From: Brandon G <br...@co...> - 2024-09-22 18:28:59

Rocky9/enterprise linux; Fail2Ban v1.0.2

Error logged on startup with systemd:

> Failed during configuration: Have not found any log file for
> nginx-http-auth jail

But if I stop the service and start it by hand (based on the `ExecStart=/usr/bin/fail2ban-server -xf start` from fail2ban.service), it works. Log says:

> 2024-09-22 18:06:40,458 fail2ban.jail [32660]: INFO Creating new jail 'nginx-http-auth'
> 2024-09-22 18:06:40,458 fail2ban.jail [32660]: INFO Jail 'nginx-http-auth' uses poller {}
> 2024-09-22 18:06:40,458 fail2ban.jail [32660]: INFO Initiated 'polling' backend
> 2024-09-22 18:06:40,464 fail2ban.filter [32660]: INFO maxRetry: 5
> 2024-09-22 18:06:40,464 fail2ban.filter [32660]: INFO findtime: 1800
> 2024-09-22 18:06:40,464 fail2ban.actions [32660]: INFO banTime: 345600
> 2024-09-22 18:06:40,465 fail2ban.filter [32660]: INFO encoding: UTF-8
> 2024-09-22 18:06:40,465 fail2ban.filter [32660]: INFO Added logfile: '/var/log/nginx/error.log' (pos = 198563, hash = 5b0439e3ff29925ce4d5aef82cb8d0767440a0d8)

What I don't understand is why it would behave differently when started with systemd vs by hand. I haven't changed any configs between doing this. I have even tried to hardwire it in jail.local, but every time I start it with systemd it seems to ignore the backend settings:

> [nginx-http-auth]
> enabled = true
> backend = polling
> journalmatch =

So I'm kind of at a loss. What would be allowing systemd to just completely steamroll the jail.local configs? Any help is greatly appreciated.

-Brandon

(PS, is there a discord server or something somewhere for this project?)
From: L. V. L. <lv...@om...> - 2024-08-14 19:39:53

On Wed, 14 Aug 2024, Harold Hallikainen via Fail2ban-users wrote:
> THANKS! I could not find that in any of the documentation (but I may have
> missed it). My server is getting swamped causing a whole lot of php-fpm to
> run.

Harold,

Don't forget the old standby:

    iptables -I INPUT -s <malicious IP> -j DROP

Block an IP until the next reboot (which will clear any transient rules). I use it regularly when one of our websites is getting sucked by a bot.

Lee
From: Harold H. <ha...@ha...> - 2024-08-14 18:28:35

On Wed, August 14, 2024 2:17 am, Aldo Necci wrote:
> On Tue, August 13, 2024 00:54, Harold Hallikainen via Fail2ban-users
> wrote:
>> When I use fail2ban-client to ban a specific IP, I usually see a 0 or 1
>> response. I have not been able to find the meaning of this in the
>> documentation. What do these responses mean?
>>
>> THANKS!
>>
>> Harold
>
> Hi,
>
> if you receive a "1" output, the IP is regularly banned because
> it was not banned before, it was not present in the fail2ban's database.
>
> if you receive a "0" output the IP was previously banned and no action is
> required.
>
> bye,
> Aldo Necci

THANKS! I could not find that in any of the documentation (but I may have missed it). My server is getting swamped causing a whole lot of php-fpm to run. I am now running a script every minute that restarts php-fpm if the server load is over 50%. A major source of the load appears to be ByteDance, so another daily script blocks all IP addresses with the ByteDance bot. Next in line appears to be Amazon Web Services. I'm working on blocking them.

Harold

--
Not sent from an iPhone.
From: Aldo N. <ne...@in...> - 2024-08-14 09:36:06

On Tue, August 13, 2024 00:54, Harold Hallikainen via Fail2ban-users wrote:
> When I use fail2ban-client to ban a specific IP, I usually see a 0 or 1
> response. I have not been able to find the meaning of this in the
> documentation. What do these responses mean?
>
> THANKS!
>
> Harold

Hi,

if you receive a "1" output, the IP is regularly banned because it was not banned before, it was not present in the fail2ban's database.

if you receive a "0" output the IP was previously banned and no action is required.

bye,
Aldo Necci

-----------------------------------------
This email was sent using SquirrelMail.
https://webmail3.inf.uniroma3.it
Web Site: http://www.squirrelmail.org
From: Tim B. <ti...@bo...> - 2024-08-13 12:47:44

Hello!

On Monday, 12.08.2024 at 15:54 -0700, Harold Hallikainen via Fail2ban-users wrote:
> When I use fail2ban-client to ban a specific IP, I usually see a 0
> or 1 response.

I see those when unbanning a specific address. The answer of "1" means that the address was found in my ruleset and unbanned. "0" means the address could not be found and was not unbanned.

Hope this helps!

Cheers,
tim

--
There is no character, howsoever good and fine, but it can be destroyed by ridicule, howsoever poor and witless. Observe the ass, for instance: his character is about perfect, he is the choicest spirit among all the humbler animals, yet see what ridicule has brought him to. Instead of feeling complimented when we are called an ass, we are left in doubt.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
From: Harold H. <ha...@ha...> - 2024-08-13 00:05:31

When I use fail2ban-client to ban a specific IP, I usually see a 0 or 1 response. I have not been able to find the meaning of this in the documentation. What do these responses mean?

THANKS!

Harold

--
Not sent from an iPhone.
From: Marco M. <mm...@do...> - 2024-07-26 08:45:02

Hello!

I use firewallcmd-ipset as action and the ipset will be created and listed by ipset list. Although, it is not listed in firewall-cmd --get-ipsets

What happens here?

--
kind regards
Marco
From: vom513 <vo...@gm...> - 2024-07-14 18:16:20

Hello all,

Been really pulling my hair out on this one. A bit of background… I’m running Debian 12 on the machines in question. As some of you may be aware - in Debian 12 the default is that (nearly) all logs go to systemd journal - NOT /var/log/*

So as such I’ve had to change my fail2ban configs to interface with this. On one machine, I’m looking at sshd, postfix-sasl and some other things. On this machine the bans/blocks work as well as being logged into the systemd journal:

    root@orbital:/etc/fail2ban# journalctl -u fail2ban | grep -w Ban | wc -l
    20

On another machine, I really only care about openvpn. As openvpn doesn’t seem to have an included filter with fail2ban (at least on Debian 12), I am using these instructions: https://gist.github.com/drmalex07/463e4c7356bcfb2b3d21ff9fdc5aa6b3

My jail.local definition is:

    [openvpn]
    enabled = true
    port = 11194
    protocol = udp
    filter = openvpn
    maxretry = 5

I have one success and two problems with this setup. The success is that it actually blocks - great !

The two problems (might be related ? hence me posting here…):

- NOTICE [openvpn] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.

  I get this as it’s sucking in the whole journal by default. However no amount of journalmatch etc that I have tried seems to work to avoid this.

- Even though the bans are working, they are logged to /var/log/fail2ban.log - NOT into systemd journal.

On my other machine as listed as above - I get the bans as well as the logs into the journal. On that machine I have the global backend set to systemd, but my sshd jail also has:

    backend = %(sshd_backend)s

I don’t have anything like that for openvpn. Dunno if that is a cause or a red herring.

Would greatly appreciate any help on this. Thanks.
From: Marco M. <mm...@do...> - 2024-07-05 17:09:59

Hello!

I want to use firewalld-ipset and log it to dmesg. Only firewallcmd-ipset works fine, but if I add the logging, the commands will fail.

    banaction = firewallcmd-ipset firewallcmd-rich-logging

    2024-07-05 17:52:23,585 fail2ban.utils [268930]: ERROR ffff84c29930 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='92.249.48.197' port port='$p' protocol='tcp' log prefix='f2b-rslight' level='info' limit value='1/m' reject type='icmp-admin-prohibited'"; done

$p isn't resolved to the port definition. Is that a fault of my configuration or anything else?

    root@pi-dach:~# grep -v '^#\|^$' /etc/fail2ban/action.d/firewallcmd-rich-logging.conf
    [INCLUDES]
    before = firewallcmd-rich-rules.conf
    [Definition]
    rich-suffix = log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>
    [Init]
    level = info
    rate = 1
    root@pi-dach:~#
    root@pi-dach:~# grep -v '^#\|^$' /etc/fail2ban/action.d/firewallcmd-ipset.conf
    [INCLUDES]
    before = firewallcmd-common.conf
    [Definition]
    actionstart = <ipstype_<ipsettype>/actionstart>
                  firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
    actionflush = <ipstype_<ipsettype>/actionflush>
    actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
                 <actionflush>
                 <ipstype_<ipsettype>/actionstop>
    actionban = <ipstype_<ipsettype>/actionban>
    actionunban = <ipstype_<ipsettype>/actionunban>
    [ipstype_ipset]
    actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
    actionflush = ipset flush <ipmset>
    actionstop = ipset destroy <ipmset>
    actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
    actionunban = ipset -exist del <ipmset> <ip>
    [ipstype_firewalld]
    actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
    actionflush =
    actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
    actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
    actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
    [Init]
    chain = INPUT_direct
    default-ipsettime = 0
    ipsettime = 0
    timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
    ipsettype = ipset
    actiontype = <multiport>
    allports = -p <protocol>
    multiport = -p <protocol> -m multiport --dports <port>
    ipmset = f2b-<name>
    familyopt =
    firewalld_familyopt =
    [Init?family=inet6]
    ipmset = f2b-<name>6
    familyopt = family inet6
    firewalld_familyopt = --option=family=inet6
    root@pi-dach:~#

--
kind regards
Marco
From: Alex <mys...@gm...> - 2024-06-18 15:37:30

Hi,

> BTW, I can't crack it for the moment.
>>> OK so this isn't going to be quite so neat. You need to add a line:
>>>
>>> ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
>>>
>>> to the mdre-normal section. Generally the recommended way is to create a
>>> postfix.local file, but this would need to contain:
>>>
>>
>> This got mangled by gmail, but I was able to copy the postfix.conf to
>> postfix.local and make it somewhat resemble what you pasted, and it appears
>> to work.
>>
>
> Actually, it works with fail2ban-regex but isn't catching them from the
> live logs.
>

Fixed it. It turned out that even though syslog_mail in paths-fedora.conf was pointing to the proper maillog, it apparently wasn't being considered by the postfix.conf filter. I had to add logpath to my jail.conf:

    [postfix]
    filter = postfix
    maxretry = 1
    bantime = 48h
    enabled = true
    mode = normal
    logpath = %(syslog_mail)s
From: Nick H. <ni...@ho...> - 2024-06-17 09:38:32

On 17/06/2024 01:46, Alex wrote:
> Hi,
>
> > BTW, I can't crack it for the moment.
> OK so this isn't going to be quite so neat. You need to add a line:
>
> ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
>
> to the mdre-normal section. Generally the recommended way is to create a
> postfix.local file, but this would need to contain:
>
> This got mangled by gmail, but I was able to copy the postfix.conf to
> postfix.local and make it somewhat resemble what you pasted, and it
> appears to work.
>
> It's what I had also done originally, but had the format wrong - I
> thought it more replaced the postfix.conf rather than supplement it.
>
> mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
> ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+
>
> I still don't understand the difference between mdre-* and mdpr-* :-(

I struggled with that yesterday because I don't understand <F-CONTENT>

> Also, how does it match 'postscreen' when the prefix doesn't contain
> that phrase?
> _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?

The \w+ catches one or more letters/numbers/"a few other bits like _" so catches postscreen. I don't really see the point of (?:/smtp[ds])? as it is optional (the trailing ?).

> prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

I have not managed to decode this line, but it looks like the prefregex matches ^%(__prefix_line)s directly followed by the mdpr-* string. The ^%(__prefix_line)s matches the date, server and daemon strings. The failregex is mdre-<mode> which has to appear after the mdre-* string

> Thanks,
> Alex

Someone with very detailed knowledge of regex has been playing a lot with this filter and it makes it hard to read. Why are there so many ^[]* and what do they mean? I am sure there is a much easier way of expressing it. Similarly there are many ?: and ?! which I think are OTT and make it harder to read.
From: Alex <mys...@gm...> - 2024-06-17 02:04:17

> > BTW, I can't crack it for the moment.
>> OK so this isn't going to be quite so neat. You need to add a line:
>>
>> ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
>>
>> to the mdre-normal section. Generally the recommended way is to create a
>> postfix.local file, but this would need to contain:
>>
>
> This got mangled by gmail, but I was able to copy the postfix.conf to
> postfix.local and make it somewhat resemble what you pasted, and it appears
> to work.
>

Actually, it works with fail2ban-regex but isn't catching them from the live logs. Here's what I have in my jail.conf:

    [postfix]
    filter = postfix
    maxretry = 1
    bantime = 48h
    enabled = true
    mode = normal

I've also attached my whole postfix.conf here, just in case.
From: Alex <mys...@gm...> - 2024-06-17 00:46:33

Hi,

> > BTW, I can't crack it for the moment.
> OK so this isn't going to be quite so neat. You need to add a line:
>
> ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
>
> to the mdre-normal section. Generally the recommended way is to create a
> postfix.local file, but this would need to contain:
>

This got mangled by gmail, but I was able to copy the postfix.conf to postfix.local and make it somewhat resemble what you pasted, and it appears to work.

It's what I had also done originally, but had the format wrong - I thought it more replaced the postfix.conf rather than supplement it.

    mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
    > ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+
    >

I still don't understand the difference between mdre-* and mdpr-* :-(

Also, how does it match 'postscreen' when the prefix doesn't contain that phrase?

    _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
    prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

Thanks,
Alex
From: Nick H. <ni...@ho...> - 2024-06-16 11:58:54

On 16/06/2024 09:33, Nick Howitt via Fail2ban-users wrote:
> On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
>> On 01/06/2024 09:29, Nick Howitt wrote:
>>> On 01/06/2024 00:59, Alex wrote:
>>>> Hi,
>>>>
>>>> > Ideally, I'd like to not have to modify that regexp and be able to
>>>> > add my own, much like what appears to be happening with mdre-errors.
>>>>
>>>> You don't have to. Append your own rules in a new line and test your
>>>> changed rule file with
>>>>
>>>> fail2ban-regex /log/file postfix
>>>>
>>>> and it should reply with text output like
>>>>
>>>> Yes, I understand that - I suppose it's the actual details of doing
>>>> that which I don't understand.
>>>>
>>>> What's the difference between the pr and re rules? For example:
>>>>
>>>> mdpr-errors = too many errors after \S+
>>>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>>>
>>>> I'm assuming the re version is the regexp necessary just to capture
>>>> the IP?
>>>>
>>>> So to add a new rule, I would simply copy this format with a new
>>>> name, like:
>>>>
>>>> mdpr-proto = Protocol error;
>>>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>>>
>>>> (One thing I never fixed was this: After editing my filter file,
>>>> previously working regexes started failing, e. g. they didn't match
>>>> any more - despite being unmodified.)
>>>>
>>>> Did you change the mode to no longer include those other regexes?
>>>> mode = errors
>>>>
>>>> Or specific in the jail.conf?
>>>>
>>>> [postfix]
>>>> filter = postfix[mode=aggressive]
>>>> maxretry = 1
>>>> bantime = 48h
>>>> enabled = true
>>>>
>>>> Thanks,
>>>> Alex
>>>>
>>> I find the postfix filters really hard to follow, but as far as I
>>> can see, if you go down your route, you then need to activate your
>>> protocol filters by building them into something like
>>> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>>>
>>> Now, mdre-proto is already part of mdre-normal which seems to be
>>> called by every filter so could be unnecessary. You could add a new
>>> line to mdpr-normal if you wanted and your filter would work with
>>> "mode = more", or you could adjust the mdpr-normal directly. Note
>>> that to do an override, you generally leave the
>>> filter.d/postfix.conf alone and create a filter.d/postfix.local. In
>>> it you could put:
>>>
>>> [Definition]
>>> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too
>>> many errors) after \S+)
>>> Protocol error;
>>>
>>> Nick
>> What are the log lines you are trying to match? Never mind. I've seen
>> your followup.
>
> BTW, I can't crack it for the moment.

OK so this isn't going to be quite so neat. You need to add a line:

    ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

to the mdre-normal section. Generally the recommended way is to create a postfix.local file, but this would need to contain:

    [Definition]
    mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
        ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
        ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
        ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
        ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
        ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
        ^from [^[]*\[<HOST>\]%(_port)s:?
        ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

So you need to duplicate everything there then add your extra line.

Nick
From: Nick H. <ni...@ho...> - 2024-06-16 08:33:24

On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
> On 01/06/2024 09:29, Nick Howitt wrote:
>> On 01/06/2024 00:59, Alex wrote:
>>> Hi,
>>>
>>> > Ideally, I'd like to not have to modify that regexp and be able to
>>> > add my own, much like what appears to be happening with mdre-errors.
>>>
>>> You don't have to. Append your own rules in a new line and test your
>>> changed rule file with
>>>
>>> fail2ban-regex /log/file postfix
>>>
>>> and it should reply with text output like
>>>
>>> Yes, I understand that - I suppose it's the actual details of doing
>>> that which I don't understand.
>>>
>>> What's the difference between the pr and re rules? For example:
>>>
>>> mdpr-errors = too many errors after \S+
>>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>>
>>> I'm assuming the re version is the regexp necessary just to capture
>>> the IP?
>>>
>>> So to add a new rule, I would simply copy this format with a new
>>> name, like:
>>>
>>> mdpr-proto = Protocol error;
>>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>>
>>> (One thing I never fixed was this: After editing my filter file,
>>> previously working regexes started failing, e. g. they didn't match
>>> any more - despite being unmodified.)
>>>
>>> Did you change the mode to no longer include those other regexes?
>>> mode = errors
>>>
>>> Or specific in the jail.conf?
>>>
>>> [postfix]
>>> filter = postfix[mode=aggressive]
>>> maxretry = 1
>>> bantime = 48h
>>> enabled = true
>>>
>>> Thanks,
>>> Alex
>>>
>> I find the postfix filters really hard to follow, but as far as I can
>> see, if you go down your route, you then need to activate your
>> protocol filters by building them into something like
>> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>>
>> Now, mdre-proto is already part of mdre-normal which seems to be
>> called by every filter so could be unnecessary. You could add a new
>> line to mdpr-normal if you wanted and your filter would work with
>> "mode = more", or you could adjust the mdpr-normal directly. Note
>> that to do an override, you generally leave the filter.d/postfix.conf
>> alone and create a filter.d/postfix.local. In it you could put:
>>
>> [Definition]
>> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many
>> errors) after \S+)
>> Protocol error;
>>
>> Nick
> What are the log lines you are trying to match?
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Never mind. I've seen your followup.

BTW, I can't crack it for the moment.
From: Nick H. <ni...@ho...> - 2024-06-16 07:23:41

On 01/06/2024 09:29, Nick Howitt wrote:
> On 01/06/2024 00:59, Alex wrote:
>> Hi,
>>
>> > Ideally, I'd like to not have to modify that regexp and be able to
>> > add my own, much like what appears to be happening with mdre-errors.
>>
>> You don't have to. Append your own rules in a new line and test your
>> changed rule file with
>>
>> fail2ban-regex /log/file postfix
>>
>> and it should reply with text output like
>>
>> Yes, I understand that - I suppose it's the actual details of doing
>> that which I don't understand.
>>
>> What's the difference between the pr and re rules? For example:
>>
>> mdpr-errors = too many errors after \S+
>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>> I'm assuming the re version is the regexp necessary just to capture
>> the IP?
>>
>> So to add a new rule, I would simply copy this format with a new
>> name, like:
>>
>> mdpr-proto = Protocol error;
>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>> (One thing I never fixed was this: After editing my filter file,
>> previously working regexes started failing, e. g. they didn't match
>> any more - despite being unmodified.)
>>
>> Did you change the mode to no longer include those other regexes?
>> mode = errors
>>
>> Or specific in the jail.conf?
>>
>> [postfix]
>> filter = postfix[mode=aggressive]
>> maxretry = 1
>> bantime = 48h
>> enabled = true
>>
>> Thanks,
>> Alex
>>
> I find the postfix filters really hard to follow, but as far as I can
> see, if you go down your route, you then need to activate your
> protocol filters by building them into something like
> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>
> Now, mdre-proto is already part of mdre-normal which seems to be
> called by every filter so could be unnecessary. You could add a new
> line to mdpr-normal if you wanted and your filter would work with
> "mode = more", or you could adjust the mdpr-normal directly. Note that
> to do an override, you generally leave the filter.d/postfix.conf alone
> and create a filter.d/postfix.local. In it you could put:
>
> [Definition]
> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many
> errors) after \S+)
> Protocol error;
>
> Nick

What are the log lines you are trying to match?
From: Alex <mys...@gm...> - 2024-06-16 02:09:42

>> I find the postfix filters really hard to follow, but as far as I can
>> see, if you go down your route, you then need to activate your protocol
>> filters by building them into something like mdpr-extra/mdre-extra or have
>> another jail just calling "mode=proto".
>>
>> Now, mdre-proto is already part of mdre-normal which seems to be called
>> by every filter so could be unnecessary. You could add a new line to
>> mdpr-normal if you wanted and your filter would work with "mode = more", or
>> you could adjust the mdpr-normal directly. Note that to do an override, you
>> generally leave the filter.d/postfix.conf alone and create a
>> filter.d/postfix.local. In it you could put:
>>
>> [Definition]
>> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many
>> errors) after \S+)
>> Protocol error;
>>
>
> Adding the above did not work. Before I create a new filter that only
> processes these events, do you have any other ideas on what I should do?
>

I should have repeated that I'm trying to modify the postfix filter to also identify these postscreen lines:

    Jun 15 22:00:00 xavier postfix-116/postscreen[1600704]: NOQUEUE: reject: RCPT from [72.18.139.104]:42495: 550 5.5.1 Protocol error; from=< web...@my...>, to=<sal...@ex...>, proto=SMTP, helo=<rdnsq98.mytrueguide.com>

> Thanks,
> Alex
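An added example, in Python, that makes the two-stage matching this thread keeps circling back to concrete. It is not code from fail2ban or from any of the posters. The prefregex (the syslog prefix followed by mdpr-<mode>) is applied to the whole line first, and only the text it captures as <F-CONTENT> is then tried against the mdre-<mode> lines. It uses the _daemon, mdpr-normal and mdre-normal definitions quoted in the thread, Nick's extra "550 5.5.1 Protocol error" line, the mdre-errors line Alex asked about, and the postscreen reject from this message with the addresses replaced by constructed ones. The syslog prefix and the <HOST> expansion are simplified stand-ins for fail2ban's real definitions (IPv4 only), and the remaining sample lines are constructed.

```python
import re

# Constructed sample lines: the first is the postscreen reject from the thread
# with the addresses replaced; the others are made up for contrast.
SAMPLE_LOG = [
    "Jun 15 22:00:00 xavier postfix-116/postscreen[1600704]: NOQUEUE: reject: RCPT from "
    "[72.18.139.104]:42495: 550 5.5.1 Protocol error; from=<web@example.invalid>, "
    "to=<sales@example.invalid>, proto=SMTP, helo=<rdnsq98.example.invalid>",
    "Jun 15 22:00:01 xavier postfix/smtpd[1600710]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host blocked",
    "Jun 15 22:00:02 xavier postfix/smtpd[1600711]: connect from mail.example.invalid[198.51.100.9]",
    "Jun 15 22:00:03 xavier postfix/smtpd[1600712]: too many errors after RCPT from unknown[192.0.2.5]",
]

# Simplified stand-ins (assumptions, not fail2ban's own definitions): <HOST> is
# IPv4-only here, and __prefix_line is reduced to "date host daemon[pid]: ".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"                                   # %(_port)s in postfix.conf
DAEMON = r"postfix(-\w+)?/\w+(?:/smtp[ds])?"           # _daemon, as quoted in the thread
PREFIX_LINE = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<daemon>" + DAEMON + r")\[\d+\]: "

# mdpr-normal and a subset of mdre-normal as quoted by Nick; the last mdre line
# is the one he suggested adding for the "550 5.5.1 Protocol error" rejects.
MDPR_NORMAL = r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)"
MDRE_NORMAL = [
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)",
    r"^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;",
]
# mdre-errors from the thread; it is also the regex Alex proposed as mdre-proto.
MDRE_ERRORS = r"^from [^[]*\[<HOST>\]%(_port)s$"


def expand(rule):
    """Substitute the two placeholders postfix.conf relies on."""
    return rule.replace("<HOST>", HOST).replace("%(_port)s", PORT)


# prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
PREFREGEX = re.compile(PREFIX_LINE + MDPR_NORMAL + r" (?P<content>.+)$")
FAILREGEX_NORMAL = [re.compile(expand(r)) for r in MDRE_NORMAL]
FAILREGEX_ERRORS = [re.compile(expand(MDRE_ERRORS))]


def daemon_matches(daemon):
    """True if _daemon accepts this syslog tag (e.g. postfix-116/postscreen)."""
    return re.fullmatch(DAEMON, daemon) is not None


def content_of(line):
    """The <F-CONTENT> part: what is left once the prefix and mdpr-* are consumed."""
    m = PREFREGEX.search(line)
    return m.group("content") if m else None


def match_line(line, failregex=FAILREGEX_NORMAL):
    """Two-stage match as fail2ban does it: prefregex first, then each failregex
    against the captured content only. Returns (rule_index, host) or None."""
    content = content_of(line)
    if content is None:
        return None
    for i, rx in enumerate(failregex):
        fm = rx.search(content)
        if fm:
            return i, fm.group("host")
    return None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "|", content_of(line))
```

Running it shows why a `mdre-proto = ^from ...$` line could never fire on the postscreen reject: once mdpr-normal has consumed `NOQUEUE: reject:`, the content handed to the mdre lines starts with `RCPT from`, whereas `^from ...` is the shape of what is left after mdpr-errors has eaten `too many errors after RCPT` (the fourth sample line). That split between what the prefix regex consumes and what the failure regex sees is the whole difference between mdpr-* and mdre-*. The `\w+` after the slash in _daemon is what accepts `postfix-116/postscreen`.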
From: Alex <mys...@gm...> - 2024-06-16 02:06:35

Hi,

Finally able to get back to this....

On Sat, Jun 1, 2024 at 4:30 AM Nick Howitt via Fail2ban-users <fai...@li...> wrote:
> On 01/06/2024 00:59, Alex wrote:
>> Hi,
>>
>>> > Ideally, I'd like to not have to modify that regexp and be able to
>>> > add my own, much like what appears to be happening with mdre-errors.
>>>
>>> You don't have to. Append your own rules in a new line and test your
>>> changed rule file with
>>>
>>> fail2ban-regex /log/file postfix
>>>
>>> and it should reply with text output like
>>
>> Yes, I understand that - I suppose it's the actual details of doing that
>> which I don't understand.
>>
>> What's the difference between the pr and re rules? For example:
>>
>> mdpr-errors = too many errors after \S+
>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>> I'm assuming the re version is the regexp necessary just to capture the IP?
>>
>> So to add a new rule, I would simply copy this format with a new name,
>> like:
>>
>> mdpr-proto = Protocol error;
>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>>> (One thing I never fixed was this: After editing my filter file,
>>> previously working regexes started failing, e. g. they didn't match
>>> any more - despite being unmodified.)
>>
>> Did you change the mode to no longer include those other regexes?
>> mode = errors
>>
>> Or specific in the jail.conf?
>>
>> [postfix]
>> filter = postfix[mode=aggressive]
>> maxretry = 1
>> bantime = 48h
>> enabled = true
>>
>> Thanks,
>> Alex
>
> I find the postfix filters really hard to follow, but as far as I can see,
> if you go down your route, you then need to activate your protocol filters
> by building them into something like mdpr-extra/mdre-extra or have another
> jail just calling "mode=proto".
>
> Now, mdre-proto is already part of mdre-normal which seems to be called by
> every filter so could be unnecessary. You could add a new line to
> mdpr-normal if you wanted and your filter would work with "mode = more", or
> you could adjust the mdpr-normal directly. Note that to do an override, you
> generally leave the filter.d/postfix.conf alone and create a
> filter.d/postfix.local. In it you could put:
>
> [Definition]
> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many
> errors) after \S+)
> Protocol error;
>

Adding the above did not work. Before I create a new filter that only processes these events, do you have any other ideas on what I should do?

Thanks,
Alex
From: Tuxd00d <tu...@tu...> - 2024-06-14 19:06:32

I'm a long-time user of fail2ban, but my Python skills are still developing, and I’m not sure how to correct this:

OS Version: Amazon Linux release 2023.4.20240611 (Amazon Linux)
Source: https://github.com/fail2ban/fail2ban/archive/refs/tags/1.1.0.tar.gz

Installed:

    sudo python3 setup.py install
    sudo cp build/fail2ban.service /etc/systemd/system
    sudo systemctl enable fail2ban.service
    sudo systemctl start fail2ban

'sudo systemctl status fail2ban.service' result:

    ...
    Process: 10984 ExecStart=/usr/local/bin/fail2ban-server -xf start (code=exited, status=1/FAILURE)
    ...

'sudo journalctl -u fail2ban.service -b' result:

    systemd[1]: Starting fail2ban.service - Fail2Ban Service...
    systemd[1]: Started fail2ban.service - Fail2Ban Service.
    fail2ban-server[10984]: Traceback (most recent call last):
    fail2ban-server[10984]: File "/usr/local/bin/fail2ban-server", line 34, in <module>
    fail2ban-server[10984]: from fail2ban.client.fail2banserver import exec_command_line, sys
    fail2ban-server[10984]: ModuleNotFoundError: No module named 'fail2ban'
    fail2ban.service: Main process exited, code=exited, status=1/FAILURE
    fail2ban.service: Failed with result 'exit-code'.

Test:

    $ sudo /usr/local/bin/fail2ban-server -xf start
    Server ready
    $ fail2ban-python --version
    Python 3.9.16
    $ python3 --version
    Python 3.9.16
    $ whereis fail2ban-client
    fail2ban-client: /usr/local/bin/fail2ban-client

I reviewed https://github.com/fail2ban/fail2ban/issues?q=ModuleNotFoundError but didn’t find a solution that seemed to help, but maybe I missed what I needed.

Any advice is appreciated.

— Tuxd00d
From: Dudi G. <du...@ko...> - 2024-06-12 12:45:46

Hi,

I don’t see logpath defined anywhere in your files.

Regards,

D.

-----Original Message-----
From: Marco Moock <mm...@do...>
Sent: Wednesday, 12 June 2024 9:53
To: fai...@li...
Subject: [Fail2ban-users] Found no accessible config files for filter, but exists

Hello!

I am trying to create a custom jail for a webserver. When restarting config file parsing fails.

    ERROR Found no accessible config files for 'filter.d/rslight-sql.conf' under /etc/fail2ban

What causes this?

    root@pi-dach:~# cat /etc/fail2ban/jail.d/rslight.conf
    [rslight]
    enabled = true
    findtime = 1s
    maxretry = 1
    filter= rslight-sql.conf
    banaction = firewallcmd-allports.conf

    root@pi-dach:~# cat /etc/fail2ban/filter.d/rslight-sql.conf
    [Definition]
    failregex = <HOST> .*GET .*SELECT%%20.*HTTP

The file exists and can be read by everyone:

    -rw-r--r-- 1 root root 58 12. Jun 08:18 /etc/fail2ban/filter.d/rslight-sql.conf

--
kind regards
Marco

_______________________________________________
Fail2ban-users mailing list
Fai...@li...
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Marco M. <mm...@do...> - 2024-06-12 10:58:07
On 12.06.2024 at 08:52:46 Marco Moock wrote:

> filter= rslight-sql.conf
> banaction = firewallcmd-allports.conf

The issue was the .conf here.
If using filter= EXAMPLE it looks for /etc/fail2ban/filter.d/EXAMPLE.conf

--
kind regards
Marco

Send unsolicited bulk mail to 171...@ca...
From: Marco M. <mm...@do...> - 2024-06-12 08:37:47
On 12.06.2024 at 08:12:06 Dudi Goldenberg wrote:

> I don't see logpath defined anywhere in your files.

Thanks for pointing that out, this was indeed something I missed.
I've included it:

logpath = /var/log/apache2/access.log

Although, the error stays the same.

--
kind regards
Marco
From: Marco M. <mm...@do...> - 2024-06-12 06:53:18
Hello!

I am trying to create a custom jail for a webserver.
When restarting, config file parsing fails.

ERROR Found no accessible config files for 'filter.d/rslight-sql.conf' under /etc/fail2ban

What causes this?

root@pi-dach:~# cat /etc/fail2ban/jail.d/rslight.conf
[rslight]
enabled = true
findtime = 1s
maxretry = 1
filter= rslight-sql.conf
banaction = firewallcmd-allports.conf

root@pi-dach:~# cat /etc/fail2ban/filter.d/rslight-sql.conf
[Definition]
failregex = <HOST> .*GET .*SELECT%%20.*HTTP

The file exists and can be read by everyone:
-rw-r--r-- 1 root root 58 12. Jun 08:18 /etc/fail2ban/filter.d/rslight-sql.conf

--
kind regards
Marco
From: Nick H. <ni...@ho...> - 2024-06-01 08:29:52
On 01/06/2024 00:59, Alex wrote:
>
> Hi,
>
> > Ideally, I'd like to not have to modify that regexp and be able to
> > add my own, much like what appears to be happening with mdre-errors.
>
> You don't have to. Append your own rules in a new line and test your
> changed rule file with
>
> fail2ban-regex /log/file postfix
>
> and it should reply with text output like
>
> Yes, I understand that - I suppose it's the actual details of doing
> that which I don't understand.
>
> What's the difference between the pr and re rules? For example:
>
> mdpr-errors = too many errors after \S+
> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>
> I'm assuming the re version is the regexp necessary just to capture
> the IP?
>
> So to add a new rule, I would simply copy this format with a new name,
> like:
>
> mdpr-proto = Protocol error;
> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>
> (One thing I never fixed was this: After editing my filter file,
> previously working regexes started failing, e. g. they didn't match
> any more - despite being unmodified.)
>
> Did you change the mode to no longer include those other regexes?
> mode = errors
>
> Or specific in the jail.conf?
>
> [postfix]
> filter = postfix[mode=aggressive]
> maxretry = 1
> bantime = 48h
> enabled = true
>
> Thanks,
> Alex

I find the postfix filters really hard to follow, but as far as I can see, if you go down your route, you then need to activate your protocol filters by building them into something like mdpr-extra/mdre-extra or have another jail just calling "mode=proto". Now, mdre-proto is already part of mdre-normal which seems to be called by every filter so could be unnecessary. You could add a new line to mdpr-normal if you wanted and your filter would work with "mode = more", or you could adjust the mdpr-normal directly.

Note that to do an override, you generally leave the filter.d/postfix.conf alone and create a filter.d/postfix.local.

In it you could put:

[Definition]
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) Protocol error;

Nick
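Editor's note, an added example that is neither fail2ban's code nor anything posted in this thread. It models, in plain Python, the two-stage match that the stock filter.d/postfix.conf builds from its mdpr-/mdre- pairs as I read that file: `prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$` must match first, and only the text it captures as F-CONTENT is then tried against `failregex = <mdre-<mode>>`, which is where `<HOST>` is captured. That is the answer to the "pr versus re" question: the pr part selects the kind of log line, the re part extracts the address from what follows. The regex values, the syslog prefix, the IPv4-only `<HOST>` stand-in and the log lines are all constructed for the example; the `.local` override at the end is my rendering of the idea (a new alternative inside the group plus a matching mdre line), not Nick's exact line.

```python
import re

# Added example (not fail2ban's code): simplified model of the
# prefregex / failregex split used by filter.d/postfix.conf.

# Stand-in for common.conf's __prefix_line (assumption): syslog-style
# "Mon DD HH:MM:SS host postfix/<daemon>[pid]: ".
PREFIX_LINE = r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ postfix/\w+\[\d+\]: "
# fail2ban's <HOST> also covers IPv6 and host names; IPv4 only here (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = r"(?::\d+)?"  # what %(_port)s expands to in the stock filter

# Illustrative excerpt in the mdpr-<mode> / mdre-<mode> layout (values are
# constructed, not copied from the stock filter).  "pr" is matched by
# prefregex and decides which lines are looked at; "re" runs on the rest of
# the line (F-CONTENT) and captures <HOST>.  A multi-line mdre value is a
# list of alternatives here.
CONF = {
    "mdpr-normal": r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)",
    "mdre-normal": [r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s"],
    "mdpr-errors": r"too many errors after \S+",
    "mdre-errors": [r"^from [^[]*\[<HOST>\]%(_port)s$"],
}

# What a filter.d/postfix.local might carry: a key in .local replaces the
# same key from .conf.  This version adds "Protocol error;" as one more
# alternative in the prefix and an mdre line that can capture the host
# from what follows it (my rendering, not the line posted above).
LOCAL = {
    "mdpr-normal": CONF["mdpr-normal"][:-1] + r"|Protocol error;)",
    "mdre-normal": CONF["mdre-normal"] + [r"^from [^[]*\[<HOST>\]%(_port)s$"],
}


def compile_filter(definition: dict, mode: str):
    """Resolve prefregex and failregex for one mode (simplified model)."""
    pref = re.compile("^" + PREFIX_LINE + definition["mdpr-" + mode] + r" (?P<content>.+)$")
    fails = [re.compile(r.replace("%(_port)s", PORT_RE).replace("<HOST>", HOST_RE))
             for r in definition["mdre-" + mode]]
    return pref, fails


def match_host(definition: dict, mode: str, line: str):
    """Host a line would be attributed to under this definition/mode, or None."""
    pref, fails = compile_filter(definition, mode)
    m = pref.match(line)
    if not m:
        return None  # prefregex did not match: failregex is never tried
    content = m.group("content")
    for fail in fails:
        f = fail.search(content)
        if f:
            return f.group("host")
    return None


# Constructed log lines (assumption: not real Postfix output).
LINES = [
    "Jun 12 10:00:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<a@example.net>",
    "Jun 12 10:00:01 mx postfix/smtpd[1234]: too many errors after DATA from unknown[198.51.100.9]",
    "Jun 12 10:00:02 mx postfix/smtpd[1234]: Protocol error; from unknown[192.0.2.5]",
    "Jun 12 10:00:03 mx postfix/smtpd[1234]: connect from unknown[203.0.113.8]",
]


def run(definition: dict, mode: str) -> list:
    """Hosts extracted from LINES, one entry per line."""
    return [match_host(definition, mode, line) for line in LINES]


if __name__ == "__main__":
    print("normal, .conf only :", run(CONF, "normal"))
    print("errors, .conf only :", run(CONF, "errors"))
    print("normal, with .local:", run({**CONF, **LOCAL}, "normal"))
```

Two things the output makes visible that the config alone does not: with the stock-style pairs, the "too many errors" line passes the normal-mode prefix but is dropped because no normal-mode mdre line starts with `from`, so it is only caught in errors mode; and once the `.local` override is in place, that same line is caught in normal mode too, because the added mdre alternative now matches its content. The second effect is why changing a mode's pr/re pair can alter which previously working lines match, which is worth re-checking with `fail2ban-regex` after every edit.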
From: Alex <mys...@gm...> - 2024-05-31 23:59:48
Hi,

> > Ideally, I'd like to not have to modify that regexp and be able to
> > add my own, much like what appears to be happening with mdre-errors.
>
> You don't have to. Append your own rules in a new line and test your
> changed rule file with
>
> fail2ban-regex /log/file postfix
>
> and it should reply with text output like

Yes, I understand that - I suppose it's the actual details of doing that which I don't understand.

What's the difference between the pr and re rules? For example:

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

I'm assuming the re version is the regexp necessary just to capture the IP?

So to add a new rule, I would simply copy this format with a new name, like:

mdpr-proto = Protocol error;
mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$

> (One thing I never fixed was this: After editing my filter file,
> previously working regexes started failing, e. g. they didn't match
> any more - despite being unmodified.)

Did you change the mode to no longer include those other regexes?

mode = errors

Or specific in the jail.conf?

[postfix]
filter = postfix[mode=aggressive]
maxretry = 1
bantime = 48h
enabled = true

Thanks,
Alex