Home / Browse / Fail2Ban / Mail / Archive

Donate

Fail2Ban

Email Archive: fail2ban-users (read-only)

2005:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep (11)	_Oct (8)	_Nov (10)	_Dec (8)
2006:	_Jan (6)	_Feb (1)	_Mar (43)	_Apr (17)	_May (2)	_Jun (8)	_Jul (9)	_Aug (14)	_Sep (15)	_Oct (25)	_Nov (20)	_Dec (12)
2007:	_Jan (29)	_Feb (19)	_Mar (8)	_Apr (12)	_May (10)	_Jun (9)	_Jul (40)	_Aug (33)	_Sep (74)	_Oct (19)	_Nov (31)	_Dec (13)
2008:	_Jan (50)	_Feb (52)	_Mar (43)	_Apr (21)	_May (68)	_Jun (28)	_Jul (6)	_Aug (25)	_Sep (14)	_Oct (32)	_Nov (7)	_Dec (13)
2009:	_Jan (25)	_Feb (1)	_Mar (2)	_Apr (8)	_May (4)	_Jun (6)	_Jul (24)	_Aug (40)	_Sep (24)	_Oct (15)	_Nov (31)	_Dec (35)
2010:	_Jan (6)	_Feb (1)	_Mar (23)	_Apr (16)	_May (4)	_Jun (36)	_Jul (20)	_Aug (13)	_Sep (36)	_Oct (12)	_Nov (9)	_Dec (2)
2011:	_Jan (16)	_Feb (9)	_Mar (21)	_Apr (33)	_May (27)	_Jun (31)	_Jul (20)	_Aug (7)	_Sep (20)	_Oct (41)	_Nov (29)	_Dec (52)
2012:	_Jan (127)	_Feb (36)	_Mar (15)	_Apr (40)	_May (23)	_Jun (43)	_Jul (84)	_Aug (50)	_Sep (31)	_Oct (45)	_Nov (43)	_Dec (47)
2013:	_Jan (39)	_Feb (83)	_Mar (50)	_Apr (50)	_May (79)	_Jun (31)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Brent Gardner <brent.gardner@gm...> - 2011-10-28 22:07

Hello, list.

This is my first time using fail2ban and I'm trying to verify my 
understanding of the operation of a few things before I deploy on a 
production server.

I have a test machine where I've defined a filter that has 4 failregex 
conditions.  I'm using fail2ban-regex to test with a copy of a log file 
from my production server.  The output from fail2ban-regex shows my 4 
conditions under Failregex along with the number of hits per 
conditions.  The summary section shows the detected hosts.  The 
Ignoreregex section shows no data, just headings: Regular expressions, 
and Number of matches.

Testing has revealed that my conditions under failregex are hitting on 
some entries I'd rather they didn't hit on.  I'm trying to prevent this 
by putting in ignoreregex conditions, but no matter what I put in my 
entries seem to be ignored by fail2ban-regex.  They are never listed in 
the output under the Regular expressions heading under Ignoreregex, and 
they never hit on anything.  Googling for sample ignoreregex entries has 
been difficult, as most hits are for filter examples that have one or 
more conditions listed for failregex and contain a line that simply says 
"ignoreregex = ".

Is this the expected behavior of fail2ban-regex?

Can anyone point me to decent ignoreregex examples or more thorough 
documentation?

I'm using fail2ban v0.8.4 on CentOS v5.5 32-bit with python v2.4.3

Thanks.


Brent Gardner

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Yaroslav Halchenko <lists@on...> - 2011-10-29 01:22

Hello, seeker.

the easiest way to help would be to get those samples of files (log,
filter) -- are they stock filters? what entries you wouldn't like to be
matched etc

Cheers,

On Fri, 28 Oct 2011, Brent Gardner wrote:

> Hello, list.

> This is my first time using fail2ban and I'm trying to verify my 
> understanding of the operation of a few things before I deploy on a 
> production server.

