrote:
> Why does fail2ban not match when fail2ban-regex does match?
> It makes fail2ban-regex almost useless.
>
Are you responding to another message?
Do you have a specific issue?
the first
thing, and the third thing is worst of all. How do I fix it?"
Perhaps some detail? F2b version? Log entry sample? Regex?
-n 100 /var/log/fail2ban.log
> 2023-04-19 11:13:58,417 fail2ban.server [3824]: INFO Reload finished.
>
> Never anything about test.
>
fail2ban-regex does not log its results to fail2ban.log. It does not log its
results anywhere.
On 2023-04-20 06:12, Wayne Sallee via Fail2ban-users wrote:
> The fail2ban-regex showed all 8 lines matching, but the regular fail2ban jail
> [testing] showed no action, not even a
> "found" response.
>
There is no command "fail2ban jail ...".
u mean fail2ban-server?
fail2ban records the last position in the log file that it read. This way f2b
does not need to scan the whole file every time it opens the log, it just moves
to the last read position. If the log file does appear to be new or changed, f2b
will find nothing new to test.
me of the log file for each test run.
- change the regex a little:
failregex = postfix.+ RCPT from unknown\[\]\: .+()
# Apr 16 11:00:07
datepattern = %%b %%d %%H:%%M:%%S
Adding the "RCPT from unknown" portion skips the first []'d number which is
not an IP.
me for each run.
\d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?:
> )?(?:pam_unix(?:\(dovecot:auth\))?:
> |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?P.+)$
> `-
Would you show us "dovecot.conf"? I do not see where there is a regex for
"unknown user."
ress.
You could try adding the following to the failregex:
^.*auth-worker.* sql\(support,\)\: unknown user
On 2023-05-19 13:49, François Patte wrote:
> # fail2ban-regex --print-all-missed /var/log/fail2ban.log
> /etc/fail2ban/filter.d/apache-proxy.conf
>
You are testing fail2ban's log file. Shouldn't that be an apache log?