My fail2ban-regex run shows 46 matches and my maxretry is set to 7, but I am getting an alert for every match (46 alerts), whereas it should alert me after 7 matches from the same HOST.
Please correct me if I have configured something wrongly.
My filter and jail.local are attached as well.
cat /etc/fail2ban/jail.local
[jira-login]
enabled = true
filter = jira-login
action = sendmail-whois-lines[name=JIRA, dest=sunilpxxx@gmail.com, sender=fail2ban@productionJIRA.xxx.com, logpath=/var/log/fail2ban.log]
logpath = /opt/fail2ban/jira/logger/security_log_fail2ban.log
maxretry = 7
bantime = 10
findtime = 600
cat /etc/fail2ban/filter.d/jira-login.conf
[Definition]
failregex = <HOST> /login.jsp login
ignoreregex =
Sample Logs : /opt/fail2ban/jira/logger/security_log_fail2ban.log
2014-03-19 00:38:54,654 http-bio-8443-exec-90 anonymous 38x1346454x1 - xx.xx.120.63 / HttpSession created [1cz5xtw]
2014-03-19 00:39:36,386 http-bio-8443-exec-15 anonymous 39x1346546x1 1cz5xtw xx.xx.120.63 /login.jsp login : 'andrew.v.tischenko@test.com' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-19 00:39:49,277 http-bio-8443-exec-43 anonymous 39x1346616x1 1cz5xtw xx.xx.120.63 /login.jsp login : 'andrew.v.tischenko@test.com' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-19 00:44:15,225 http-bio-8443-exec-110 anonymous 44x1347077x1 1cz5xtw xx.xx.120.63 /login.jsp login : 'avtische' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-19 00:44:15,250 http-bio-8443-exec-110 anonymous 44x1347077x1 1cz5xtw xx.xx.120.63 /login.jsp The user 'avtische' has FAILED authentication. Failure count equals 1
2014-03-19 00:45:05,398 http-bio-8443-exec-66 anonymous 45x1347280x1 1cz5xtw xx.xx.120.63 /login.jsp login : 'andrew.v.tischenko@test.com' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-19 00:45:35,774 http-bio-8443-exec-60 anonymous 45x1347300x1 1cz5xtw xx.xx.120.63 /login.jsp login : 'andrew.v.tischenko@test.com' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-03-19 00:49:28,102 http-bio-8443-exec-20 anonymous 49x1348049x2 1cz5xtw xx.xx.120.63 /login.jsp HttpSession [1cz5xtw] destroyed for 'anonymous'
2014-03-19 00:49:28,102 http-bio-8443-exec-20 anonymous 49x1348049x2 1cz5xtw xx.xx.120.63 /login.jsp HttpSession created [1id3hx3]
2014-03-19 00:49:28,125 http-bio-8443-exec-20 avtische 49x1348049x2 1cz5xtw xx.xx.120.63 /login.jsp The user 'avtische' has PASSED authentication.
Use failregex file : /etc/fail2ban/filter.d/jira-login.conf
Use log file : /opt/fail2ban/jira/logger/security_log_fail2ban.log
Failregex: 46 total
|- #) [# of hits] regular expression
| 1) [46] <HOST> /login.jsp login
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [117915] Year-Month-Day Hour:Minute:Second[,subsecond]
`-
Lines: 117915 lines, 0 ignored, 46 matched, 117869 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 117869 lines
Correction: my filter has <HOST> as well.
failregex = <HOST> /login.jsp login
The filter has <HOST> as well; it is getting auto-deleted in your system.
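An added example, not part of the original post and not fail2ban's own code: a simplified model of the per-host counting that maxretry = 7 and findtime = 600 describe, useful for checking how often a threshold should be reached for a given log. The IPv4-only stand-in for <HOST>, the function names, the counter reset after a hit and the log lines (documentation addresses) are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 7     # maxretry from the jail.local above
FINDTIME = 600   # findtime from the jail.local above, in seconds
FMT = "%Y-%m-%d %H:%M:%S"

# The page's failregex with <HOST> swapped for an IPv4-only group (assumption:
# a stand-in for fail2ban's own, broader <HOST> expansion).
FAILREGEX = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) /login\.jsp login")

def threshold_events(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (timestamp, host) each time one host reaches maxretry matches
    inside a sliding findtime window. Lines must be in time order."""
    recent = defaultdict(deque)          # host -> timestamps still in the window
    events = []
    for line in lines:
        match = FAILREGEX.search(line)
        if not match:
            continue
        stamp = datetime.strptime(line[:23], FMT + ",%f")
        window = recent[match.group("host")]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > findtime:
            window.popleft()             # too old to count any more
        if len(window) >= maxretry:
            events.append((stamp, match.group("host")))
            window.clear()               # modelling assumption: count restarts
    return events

def constructed_lines(host, offsets, tail="login : 'user' tried to login"):
    """Build constructed log lines in the page's format (not real log data)."""
    start = datetime(2014, 3, 19, 0, 0, 0)
    return [
        f"{(start + timedelta(seconds=s)).strftime(FMT)},000 "
        f"http-bio-8443-exec-1 anonymous 1x1x1 abc123 {host} /login.jsp {tail}"
        for s in offsets
    ]

# Constructed sample: 203.0.113.10 fails 8 times in 140 s; 198.51.100.7 fails
# 7 times spread over 900 s; one line that the failregex does not match.
SAMPLE = sorted(
    constructed_lines("203.0.113.10", range(0, 160, 20))
    + constructed_lines("198.51.100.7", range(0, 1050, 150))
    + constructed_lines("203.0.113.10", [5], tail="The user 'user' has FAILED authentication.")
)

if __name__ == "__main__":
    for stamp, host in threshold_events(SAMPLE):
        print(stamp, host)
```

Under this model the second host never reaches the threshold even though it has 7 matches, because no 600-second window contains all of them.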