Thanks for the reply Denny,

I have followed the recommendations provided by the post (I really thought that adding the timer to the python source code of fail2ban-client would have done the trick) but I am stuck with the same behavior again and again.

Moreover, I have removed all the jails except the vsftpd one to test.  Same thing.

Just so you guys don't think I am inventing things, here is the log after a fail2ban restart:

2013-12-06 13:02:36,388 fail2ban.server : INFO   Exiting Fail2ban
2013-12-06 13:02:37,993 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban for Fail2ban v0.8.10
2013-12-06 13:02:38,094 fail2ban.jail   : INFO   Creating new jail 'vsftpd'
2013-12-06 13:02:38,096 fail2ban.jail   : INFO   Jail 'vsftpd' uses Gamin
2013-12-06 13:02:38,112 fail2ban.jail   : INFO   Initiated 'gamin' backend
2013-12-06 13:02:38,315 fail2ban.filter : INFO   Added logfile = /mnt/syslog/10.1.0.6/vsftpd.log
2013-12-06 13:02:38,417 fail2ban.filter : INFO   Set maxRetry = 2
2013-12-06 13:02:38,923 fail2ban.filter : INFO   Set findtime = 600
2013-12-06 13:02:39,024 fail2ban.actions: INFO   Set banTime = 1000
2013-12-06 13:02:40,949 fail2ban.jail   : INFO   Jail 'vsftpd' started

We can see that the vsftpd jail has been enabled at 13:02:40

Here is my attempt a bit later at 13:02:49 :

[root@gw fail2ban]# tail -n1 /mnt/syslog/10.1.0.6/vsftpd.log
Dec  6 13:02:49 ara vsftpd[8113]: [yan] FAIL LOGIN: Client "69.70.217.78"

Then the result:

[root@gw fail2ban]# fail2ban-client status vsftpd
Status for the jail: vsftpd
|- filter
|  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:   
   `- Total banned:    0


Please note that in the same jail.local exists the default ssh jail and if I do the same thing (using ssh of course), I can see the "Currently failed" property being incremented.


On 13-12-06 12:44 PM, Denny Jones wrote:
I had the same issues and found this:

http://lists.centos.org/pipermail/centos/2012-June/126860.html

The steps in that article got my CentOS install to work.

Hope this helps.




-----Original Message-----
From: Yan Hudon <yan@jaguar-tech.com>
To: fail2ban-users <fail2ban-users@lists.sourceforge.net>
Sent: Fri, Dec 6, 2013 10:21 am
Subject: [Fail2ban-users] Fail2ban partially working

Hi,

I've set up fail2ban on a CentOS server and everything is working fine for my ssh jail (I am receiving alerts and shorewall is banning IPs) but somehow, my 2 others, vsftpd and smtp, are processed (I can see that they are by monitoring the log upon startup) but never seem to notice any failed login attempt, thus never taking action.

I have used fail2ban-regex to be sure that my regex were good and they are.

For example, let's take my vsftpd jail :

jail status (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:   
   `- Total banned:    0


jail.local content

[vsftpd6]

enabled = true
filter = vsftpd
action = shorewall
               sendmail-whois[name=VSFTPD, dest=it@jaguar-tech.com]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

vsftpd filter regex

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

Sample of the vsftpd logfile

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

fail2ban-regex results

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything.

Any help will be appreciated.
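
An offline replay of the jail's matching and counting over log lines quoted in this thread, added here as an illustration (not code from the posters or from fail2ban). The `<HOST>` pattern is a simplified IPv4 stand-in and `replay` is a hypothetical helper; it shows the counts the filter would reach if it were reading these lines.

```python
import re
from datetime import datetime

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# Second failregex line from the vsftpd filter quoted in the post.
FAILREGEX = r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'
# Values reported in the fail2ban startup log from the thread.
MAXRETRY, FINDTIME = 2, 600

# Lines copied from the vsftpd.log excerpts quoted in the thread.
SAMPLE = '''\
Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 13:02:49 ara vsftpd[8113]: [yan] FAIL LOGIN: Client "69.70.217.78"
'''

def replay(lines, year=2013):
    """Return (failures per host, first would-be ban time per host)."""
    rx = re.compile(FAILREGEX.replace('<HOST>', HOST))
    failed, recent, bans = {}, {}, {}
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group('host')
        failed[host] = failed.get(host, 0) + 1
        if host in bans:
            continue  # already banned; only keep counting matches
        # Syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f'{year} {line[:15]}', '%Y %b %d %H:%M:%S')
        # Keep only failures that fall inside the findtime window.
        window = [t for t in recent.get(host, [])
                  if (ts - t).total_seconds() <= FINDTIME]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:
            bans[host] = ts
    return failed, bans

if __name__ == '__main__':
    failed, bans = replay(SAMPLE.splitlines())
    for host, count in failed.items():
        print(host, 'failed:', count, 'ban at:', bans.get(host, 'none'))
```
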