-- 
=------------------------------------------------------------------=
Keep in touch                                     http://www.onerussian.com
Yaroslav Halchenko                 http://www.ohloh.net/accounts/yarikoptic

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Brent Gardner <brent.gardner@gm...> - 2011-11-01 18:18

Yaroslav Halchenko wrote:
> Hello, seeker.
>
> the easiest way to help would be to get those samples of files (log,
> filter) -- are they stock filters? what entries you wouldn't like to be
> matched etc
>
>   
My failregex entries appear to be good.  Expected content is detected 
and reported by fail2ban-regex.

Is fail2ban-regex currently broken in regard to ignoreregex? 

fail2ban-regex never reports any regex I put in the ignoreregex section 
and it never reports any hits for any regex I put in the ignoreregex 
section.

Very hard to find any examples or discussion for ignoreregex online.

Thanks.

Brent Gardner

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Tom Hendrikx <tom@wh...> - 2011-11-02 08:28

On 01/11/11 19:18, Brent Gardner wrote:
> Yaroslav Halchenko wrote:
>> Hello, seeker.
>>
>> the easiest way to help would be to get those samples of files (log,
>> filter) -- are they stock filters? what entries you wouldn't like to be
>> matched etc
>>
>>   
> My failregex entries appear to be good.  Expected content is detected 
> and reported by fail2ban-regex.
> 
> Is fail2ban-regex currently broken in regard to ignoreregex? 

No it is not broken. At least not until someone is able to investigate
further upon the apparent problem you are having, which is impossible
until you provide us with some examples ;)

> 
> fail2ban-regex never reports any regex I put in the ignoreregex section 
> and it never reports any hits for any regex I put in the ignoreregex 
> section.
> 

Please show us 3 things:
- the fail2ban filter config file you are using
- a log snippet that contains hits for both Regex and IgnoreRegex as set
in the above config file
- the commandline you use to test all of this, and which demonstrates
your problem

-- 
Regards,
	Tom

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Brent Gardner <brent.gardner@gm...> - 2011-11-02 19:03

Tom Hendrikx wrote:
> Please show us 3 things:
> - the fail2ban filter config file you are using
> - a log snippet that contains hits for both Regex and IgnoreRegex as set
> in the above config file
> - the commandline you use to test all of this, and which demonstrates
> your problem
>
>   

Tom-

Thanks for your reply.

Here's the contents of the fail2ban config file that I'm testing:

[Definition]

failregex = rblsmtpd: <HOST> .*: 451 Blocked
            CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> 
rcpt <.*> : client not allowed to relay
            CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt 
<.*> : not existing recipient
            .* rblsmtpd: <HOST>

ignoreregex = exch\.example\.local
              10\.0\.0\.79

Here's content from the log file:

@400000004eaace713b735664 tcpserver: status: 1/100
@400000004eaace713b73815c tcpserver: pid 25911 from 10.0.0.79
@400000004eaace713b7394e4 tcpserver: ok 25911 
smtp.example.com:10.10.10.6:25 exch.example.local:10.0.0.79::49737
@400000004eaace7710ad7a54 CHKUSER rejected relaying: from <::> remote 
<exchext.example.com:exch.example.local:10.0.0.79> rcpt 
<Example.OnTime.Automated.Reply@...> : client not allowed 
to relay
@400000004eaace7810b86f04 spamdyke[25911]: FILTER_OTHER response: "553 
sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)"
@400000004eaace7810b899fc spamdyke[25911]: DENIED_OTHER from: (unknown) 
to: example.ontime.automated.reply@... origin_ip: 10.0.0.79 
origin_rdns: exch.example.local auth: (unknown) encryption: (none)
@400000004eaace7812d0d754 CHKUSER rejected relaying: from <::> remote 
<exchext.example.com:exch.example.local:10.0.0.79> rcpt 
<Example.OnTime.Automated.Reply@...> : client not allowed 
to relay
@400000004eaace7924cb9bec spamdyke[25911]: FILTER_OTHER response: "553 
sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)"
@400000004eaace7924cbceb4 spamdyke[25911]: DENIED_OTHER from: (unknown) 
to: example.ontime.automated.reply@... origin_ip: 10.0.0.79 
origin_rdns: exch.example.local auth: (unknown) encryption: (none)
@400000004eaace7925e76c2c CHKUSER rejected relaying: from <::> remote 
<exchext.example.com:exch.example.local:10.0.0.79> rcpt 
<Example.OnTime.Automated.Reply@...> : client not allowed 
to relay
@400000004eaace7b0e2204e4 spamdyke[25911]: FILTER_OTHER response: "553 
sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)"
@400000004eaace7b0e2204e4 spamdyke[25911]: DENIED_OTHER from: (unknown) 
to: example.ontime.automated.reply@... origin_ip: 10.0.0.79 
origin_rdns: exch.example.local auth: (unknown) encryption: (none)
@400000004eaace7b0fb00784 CHKUSER rejected relaying: from <::> remote 
<exchext.example.com:exch.example.local:10.0.0.79> rcpt 
<Example.OnTime.Automated.Reply@...> : client not allowed 
to relay
@400000004eaace7d09d02f24 spamdyke[25911]: FILTER_OTHER response: "553 
sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)"
@400000004eaace7d09d05634 spamdyke[25911]: DENIED_OTHER from: (unknown) 
to: example.ontime.automated.reply@... origin_ip: 10.0.0.79 
origin_rdns: exch.example.local auth: (unknown) encryption: (none)
@400000004eaace7d0a155a2c tcpserver: end 25911 status 0
@400000004eaace7d0a155a2c tcpserver: status: 0/100

