Hi,

I've set up fail2ban on a CentOS server and everything is working fine for my ssh jail (I am receiving alerts and shorewall is banning IPs), but somehow my 2 others, vsftpd and smtp, are processed (I can see that they are by monitoring the log upon startup) but never seem to notice any failed login attempt, thus never taking action.

I have used fail2ban-regex to be sure that my regexes were good, and they are.

For example, let's take my vsftpd jail:

jail status (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:   
   `- Total banned:    0


jail.local content

[vsftpd6]

enabled = true
filter = vsftpd
action = shorewall
               sendmail-whois[name=VSFTPD, dest=it@jaguar-tech.com]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

vsftpd filter regex

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

Sample of the vsftpd logfile

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

fail2ban-regex results

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything.

Any help will be appreciated.