From: Christoph T. <th...@gm...> - 2014-05-07 16:01:29

Hello!

On 05.05.2014 19:47, Fabian Wenk wrote:
>> I don't think the bug is BSD specific, except that the action bsd-ipfw
>> is BSD only. And I don't know where the type of <table> is defined and
>> if one can change the type to CMD just so.
>
> The <table> can be set in the jail configuration, like it is in
> my example. It will also be preset (in the [Init] section) if the
> bsd-ipfw action is used without configuring own ipfw rules and a
> table argument in the jail configuration.

So the problem is in the way fail2ban expands variables in the actions? Which is not something I can fix easily. Or is it sufficient to change definitions in the bsd-ipfw action?

Christoph
From: Yaroslav H. <li...@on...> - 2014-05-07 13:45:40

1. make sure that you still have a jump from INPUT chain to fail2ban-ssh and it is before any ACCEPT rule ;)

2. zero out hits (iptables -Z) and then whenever again such attempt gets through check if count was increased (mystery how then it got through) or not (somehow mismatched)

On Wed, 07 May 2014, r fancher wrote:
> iptables -L -n -v | grep "220.177.198"
>   22   880 DROP   all -- * * 220.177.198.0/24 0.0.0.0/0
>  527 31984 REJECT all -- * * 220.177.198.31   0.0.0.0/0 reject-with icmp-port-unreachable
>   16  1044 REJECT all -- * * 220.177.198.33   0.0.0.0/0 reject-with icmp-port-unreachable
>    0     0 REJECT all -- * * 220.177.198.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Ok maybe the word global was the wrong word. I banned the whole subnet
> rather than 1.
>
> > not sure what "global ban" is (and thus how it was "put"), thus
> > -- first check either you have those rules in your iptables
> > iptables -L -n -v
>
> On Sun, 04 May 2014, r fancher wrote:
> > A month ago this "person" made several attempts at accessing my site so I
> > put in a global ban:
> > -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
> > But today I saw the following which is concerning me that fail2ban isn't
> > actually working:
> > May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
> > May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
> > May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
> > May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root
> > 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> > 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> > I have the standard defaults in my conf file:
> > [ssh]
> > enabled = true
> > port = ssh
> > filter = sshd
> > logpath = /var/log/auth.log
> > maxretry = 1
> > I have also seen various other ip's banned yet still give the result logs
> > as if they were met with a user/pass challenge.
> > These were already in place before I put in a global ban:
> > -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
> > -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
> > Even without the global ban they used the same IP's and still was met with
> > the ssh challenge, why is that? I know it works because I have banned
> > myself on several occasions, so why am I still seeing this in the logs?
> ------------------------------------------------------------------------------
> Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
> • 3 signs your SCM is hindering your productivity
> • Requirements for releasing software faster
> • Expert tips and advice for migrating your SCM now
> http://p.sf.net/sfu/perforce
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
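Both of Yaroslav's checks can be done against iptables output rather than by eye. The following is an added example, not code from the thread or from fail2ban: the `iptables -S` listing and the two `iptables -L -n -v` snapshots are constructed to mirror the poster's setup (sshd on port 22, chain fail2ban-ssh, bans on 220.177.198.0/24); no real host is queried.

```python
"""Point 1: is there a jump from INPUT to fail2ban-ssh, and does an ACCEPT that
could match new SSH connections sit in front of it?  Point 2: after
`iptables -Z`, did the ban rule's packet counter move on the next attempt?"""
import ipaddress

# Constructed `iptables -S` output. The port-22 ACCEPT placed before the jump
# to fail2ban-ssh is the misordering point 1 tells you to look for.
RULES_S = """\
-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""

# Constructed `iptables -L -n -v fail2ban-ssh` snapshots: right after
# `iptables -Z`, and again after one more attempt from 220.177.198.33.
BEFORE = """\
Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       220.177.198.33       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
AFTER = BEFORE.replace("    0     0 REJECT", "    3   180 REJECT")


def parse_rules(text):
    """[(chain, tokens)] for every -A line of `iptables -S` output."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules


def _opt(tokens, *flags):
    """Value following the first of `flags` present in `tokens`, else None."""
    for flag in flags:
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None


def shadowing_accepts(rules, port, chain="INPUT", target="fail2ban-ssh"):
    """Point 1. Returns (jump_found, accepts): the ACCEPT rules in `chain` that
    precede the jump to `target` and could match a new connection to `port`.
    Heuristic: not loopback-only, not state-limited, and either no port match
    at all or a port list that contains `port`."""
    accepts, jump_found = [], False
    for c, tokens in rules:
        if c != chain:
            continue
        tgt = _opt(tokens, "-j")
        if tgt == target:
            jump_found = True
            break
        if tgt != "ACCEPT" or _opt(tokens, "-i") == "lo" or "--state" in tokens:
            continue
        ports = _opt(tokens, "--dport", "--dports")
        if ports is None or str(port) in ports.split(","):
            accepts.append(" ".join(tokens))
    return jump_found, accepts


def verdict_for(rules, ip, chain="fail2ban-ssh"):
    """First REJECT/DROP in `chain` whose -s covers `ip`; None if RETURN wins."""
    addr = ipaddress.ip_address(ip)
    for c, tokens in rules:
        if c != chain:
            continue
        src = _opt(tokens, "-s")
        if src is None or addr in ipaddress.ip_network(src, strict=False):
            tgt = _opt(tokens, "-j")
            if tgt in ("REJECT", "DROP"):
                return tgt
            if tgt == "RETURN":
                return None
    return None


def parse_counters(text):
    """Point 2. (target, source) -> packet count from `iptables -L -n -v`.
    On a real host add `-x` so large counters are not abbreviated (e.g. 12K)."""
    counters = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit():
            counters[(f[2], f[7])] = int(f[0])
    return counters


def counter_growth(before, after):
    """Rules whose packet counter increased between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: v - b.get(k, 0) for k, v in a.items() if v > b.get(k, 0)}


if __name__ == "__main__":
    rules = parse_rules(RULES_S)
    print(shadowing_accepts(rules, 22))      # (True, ['-p tcp -m tcp --dport 22 -j ACCEPT'])
    print(verdict_for(rules, "220.177.198.33"))  # REJECT
    print(counter_growth(BEFORE, AFTER))     # {('REJECT', '220.177.198.33'): 3}
```

If `shadowing_accepts` reports a rule, new SSH connections are accepted before the packet ever reaches fail2ban-ssh, which is exactly the symptom of a ban that "does not work" while the rules look right.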
From: r f. <rfa...@ya...> - 2014-05-07 10:49:31

iptables -L -n -v | grep "220.177.198"
  22   880 DROP   all -- * * 220.177.198.0/24 0.0.0.0/0
 527 31984 REJECT all -- * * 220.177.198.31   0.0.0.0/0 reject-with icmp-port-unreachable
  16  1044 REJECT all -- * * 220.177.198.33   0.0.0.0/0 reject-with icmp-port-unreachable
   0     0 REJECT all -- * * 220.177.198.0/24 0.0.0.0/0 reject-with icmp-port-unreachable

Ok maybe the word global was the wrong word. I banned the whole subnet rather than 1.

> not sure what "global ban" is (and thus how it was "put"), thus
> -- first check either you have those rules in your iptables
> iptables -L -n -v

On Sun, 04 May 2014, r fancher wrote:
> A month ago this "person" made several attempts at accessing my site so I
> put in a global ban:
> -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
> But today I saw the following which is concerning me that fail2ban isn't
> actually working:
> May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
> May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
> May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
> May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root
> 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> I have the standard defaults in my conf file:
> [ssh]
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 1
> I have also seen various other ip's banned yet still give the result logs
> as if they were met with a user/pass challenge.
> These were already in place before I put in a global ban:
> -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
> -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
> Even without the global ban they used the same IP's and still was met with
> the ssh challenge, why is that? I know it works because I have banned
> myself on several occasions, so why am I still seeing this in the logs?
From: Fabian W. <fa...@we...> - 2014-05-05 17:47:10

Hello Christoph

On 05.05.14 10:22, Christoph Theis wrote:
> On 04.05.2014 19:14, Fabian Wenk wrote:
>> I have just upgraded to fail2ban 0.9.0 on FreeBSD (9.1-RELEASE)
>> and I do see the below errors during shutdown of fail2ban. This
>> worked just fine up until 0.8.12. As I see it, there is no
>> difference of action.d/bsd-ipfw.conf between 0.8.12 and 0.9.0.
>
> There is a bug entry for this:
> https://github.com/fail2ban/fail2ban/issues/713

Thanks for pointing this out to me, I should have checked the bug reports first.

> I don't think the bug is BSD specific, except that the action bsd-ipfw
> is BSD only. And I don't know where the type of <table> is defined and
> if one can change the type to CMD just so.

The <table> can be set in the jail configuration, like it is in my example. It will also be preset (in the [Init] section) if the bsd-ipfw action is used without configuring own ipfw rules and a table argument in the jail configuration.

bye
Fabian
From: Zurd <zu...@gm...> - 2014-05-05 16:27:12

cp -R /etc/fail2ban /etc/fail2ban-bkp

Update and put back your configuration! Else if you created a jail.local file and the only thing you modified was this file, you can safely update.

On Mon, May 5, 2014 at 12:20 PM, Cristiano Nuzzo <cri...@gm...> wrote:
> Hi everybody, I'd like to upgrade fail2ban to the latest but I don't want
> to lose all my settings. Can you guys point me to the right steps? Thanks
> in advance.
From: Cristiano N. <cri...@gm...> - 2014-05-05 16:21:00

Hi everybody, I'd like to upgrade fail2ban to the latest but I don't want to lose all my settings. Can you guys point me to the right steps? Thanks in advance.
From: Yaroslav H. <li...@on...> - 2014-05-05 14:10:46

not sure what "global ban" is (and thus how it was "put"), thus -- first check either you have those rules in your iptables

iptables -L -n -v

On Sun, 04 May 2014, r fancher wrote:
> A month ago this "person" made several attempts at accessing my site so I
> put in a global ban:
> -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
> But today I saw the following which is concerning me that fail2ban isn't
> actually working:
> May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
> May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
> May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
> May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root
> 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> I have the standard defaults in my conf file:
> [ssh]
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 1
> I have also seen various other ip's banned yet still give the result logs
> as if they were met with a user/pass challenge.
> These were already in place before I put in a global ban:
> -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
> -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
> Even without the global ban they used the same IP's and still was met with
> the ssh challenge, why is that? I know it works because I have banned
> myself on several occasions, so why am I still seeing this in the logs?

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
From: Christoph T. <th...@gm...> - 2014-05-05 08:22:27

On 04.05.2014 19:14, Fabian Wenk wrote:
> Hello
>
> I have just upgraded to fail2ban 0.9.0 on FreeBSD (9.1-RELEASE)
> and I do see the below errors during shutdown of fail2ban. This
> worked just fine up until 0.8.12. As I see it, there is no
> difference of action.d/bsd-ipfw.conf between 0.8.12 and 0.9.0.

There is a bug entry for this: https://github.com/fail2ban/fail2ban/issues/713

I don't think the bug is BSD specific, except that the action bsd-ipfw is BSD only. And I don't know where the type of <table> is defined and if one can change the type to CMD just so.

Christoph
From: r f. <rfa...@ya...> - 2014-05-05 02:19:28

A month ago this "person" made several attempts at accessing my site so I put in a global ban:

-A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable

But today I saw the following which is concerning me that fail2ban isn't actually working:

May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root

2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31

I have the standard defaults in my conf file:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1

I have also seen various other ip's banned yet still give the result logs as if they were met with a user/pass challenge.

These were already in place before I put in a global ban:

-A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable

Even without the global ban they used the same IP's and still was met with the ssh challenge, why is that? I know it works because I have banned myself on several occasions, so why am I still seeing this in the logs?
From: Mark C. <ch...@sw...> - 2014-05-04 21:00:20

Steven, thank you very much for your helpful and thoughtful reply. I've now read up on (?P<name>...) and see how that combined with <SKIPLINES> will handily solve the problem.

I'm stuck at the moment because FreeBSD doesn't have 0.9 yet and in this case I need to use what's available from the package manager. So I can't do it yet, but I know what to do when 0.9 is available.

Oh, and the sendmail-reject.conf you linked to looks like it is already good, so I likely won't have any real work to do.

Thanks!

Mark

On Sat, May 03, 2014 at 09:11:07PM +0100, Steven Hiscocks wrote:
> On 03/05/14 19:33, Mark Costlow wrote:
> > Hello. I have a couple of questions about the regexes in the
> > sendmail filter shown here: http://www.fail2ban.org/wiki/index.php/Sendmail
> I'm not familiar with sendmail, but I believe some of these regexs may
> be susceptible to denial of service e.g. email address `"[192.168.1.1]
> to MTA"@example.com` is a valid email address which will match!
> >
> > I'm specifically concerned with the User unknown portion:
> >
> > (User unknown)\n* \[<HOST>\]
> >
> > 1. How does the newline work in this context? Does fail2ban
> > separately parse the next line and eat the timestamp, so that
> > " \[<HOST>\]" becomes like another failregex to match against the
> > next line? i.e. is " \[<HOST>\]" anchored to the beginning of that
> > next line, or can it be anywhere? If the latter, why does it not
> > need a ".*" to eat the intervening text?
> I think you're right that this does indeed need a .* to properly capture
> the line. However I'm unfamiliar with sendmail so I may be wrong. As
> with single line regexs, all timestamps are stripped out for multi line.
> Also, the correct way to handle regexs over multiple lines (where you do
> not know if they are indeed one after another) is to use `<SKIPLINES>`
> option. This will allow non matched lines between matching lines to be
> kept and not lost. See jail.conf(5) man page
> >
> > 2. On a busy mail server, the "related" line which would have the
> > IP address on it might not immediately follow the "User unknown"
> > line. You can tie them together by QID, but they're not adjacent.
> > Does the above regex work in that environment?
> You should be able to tie them together with a common element to the
> line. This generally can be done with (?P<name>...) and (?P=name)
> regexs. See: https://docs.python.org/2/library/re.html
> Also see example for sshd filter, which uses the fact that the line
> prefix is the same (as the line prefix contains the PID, which should be
> different for each connection for sshd).
> >
> > It occurred to me fail2ban might be doing some magic to concatenate
> > log lines with the same QID but I couldn't find any evidence of that.
> I wish there was some magic in Fail2Ban ;-)
> >
> > Thanks in advance,
> >
> > Mark
> >
> Also note that the latest filter has a multiline regex for invalid user,
> but it does seem different to the one on the wiki. Might be worth
> checking out as it may already have a regex for you:
> https://github.com/fail2ban/fail2ban/blob/50d938e0bf12ef981ceb7860c99f5c30ba304d4d/config/filter.d/sendmail-reject.conf
>
> If you do find a new filter for sendmail, please share it here or on
> github, and we can add it to upstream so everyone can benefit. If you're
> not sure about building the regex, any example log lines you have not
> already in the Fail2Ban tests would also be great. see:
> https://github.com/fail2ban/fail2ban/tree/master/fail2ban/tests/files/logs
>
> Thanks ☺
> --
> Steven Hiscocks
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos. Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
ch...@sw... | Web: www.swcp.com | Voice: +1-505-232-7992
Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download or in the App Store
From: Fabian W. <fa...@we...> - 2014-05-04 17:37:42

Hello

I have just upgraded to fail2ban 0.9.0 on FreeBSD (9.1-RELEASE) and I do see the below errors during shutdown of fail2ban. This worked just fine up until 0.8.12. As I see it, there is no difference of action.d/bsd-ipfw.conf between 0.8.12 and 0.9.0.

My jail configuration looks like this:

[ssh]
enabled = true
port = ssh
filter = sshd
action = bsd-ipfw[table=22]
logpath = /var/log/auth.log
bantime = 3600
findtime = 900
maxretry = 3

And I have manually added the following rule to ipfw:

ipfw add 6 unreach port tcp from table(22) to me 22 in

And here are the log lines from fail2ban.log, the errors are similar for other jails which are setup like the above ssh jail. (Sorry for the line wrapping):

2014-05-04 18:07:25,349 fail2ban.server.action[82697]: ERROR [ ! -f /var/run/fail2ban/ipfw-started-table_<table> ] || ( read num < "/var/run/fail2ban/ipfw-started-table_<table>" ipfw -q delete $num rm "/var/run/fail2ban/ipfw-started-table_<table>" ) -- stdout: ''
2014-05-04 18:07:25,350 fail2ban.server.action[82697]: ERROR [ ! -f /var/run/fail2ban/ipfw-started-table_<table> ] || ( read num < "/var/run/fail2ban/ipfw-started-table_<table>" ipfw -q delete $num rm "/var/run/fail2ban/ipfw-started-table_<table>" ) -- stderr: 'cannot open table: No such file or directory\ncannot open /var/run/fail2ban/ipfw-started-table_<table>: No such file or directory\nipfw: missing rule specification\nrm: /var/run/fail2ban/ipfw-started-table_<table>: No such file or directory\n'
2014-05-04 18:07:25,350 fail2ban.server.action[82697]: ERROR [ ! -f /var/run/fail2ban/ipfw-started-table_<table> ] || ( read num < "/var/run/fail2ban/ipfw-started-table_<table>" ipfw -q delete $num rm "/var/run/fail2ban/ipfw-started-table_<table>" ) -- returned 1
2014-05-04 18:07:25,350 fail2ban.server.actions[82697]: ERROR Failed to stop jail 'ssh' action 'bsd-ipfw': Error stopping action
2014-05-04 18:07:25,352 fail2ban.server.jail[82697]: INFO Jail 'ssh' stopped

When fail2ban is running, I do not have any of the ipfw-started-table_* files in /var/run/fail2ban/.

It looks like the check for the non-existent <startstatefile> goes wrong when fail2ban 0.9.0 does run the below actionstop from bsd-ipfw action (it is the same on 0.8.12, which was working):

actionstop = [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br>
              ipfw -q delete $num <br>
              rm "<startstatefile>" )

What did change with fail2ban 0.9.0 regarding this kind of actionstop?

bye
Fabian
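The log above shows the command reaching the shell with a literal `<table>` still inside the path, so the `<table>` nested in the value of `<startstatefile>` was never substituted. The following is an added illustration, not fail2ban's own code and not a diagnosis of the 0.9.0 bug: it expands fail2ban-style `<tag>` references until nothing changes, then refuses to hand over a command that still carries a tag. The actionstop and the `table=22` value are taken from Fabian's report; mapping `<br>` to a newline is an assumption.

```python
"""Expand nested <tag> references in an action command and flag leftovers."""
import re

TAG = re.compile(r"<([A-Za-z_][A-Za-z0-9_-]*)>")

# actionstop as quoted from action.d/bsd-ipfw.conf in the thread.
ACTIONSTOP = (
    '[ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br>'
    " ipfw -q delete $num <br>"
    ' rm "<startstatefile>" )'
)

# Tag values as a jail with `action = bsd-ipfw[table=22]` would supply them.
# <startstatefile> itself contains <table>, so a single substitution pass
# leaves a literal <table> behind, which is what Fabian's log lines show.
TAGS = {
    "table": "22",
    "startstatefile": "/var/run/fail2ban/ipfw-started-table_<table>",
    "br": "\n",  # assumption: the action-file line separator becomes a newline
}


def expand_once(command, tags):
    """One substitution pass; unknown tags are left untouched."""
    return TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), command)


def expand_tags(command, tags, max_passes=10):
    """Substitute until the command stops changing, so nested tags resolve."""
    for _ in range(max_passes):
        expanded = expand_once(command, tags)
        if expanded == command:
            return expanded
        command = expanded
    raise ValueError("tag expansion did not converge; cyclic tag definitions?")


def unexpanded_tags(command):
    """Names of <tag> references still present in a command."""
    return sorted(set(TAG.findall(command)))


def missing_tags(command, tags):
    """Tags that cannot be resolved from `tags` (empty list means fully expanded)."""
    return unexpanded_tags(expand_tags(command, tags))


def prepare_action(command, tags):
    """Fully expanded command, or ValueError naming the unresolved tags.
    A command like the one in Fabian's log would be rejected here rather
    than executed with a bogus '<table>' path."""
    missing = missing_tags(command, tags)
    if missing:
        raise ValueError("unexpanded tags: " + ", ".join(missing))
    return expand_tags(command, tags)


if __name__ == "__main__":
    print(prepare_action(ACTIONSTOP, TAGS))
    print(unexpanded_tags(expand_once(ACTIONSTOP, TAGS)))  # ['table'] after one pass
```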
From: Noel B. <noe...@au...> - 2014-05-04 03:21:09

Thanks Steve, will throw this on box tomorrow.

On 04/05/2014 06:18, Steven Hiscocks wrote:
> On 03/05/14 03:11, Noel Butler wrote:
>
>> Hi,
>> Just a quick question, should ignoreip in a specific jail, also include
>> the default ignoreip data? it seems to replace rather than add to, if this
>> is by design (that's fine) is there a variable to include the default? like
>> ignoreip = $ignoreip some.other.ip another.ip.addy ... and so on
>> if not, perhaps consider this a non urgent feature request?
>> thanks
>> Noel
>
> You can achieve this by creating something like:
>
> [DEFAULT]
> …
> default_ignoreip = 127.0.0.1/8
> ignoreip = %(default_ignoreip)s
> …
>
> [jail1]
> …
> ignoreip = %(default_ignoreip)s 192.168.1.0/24 1.2.3.4
> …
>
> [jail2]
> …
> ignoreip = %(default_ignoreip)s 10.11.12.0/24
> …
>
> Thanks ☺
From: Dave C. <fai...@da...> - 2014-05-03 20:24:25

Steven,

With that patch applied, I'm able to start fail2ban. Appears to be working so far.

Many thanks.

-Dave

On Sat, May 3, 2014, at 04:58 AM, Steven Hiscocks wrote:
> On 02/05/14 16:16, Dave Cohen wrote:
> > I've got fail2ban working well on one of my boxes and it's really helpful. I'm having trouble getting it running on a second Arch linux box. Here's what I see in the log:
> >
> > dave@apollo ~/Downloads % sudo tail /var/log/fail2ban.log
> > 2014-05-02 08:08:27,137 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' uses pyinotify
> > 2014-05-02 08:08:27,222 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> > 2014-05-02 08:08:27,230 fail2ban.server.jail[5500]: INFO Initiated 'pyinotify' backend
> > 2014-05-02 08:08:27,358 fail2ban.server.filter[5500]: INFO Set findtime = 600
> > 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> > 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set maxRetry = 5
> > 2014-05-02 08:08:27,360 fail2ban.server.actions[5500]: INFO Set banTime = 600
> > 2014-05-02 08:08:27,491 fail2ban.server.filter[5500]: INFO Added logfile = /var/log/httpd/error_log
> > 2014-05-02 08:08:27,637 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' started
> > 2014-05-02 08:08:27,637 fail2ban.server.actions[5500]: ERROR Failed to start jail 'apache-auth' action 'iptables-multiport': [Errno 22] Invalid argument
> >
> >
> > That last line, I get the same error no matter what jail(s) I enable. None of them are working.
> >
> > Searching the web has not helped me track this down. I found this thread (https://github.com/fail2ban/fail2ban/issues/687) but don't understand it.
> >
> > Any help would be appreciated. Thanks. -Dave
> >
> Dave,
>
> A work around fix for Python 3.4.0 is proposed at:
> https://github.com/fail2ban/fail2ban/pull/714
>
> If you could give the patch a try and provide feedback to confirm all is
> working okay, that would be great:
> https://github.com/kwirk/fail2ban/commit/cf3a6015f09b39cd668f1f202b695ea23c52fcb8.patch
>
> If all works well, I'll contact Arch Linux Fail2Ban maintainer to get
> this patch included. Does anyone know of any other distros shipping
> Fail2Ban 0.9 and Python 3.4.0 as standard?
>
> Thanks ☺
>
> --
> Steven Hiscocks
From: Steven H. <ste...@hi...> - 2014-05-03 20:18:12

On 03/05/14 03:11, Noel Butler wrote:
> Hi,
>
> Just a quick question, should ignoreip in a specific jail, also include
> the default ignoreip data?
>
> it seems to replace rather than add to, if this is by design (that's
> fine) is there a variable to include the default? like
>
> ignoreip = $ignoreip some.other.ip another.ip.addy ... and so on
>
> if not, perhaps consider this a non urgent feature request?
>
> thanks
>
> Noel

You can achieve this by creating something like:

[DEFAULT]
…
default_ignoreip = 127.0.0.1/8
ignoreip = %(default_ignoreip)s
…

[jail1]
…
ignoreip = %(default_ignoreip)s 192.168.1.0/24 1.2.3.4
…

[jail2]
…
ignoreip = %(default_ignoreip)s 10.11.12.0/24
…

Thanks ☺

--
Steven Hiscocks
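Steven's trick works because the jail files use `%(name)s` interpolation with `[DEFAULT]` inheritance, the same rules Python's configparser implements. The following added example (not from the thread, not fail2ban's code) resolves the effective ignoreip of every jail from a jail.local written that way, including a jail that sets none of its own, and tests an address against it.

```python
"""Resolve per-jail ignoreip after %(default_ignoreip)s interpolation."""
import configparser
import ipaddress

# Constructed jail.local in the shape of Steven's reply, plus jail3, which
# sets no ignoreip of its own and therefore inherits the [DEFAULT] value.
JAIL_LOCAL = """\
[DEFAULT]
default_ignoreip = 127.0.0.1/8
ignoreip = %(default_ignoreip)s

[jail1]
ignoreip = %(default_ignoreip)s 192.168.1.0/24 1.2.3.4

[jail2]
ignoreip = %(default_ignoreip)s 10.11.12.0/24

[jail3]
enabled = true
"""


def effective_ignoreip(text):
    """Jail name -> list of ignored addresses/networks after interpolation."""
    cp = configparser.ConfigParser()  # BasicInterpolation handles %(name)s
    cp.read_string(text)
    return {jail: cp.get(jail, "ignoreip").split() for jail in cp.sections()}


def is_ignored(ignore_list, ip):
    """True if `ip` falls inside any entry of `ignore_list` (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignore_list)


if __name__ == "__main__":
    for jail, entries in effective_ignoreip(JAIL_LOCAL).items():
        print(jail, entries, "ignores 192.168.1.77:", is_ignored(entries, "192.168.1.77"))
```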
From: Steven H. <ste...@hi...> - 2014-05-03 20:11:26

On 03/05/14 19:33, Mark Costlow wrote:
> Hello. I have a couple of questions about the regexes in the
> sendmail filter shown here: http://www.fail2ban.org/wiki/index.php/Sendmail

I'm not familiar with sendmail, but I believe some of these regexs may be susceptible to denial of service e.g. email address `"[192.168.1.1] to MTA"@example.com` is a valid email address which will match!

> I'm specifically concerned with the User unknown portion:
>
> (User unknown)\n* \[<HOST>\]
>
> 1. How does the newline work in this context? Does fail2ban
> separately parse the next line and eat the timestamp, so that
> " \[<HOST>\]" becomes like another failregex to match against the
> next line? i.e. is " \[<HOST>\]" anchored to the beginning of that
> next line, or can it be anywhere? If the latter, why does it not
> need a ".*" to eat the intervening text?

I think you're right that this does indeed need a .* to properly capture the line. However I'm unfamiliar with sendmail so I may be wrong. As with single line regexs, all timestamps are stripped out for multi line. Also, the correct way to handle regexs over multiple lines (where you do not know if they are indeed one after another) is to use `<SKIPLINES>` option. This will allow non matched lines between matching lines to be kept and not lost. See jail.conf(5) man page

> 2. On a busy mail server, the "related" line which would have the
> IP address on it might not immediately follow the "User unknown"
> line. You can tie them together by QID, but they're not adjacent.
> Does the above regex work in that environment?

You should be able to tie them together with a common element to the line. This generally can be done with (?P<name>...) and (?P=name) regexs. See: https://docs.python.org/2/library/re.html
Also see example for sshd filter, which uses the fact that the line prefix is the same (as the line prefix contains the PID, which should be different for each connection for sshd).

> It occurred to me fail2ban might be doing some magic to concatenate
> log lines with the same QID but I couldn't find any evidence of that.

I wish there was some magic in Fail2Ban ;-)

> Thanks in advance,
>
> Mark

Also note that the latest filter has a multiline regex for invalid user, but it does seem different to the one on the wiki. Might be worth checking out as it may already have a regex for you:
https://github.com/fail2ban/fail2ban/blob/50d938e0bf12ef981ceb7860c99f5c30ba304d4d/config/filter.d/sendmail-reject.conf

If you do find a new filter for sendmail, please share it here or on github, and we can add it to upstream so everyone can benefit. If you're not sure about building the regex, any example log lines you have not already in the Fail2Ban tests would also be great. see:
https://github.com/fail2ban/fail2ban/tree/master/fail2ban/tests/files/logs

Thanks ☺

--
Steven Hiscocks
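Steven's two points (tie the lines by queue ID with `(?P<name>...)`/`(?P=name)` and let `<SKIPLINES>` absorb unrelated lines in between; take the host from something the sender cannot control) can be seen on a small buffer. The following is an added example, not code from the thread or from fail2ban: the log lines are constructed and their layout is an assumption (real sendmail lines differ in detail), and `SKIPLINES` below is our stand-in for fail2ban's tag, not its implementation.

```python
"""Pair a "User unknown" line with the later line carrying the client address,
keyed on the sendmail queue ID, with other queue IDs interleaved."""
import re

# Constructed sample: two queue IDs interleave, as on a busy server. The from=
# address on the fourth line deliberately carries a bracketed IP inside quotes,
# the valid-but-misleading address shape Steven points out.
LOG = """\
May  3 10:00:01 mx sm-mta[1001]: s43A01xx001001: from=<a@example.org>, size=512, relay=host1.example.org [192.0.2.10]
May  3 10:00:01 mx sm-mta[1002]: s43A01yy001002: to=<nobody@example.com>, dsn=5.1.1, stat=User unknown
May  3 10:00:02 mx sm-mta[1001]: s43A01xx001001: to=<ok@example.com>, dsn=2.0.0, stat=Sent
May  3 10:00:02 mx sm-mta[1002]: s43A01yy001002: from=<"[192.0.2.99] to MTA"@example.net>, size=0, relay=[203.0.113.5]
May  3 10:00:03 mx sm-mta[1003]: s43A01zz001003: to=<ghost@example.com>, dsn=5.1.1, stat=User unknown
"""

# fail2ban strips the timestamp before matching; this is the prefix of the
# constructed lines above.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Any number of whole lines that need not match, lazily, so the nearest
# line with the same queue ID wins.
SKIPLINES = r"(?:.*\n)*?"

# First line: anchored at line start, captures the queue ID as <qid>.
FIRST_LINE = r"^\S+ sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): .*stat=User unknown$\n"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Second line must carry the same queue ID; the host is taken only from the
# relay= field, which the connecting client, not the envelope sender, determines.
STRICT = re.compile(
    FIRST_LINE + SKIPLINES
    + r"^\S+ sm-mta\[\d+\]: (?P=qid): .*relay=\S* ?\[(?P<host>" + IPV4 + r")\]",
    re.MULTILINE,
)

# Same pairing, but the host is the first [a.b.c.d] anywhere on the line, like
# a "\[<HOST>\]" that may sit anywhere: sender-supplied text can then be
# mistaken for the host and an unrelated address gets banned.
LOOSE = re.compile(
    FIRST_LINE + SKIPLINES
    + r"^\S+ sm-mta\[\d+\]: (?P=qid): .*?\[(?P<host>" + IPV4 + r")\]",
    re.MULTILINE,
)


def strip_timestamps(log):
    """One buffer with timestamps removed, one newline-terminated line each."""
    return "".join(TIMESTAMP.sub("", line) + "\n" for line in log.splitlines())


def find_failures(log, regex=STRICT):
    """[(qid, host)] for every User-unknown line that could be tied to a host.
    A User-unknown line with no later same-qid host line (queue zz) yields nothing."""
    buffer = strip_timestamps(log)
    return [(m.group("qid"), m.group("host")) for m in regex.finditer(buffer)]


if __name__ == "__main__":
    print(find_failures(LOG))         # [('s43A01yy001002', '203.0.113.5')]
    print(find_failures(LOG, LOOSE))  # [('s43A01yy001002', '192.0.2.99')]  wrong host
```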
From: Mark C. <ch...@sw...> - 2014-05-03 18:34:04

Hello. I have a couple of questions about the regexes in the sendmail filter shown here: http://www.fail2ban.org/wiki/index.php/Sendmail

I'm specifically concerned with the User unknown portion:

(User unknown)\n* \[<HOST>\]

1. How does the newline work in this context? Does fail2ban separately parse the next line and eat the timestamp, so that " \[<HOST>\]" becomes like another failregex to match against the next line? i.e. is " \[<HOST>\]" anchored to the beginning of that next line, or can it be anywhere? If the latter, why does it not need a ".*" to eat the intervening text?

2. On a busy mail server, the "related" line which would have the IP address on it might not immediately follow the "User unknown" line. You can tie them together by QID, but they're not adjacent. Does the above regex work in that environment?

It occurred to me fail2ban might be doing some magic to concatenate log lines with the same QID but I couldn't find any evidence of that.

Thanks in advance,

Mark

--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
ch...@sw... | Web: www.swcp.com | Voice: +1-505-232-7992
Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download or in the App Store
From: Steven H. <ste...@hi...> - 2014-05-03 11:58:45

On 02/05/14 16:16, Dave Cohen wrote:
> I've got fail2ban working well on one of my boxes and it's really helpful. I'm having trouble getting it running on a second Arch linux box. Here's what I see in the log:
>
> dave@apollo ~/Downloads % sudo tail /var/log/fail2ban.log
> 2014-05-02 08:08:27,137 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' uses pyinotify
> 2014-05-02 08:08:27,222 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> 2014-05-02 08:08:27,230 fail2ban.server.jail[5500]: INFO Initiated 'pyinotify' backend
> 2014-05-02 08:08:27,358 fail2ban.server.filter[5500]: INFO Set findtime = 600
> 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set maxRetry = 5
> 2014-05-02 08:08:27,360 fail2ban.server.actions[5500]: INFO Set banTime = 600
> 2014-05-02 08:08:27,491 fail2ban.server.filter[5500]: INFO Added logfile = /var/log/httpd/error_log
> 2014-05-02 08:08:27,637 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' started
> 2014-05-02 08:08:27,637 fail2ban.server.actions[5500]: ERROR Failed to start jail 'apache-auth' action 'iptables-multiport': [Errno 22] Invalid argument
>
> That last line, I get the same error no matter what jail(s) I enable. None of them are working.
>
> Searching the web has not helped me track this down. I found this thread (https://github.com/fail2ban/fail2ban/issues/687) but don't understand it.
>
> Any help would be appreciated. Thanks. -Dave
>

Dave,

A workaround fix for Python 3.4.0 is proposed at:
https://github.com/fail2ban/fail2ban/pull/714

If you could give the patch a try and provide feedback to confirm all is working okay, that would be great:
https://github.com/kwirk/fail2ban/commit/cf3a6015f09b39cd668f1f202b695ea23c52fcb8.patch

If all works well, I'll contact the Arch Linux Fail2Ban maintainer to get this patch included.

Does anyone know of any other distros shipping Fail2Ban 0.9 and Python 3.4.0 as standard?

Thanks ☺

--
Steven Hiscocks
From: YUSUF C. <yu...@an...> - 2014-05-03 07:44:13

Hello,

What is the Python version for the first and second box? Is SELINUX enabled for the first and second box?

On 2.05.2014 18:16, "Dave Cohen" <fai...@da...> wrote:
> I've got fail2ban working well on one of my boxes and it's really helpful. I'm having trouble getting it running on a second Arch linux box. Here's what I see in the log:
>
> dave@apollo ~/Downloads % sudo tail /var/log/fail2ban.log
>
> 2014-05-02 08:08:27,137 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' uses pyinotify
> 2014-05-02 08:08:27,222 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> 2014-05-02 08:08:27,230 fail2ban.server.jail[5500]: INFO Initiated 'pyinotify' backend
> 2014-05-02 08:08:27,358 fail2ban.server.filter[5500]: INFO Set findtime = 600
> 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
> 2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set maxRetry = 5
> 2014-05-02 08:08:27,360 fail2ban.server.actions[5500]: INFO Set banTime = 600
> 2014-05-02 08:08:27,491 fail2ban.server.filter[5500]: INFO Added logfile = /var/log/httpd/error_log
> 2014-05-02 08:08:27,637 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' started
> 2014-05-02 08:08:27,637 fail2ban.server.actions[5500]: ERROR Failed to start jail 'apache-auth' action 'iptables-multiport': [Errno 22] Invalid argument
>
> That last line, I get the same error no matter what jail(s) I enable. None of them are working.
>
> Searching the web has not helped me track this down. I found this thread (https://github.com/fail2ban/fail2ban/issues/687) but don't understand it.
>
> Any help would be appreciated. Thanks. -Dave
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos. Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Noel B. <noe...@au...> - 2014-05-03 02:28:42

Hi,

Just a quick question: should ignoreip in a specific jail also include the default ignoreip data? It seems to replace rather than add to. If this is by design (that's fine), is there a variable to include the default? Like

ignoreip = $ignoreip some.other.ip another.ip.addy ... and so on

If not, perhaps consider this a non-urgent feature request?

thanks
Noel
From: Dave C. <fai...@da...> - 2014-05-02 15:16:55

I've got fail2ban working well on one of my boxes and it's really helpful. I'm having trouble getting it running on a second Arch linux box. Here's what I see in the log:

dave@apollo ~/Downloads % sudo tail /var/log/fail2ban.log
2014-05-02 08:08:27,137 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' uses pyinotify
2014-05-02 08:08:27,222 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
2014-05-02 08:08:27,230 fail2ban.server.jail[5500]: INFO Initiated 'pyinotify' backend
2014-05-02 08:08:27,358 fail2ban.server.filter[5500]: INFO Set findtime = 600
2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set jail log file encoding to UTF-8
2014-05-02 08:08:27,359 fail2ban.server.filter[5500]: INFO Set maxRetry = 5
2014-05-02 08:08:27,360 fail2ban.server.actions[5500]: INFO Set banTime = 600
2014-05-02 08:08:27,491 fail2ban.server.filter[5500]: INFO Added logfile = /var/log/httpd/error_log
2014-05-02 08:08:27,637 fail2ban.server.jail[5500]: INFO Jail 'apache-auth' started
2014-05-02 08:08:27,637 fail2ban.server.actions[5500]: ERROR Failed to start jail 'apache-auth' action 'iptables-multiport': [Errno 22] Invalid argument

That last line, I get the same error no matter what jail(s) I enable. None of them are working.

Searching the web has not helped me track this down. I found this thread (https://github.com/fail2ban/fail2ban/issues/687) but don't understand it.

Any help would be appreciated. Thanks. -Dave
From: YUSUF C. <yu...@an...> - 2014-05-02 10:49:39

Hi Dr. Mike and Amir,

Finally I used only this regex, and it worked for me.

*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: no such user found from .*$

Thank you.

On 1.05.2014 17:39, "Dr. Mike Wendell" <the...@gm...> wrote:
> Greets:
>
> I royally suck at regex and I've really never dug into the scripting for fail2ban but why not just block on "no such user found from"? After 5 or 6 of those tries, you would think they should be blocked anyway....
>
> I'm assuming you are running a proftpd server on your box, right? If not, I'd just be blocking on that.
>
> Regards,
> -drmike
>
> On Wed, Apr 30, 2014 at 8:08 AM, YUSUF CAKIR <yu...@an...> wrote:
>> Hello to All Fail2ban Users ;
>>
>> I am new on Fail2Ban and also I'm new on Regex.
>> I want to block brute force attacks to PROFTPD on my Centos server.
>> I have got secure log file in \var\log\secure.
>>
>> Now, I need REGEX expression.
>>
>> I tried this, but nothing happened :
>> USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>>
>> My log file content like this :
>>
>> Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>
>> Thank you for your response.
>> Have a nice day …
>>
>
From: Amir C. <ce...@3p...> - 2014-05-02 01:55:28

I am on CentOS 5.10 with proftpd 1.3.4a; my proftpd.conf looks like this:

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+\s*$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s*$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s*$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded, connection refused\s*$

I have no idea why yours may not be working, but mine certainly does... perhaps give the above a try, if you are running the same (or similar) versions.

Good luck.

---
Amir

On Apr 30, 2014, at 6:08 AM, YUSUF CAKIR <yu...@an...> wrote:
> Hello to All Fail2ban Users ;
>
> I am new on Fail2Ban and also I'm new on Regex.
> I want to block brute force attacks to PROFTPD on my Centos server.
> I have got secure log file in \var\log\secure.
>
> Now, I need REGEX expression.
>
> I tried this, but nothing happened :
> USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>
> My log file content like this :
>
> Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>
> Thank you for your response.
> Have a nice day …
>
From: Dr. M. W. <the...@gm...> - 2014-05-01 14:39:25

Greets:

I royally suck at regex and I've really never dug into the scripting for fail2ban but why not just block on "no such user found from"? After 5 or 6 of those tries, you would think they should be blocked anyway....

I'm assuming you are running a proftpd server on your box, right? If not, I'd just be blocking on that.

Regards,
-drmike

On Wed, Apr 30, 2014 at 8:08 AM, YUSUF CAKIR <yu...@an...> wrote:
> Hello to All Fail2ban Users ;
>
> I am new on Fail2Ban and also I'm new on Regex.
> I want to block brute force attacks to PROFTPD on my Centos server.
> I have got secure log file in \var\log\secure.
>
> Now, I need REGEX expression.
>
> I tried this, but nothing happened :
> USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>
> My log file content like this :
>
> Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
> Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>
> Thank you for your response.
> Have a nice day …
>
From: YUSUF C. <yu...@an...> - 2014-04-30 12:35:52

Hello to All Fail2ban Users ;

I am new on Fail2Ban and also I'm new on Regex.
I want to block brute force attacks to PROFTPD on my Centos server.
I have got secure log file in \var\log\secure.

Now, I need REGEX expression.

I tried this, but nothing happened :

USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

My log file content like this :

Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER te...@te...: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21

Thank you for your response.
Have a nice day
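Added example, not code from the thread or from fail2ban itself: a small stand-in for fail2ban-regex that checks a proftpd failregex against log lines the way a jail would see them. It expands <HOST> with the pattern fail2ban's 0.8/0.9 series used, strips the syslog timestamp, runs the first pattern from Amir's message above, and then applies maxretry/findtime counting (the 5 and 600 defaults visible in Dave's fail2ban.log earlier in the thread) to decide which source would be banned. The log lines, addresses, usernames and PIDs are constructed to match the thread's format; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real traffic.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

# <HOST> expansion as used by the fail2ban 0.8/0.9 series: an optional
# IPv4-mapped "::ffff:" prefix, then the address or hostname captured as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The first proftpd failregex Amir posted in this thread, verbatim.
FAILREGEX = (r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from "
             r"\S+ \[\S+\] to \S+:\S+\s*$")

# Syslog prefix; fail2ban removes the timestamp before trying the failregex.
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample in the same proftpd format as the thread's excerpt.
# Host .7 fails five times in seconds; host .9 fails twice, 11 minutes apart,
# and finally logs in successfully (a line the failregex must not match).
_FAIL = ("{t} server proftpd[{pid}]: 203.0.113.5 ({h}[{h}]) - USER {u}: "
         "no such user found from {h} [{h}] to 203.0.113.5:21")
SAMPLE_LOG = [
    _FAIL.format(t="Apr 27 11:38:26", pid=28668, h="198.51.100.7", u="test@example.com"),
    _FAIL.format(t="Apr 27 11:38:27", pid=28688, h="198.51.100.7", u="test@example.com"),
    _FAIL.format(t="Apr 27 11:38:28", pid=28696, h="198.51.100.7", u="ftpuser"),
    _FAIL.format(t="Apr 27 11:38:29", pid=28701, h="198.51.100.9", u="guest"),
    _FAIL.format(t="Apr 27 11:38:31", pid=28708, h="198.51.100.7", u="upload"),
    _FAIL.format(t="Apr 27 11:38:32", pid=28722, h="198.51.100.7", u="test@example.com"),
    _FAIL.format(t="Apr 27 11:50:00", pid=28900, h="198.51.100.9", u="guest"),
    "Apr 27 11:50:05 server proftpd[28903]: 203.0.113.5 (198.51.100.9[198.51.100.9])"
    " - USER alice: Login successful.",
]


def compile_failregex(regex, host=HOST):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(regex.replace("<HOST>", host))


def match_line(line, rx, year=2014):
    """Return (epoch seconds, host) when the line is a failure, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None                      # no timestamp: fail2ban ignores the line
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    hit = rx.search(line[m.end():])      # failregex runs on the remainder only
    return (calendar.timegm(ts.timetuple()), hit.group("host")) if hit else None


def bans(lines, regex=FAILREGEX, maxretry=5, findtime=600):
    """Replay lines through a jail's counting logic; return banned hosts in order."""
    rx = compile_failregex(regex)
    recent = defaultdict(deque)          # host -> failure times inside findtime
    banned = []
    for line in lines:
        hit = match_line(line, rx)
        if hit is None:
            continue
        ts, host = hit
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:      # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", bans(SAMPLE_LOG))   # ['198.51.100.7']
```

Swap in your own failregex and a slice of /var/log/secure to see whether the pattern matches at all, which host it extracts, and whether the jail's window would actually trigger.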
From: P.V.Anthony <pva...@si...> - 2014-04-30 09:24:39

On 04/30/2014 05:10 PM, Daniel Black wrote:
> On 30/04/14 02:46, P.V.Anthony wrote:
>> Hi,
>>
>> I am new to fail2ban so please bear with me.
>>
>> The dovecot server is behind an NAT. In the logs, the ip that is reported is the ip of our router (10.0.0.1). So it will be very hard for fail2ban to work correctly because all logins are showing 10.0.0.1.
>>
>> I am suspecting that this is the problem of the router.
>
> yes
>
>> Is this normal behavior?
>
> it's reasonably common.
>
>> Any recommendation of routers that will pass the correct ip address of the people trying to login?
>
> looks like from the port forwarding wikipedia page any linux based router that used DNAT.
>
>> Or is there something I can configure in the CentOS server to show the correct ip address so that I can use fail2ban?
>
> No.

Thank you very much for replying. Your reply has saved me much time and effort. I can start looking for a linux based router.

I am really happy and grateful for the sharing of information. Thank you again.

P.V.Anthony