Here's the command line for running fail2ban-regex:

$ sudo fail2ban-regex /home/auser/log 
/etc/fail2ban/filter.d/qmt-dos-hosts.conf

Here's output:

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/qmt-dos-hosts.conf
Use log file   : /home/auser/log

Results
=======

Failregex
|- Regular expressions:
|  [1] rblsmtpd: <HOST> .*: 451 Blocked
|  [2] CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt 
<.*> : client not allowed to relay
|  [3] CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> 
: not existing recipient
|  [4] .* rblsmtpd: <HOST>
|
`- Number of matches:
   [1] 0 match(es)
   [2] 4 match(es)
   [3] 0 match(es)
   [4] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
    10.0.0.79 (Fri Oct 28 15:47:03 2011)
    10.0.0.79 (Fri Oct 28 15:47:04 2011)
    10.0.0.79 (Fri Oct 28 15:47:05 2011)
    10.0.0.79 (Fri Oct 28 15:47:07 2011)
[3]
[4]

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
72 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@...>

Success, the total number of match is 4

However, look at the above section 'Running tests' which could contain 
important
information.

Brent Gardner

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Brent Gardner <brent.gardner@gm...> - 2011-11-02 19:13

Brent Gardner wrote:
>
> Here's the command line for running fail2ban-regex:
>
> $ sudo fail2ban-regex /home/auser/log 
> /etc/fail2ban/filter.d/qmt-dos-hosts.conf
>
>
Turns out it works as expected if I call it like this:

$ sudo fail2ban-regex /home/auser/log 
/etc/fail2ban/filter.d/qmt-dos-hosts.conf 
/etc/fail2ban/filter.d/qmt-dos-hosts.conf


Thanks, all.  Sorry for the noise.


Brent Gardner

Re: [Fail2ban-users] How to use ignoreregex in a filter with fail2ban-regex?

From: Tom Hendrikx <tom@wh...> - 2011-11-02 19:27

On 02-11-11 20:13, Brent Gardner wrote:
> Brent Gardner wrote:
>>
>> Here's the command line for running fail2ban-regex:
>>
>> $ sudo fail2ban-regex /home/auser/log 
>> /etc/fail2ban/filter.d/qmt-dos-hosts.conf
>>
>>
> Turns out it works as expected if I call it like this:
> 
> $ sudo fail2ban-regex /home/auser/log 
> /etc/fail2ban/filter.d/qmt-dos-hosts.conf 
> /etc/fail2ban/filter.d/qmt-dos-hosts.conf
> 

Good to see you already found the problem. :)

Maybe nice to add is that fail2ban has a dedicated feature for
whitelisting trusted IPs from your jail, 'ignoreip' in jail.conf. This
is probably easier to maintain/read than an IgnoreRegex within the
filter file.

Regards,
	Tom

1 message has been excluded from this view by a project administrator.