From: Nick H. <ni...@ho...> - 2024-03-05 11:09:52
Why not just enable the nginx-http-auth config in jail.conf (using a jail.local, preferably)?

On 05/03/2024 09:57, Jason Long via Fail2ban-users wrote:
> Hello,
> GitLab uses Nginx and PostgreSQL internally. I want to protect Nginx with Fail2Ban. The GitLab log directory contains the following files:
>
> # ls /var/log/gitlab/nginx/
> access.log config current error.log gitlab_access.log gitlab_access.log.1.gz gitlab_error.log lock
>
> Is the following Fail2Ban configuration OK?
>
> [nginx-http-auth]
> enabled = true
> port = http,https
> logpath = /var/log/gitlab/nginx/*error.log
> findtime = 600
> bantime = 7200
> maxretry = 3
>
> Thank you.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Jason L. <hac...@ya...> - 2024-03-05 09:58:06
Hello,

GitLab uses Nginx and PostgreSQL internally. I want to protect Nginx with Fail2Ban. The GitLab log directory contains the following files:

# ls /var/log/gitlab/nginx/
access.log config current error.log gitlab_access.log gitlab_access.log.1.gz gitlab_error.log lock

Is the following Fail2Ban configuration OK?

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/gitlab/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 3

Thank you.
From: James M. <moe...@sm...> - 2024-02-18 17:27:53
fail2ban 1.1.0.1

"fail2ban-client status <jail>" outputs this (less the banned list):

Status for the jail: assp-1
|- Filter
|  |- Currently failed: 49
|  |- Total failed:     59
|  `- File list:        /usr/local/bin/assp2/logs/maillog.txt
`- Actions
   |- Currently banned: 1557
   |- Total banned:     1558

AIUI the "Total" values are whatever has happened since the program started. I do not understand the "Currently" values. It shows a difference of 10 for "failed." Yet there is only a difference of 1 for "banned." What does the "Currently" value indicate?

--
James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think.
From: James M. <ji...@so...> - 2024-02-14 19:18:46
On 2024-02-14 09:06, 高井 進吾 via Fail2ban-users wrote: > The number of log files monitored based on the conditions listed in the > jail was 7200. > However, when I executed the following command on the server, counted > the files monitored by inotify, and extracted the Fail2ban process from > among them, the number of files was 8160. > Did you allow for duplicate entries? -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 Think. |
From: Arturo 'B. B. <bu...@bu...> - 2024-02-14 19:01:49
Wow. Sounds like a massive hosting. You might be better off creating either more servers or not concentrating log analysis that way. Regarding your specific query, I would claim the jail condition and the commands you use are naturally different.

On Wed, Feb 14, 2024, 13:30 高井 進吾 via Fail2ban-users <fai...@li...> wrote:
> Hi,
>
> I use Fail2ban to monitor logs for many domains.
> The number of log files monitored based on the conditions listed in the jail was 7200.
> However, when I executed the following command on the server, counted the files monitored by inotify, and extracted the Fail2ban process from among them, the number of files was 8160.
>
> find /proc/*/fd -lname anon_inode:inotify -printf '%hinfo/%f\n' 2>/dev/null | xargs grep -c '^inotify' | sort -n -t: -k2 -r
>
> What does this difference represent?
>
> Shingo Takai
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: 高井 進吾 <s-...@bi...> - 2024-02-14 16:22:47
Hi,

I use Fail2ban to monitor logs for many domains. The number of log files monitored based on the conditions listed in the jail was 7200. However, when I executed the following command on the server, counted the files monitored by inotify, and extracted the Fail2ban process from among them, the number of files was 8160.

find /proc/*/fd -lname anon_inode:inotify -printf '%hinfo/%f\n' 2>/dev/null | xargs grep -c '^inotify' | sort -n -t: -k2 -r

What does this difference represent?

Shingo Takai
From: Mike <t3...@ro...> - 2024-02-11 16:51:38
>On 2/10/2024 3:38 PM, Arturo 'Buanzo' Busleiman wrote:
>>you most certainly can do this by defining a set of custom actions
>>for ban/unban, etc.
>>check the other actions that fail2ban has included for examples
>
>This is good to know. I'm surprised that somebody hasn't
>already done this for the common small business firewalls
>(e.g. Netgear, TP-Link, etc.).

Another good complement to fail2ban is an open source project called "login-shield": https://github.com/dpsystems/login-shield
From: Jon F. <no...@gm...> - 2024-02-11 00:13:36
On 2/10/2024 3:38 PM, Arturo 'Buanzo' Busleiman wrote: > you most certainly can do this by defining a set of custom actions for > ban/unban, etc. > > check the other actions that fail2ban has included for examples This is good to know. I'm surprised that somebody hasn't already done this for the common small business firewalls (e.g. Netgear, TP-Link, etc.). Thanks, Jon |
From: Arturo 'B. B. <bu...@bu...> - 2024-02-11 00:08:49
you most certainly can do this by defining a set of custom actions for ban/unban, etc.

check the other actions that fail2ban has included for examples

On Sat, Feb 10, 2024, 20:31 Jon Forrest <no...@gm...> wrote:
>
> On 2/10/2024 3:24 PM, Patrick Shanahan wrote:
> > * Jon Forrest <no...@gm...> [02-10-24 18:19]:
> >> Let's say fail2ban is working perfectly on my server. But, after some thought, I decide that what I'd like fail2ban to do instead of running iptables commands on the server would be to send equivalent commands to my network firewall using ssh to the firewall's cli interface.
> >>
> >> Ideally there would be some way of specifying what the commands are for my brand of firewall.
> >>
> >> Is this possible?
> >
> > your firewall is not using iptables or equivalent?
>
> Let's assume it isn't running iptables. Instead it's running something else that has cli commands that could do what's necessary.
>
> Jon
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
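A minimal custom action of the kind Arturo describes, written here as an added example (it is not from the thread and not one of the fail2ban project's shipped actions). It assumes a hypothetical firewall reachable over ssh whose CLI accepts a block and an unblock command; `fwhost`, `fwuser`, `sshkey`, `fw_ban_cmd` and `fw_unban_cmd` are placeholders to be replaced with the real host, a restricted account and the vendor's actual syntax. `<ip>` is the tag fail2ban fills in with the address being banned.

```ini
# /etc/fail2ban/action.d/remote-firewall.conf  (added example; hypothetical firewall CLI)
[Definition]
# Nothing to prepare on the firewall when the jail starts or stops.
actionstart =
actionstop =
actioncheck =

# The ssh session must never prompt: a dedicated key plus BatchMode makes a
# missing key or a changed host key fail fast instead of hanging the action.
actionban   = ssh -o BatchMode=yes -o ConnectTimeout=10 -i <sshkey> <fwuser>@<fwhost> "<fw_ban_cmd> <ip>"
actionunban = ssh -o BatchMode=yes -o ConnectTimeout=10 -i <sshkey> <fwuser>@<fwhost> "<fw_unban_cmd> <ip>"

[Init]
# Placeholders (not real values): the firewall's management address, the
# account fail2ban logs in as, its key, and the vendor's block/unblock commands.
fwhost = firewall.example.internal
fwuser = fail2ban
sshkey = /etc/fail2ban/remote-firewall_ed25519
fw_ban_cmd = PLACEHOLDER-block-command
fw_unban_cmd = PLACEHOLDER-unblock-command

# A jail selects this action by file name, e.g. in jail.local:
#   [sshd]
#   enabled = true
#   action = remote-firewall
```

On the firewall side the account used here should be limited to exactly those two commands (a forced command or restricted shell on the key, where the vendor supports it), so that a compromise of the fail2ban host cannot be turned into full firewall administration. A ban can be triggered by hand for testing with `fail2ban-client set <jail> banip <ip>`, and the jail's log shows the action's exit status when the ssh command fails.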
From: Jon F. <no...@gm...> - 2024-02-10 23:26:38
On 2/10/2024 3:24 PM, Patrick Shanahan wrote:
> * Jon Forrest <no...@gm...> [02-10-24 18:19]:
>> Let's say fail2ban is working perfectly on my server. But, after some thought, I decide that what I'd like fail2ban to do instead of running iptables commands on the server would be to send equivalent commands to my network firewall using ssh to the firewall's cli interface.
>>
>> Ideally there would be some way of specifying what the commands are for my brand of firewall.
>>
>> Is this possible?
>
> your firewall is not using iptables or equivalent?

Let's assume it isn't running iptables. Instead it's running something else that has cli commands that could do what's necessary.

Jon
From: Patrick S. <pa...@op...> - 2024-02-10 23:25:02
* Jon Forrest <no...@gm...> [02-10-24 18:19]:
> Let's say fail2ban is working perfectly on my server. But, after some thought, I decide that what I'd like fail2ban to do instead of running iptables commands on the server would be to send equivalent commands to my network firewall using ssh to the firewall's cli interface.
>
> Ideally there would be some way of specifying what the commands are for my brand of firewall.
>
> Is this possible?

your firewall is not using iptables or equivalent?

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc
From: Jon F. <no...@gm...> - 2024-02-10 23:10:51
Let's say fail2ban is working perfectly on my server. But, after some thought, I decide that what I'd like fail2ban to do instead of running iptables commands on the server would be to send equivalent commands to my network firewall using ssh to the firewall's cli interface. Ideally there would be some way of specifying what the commands are for my brand of firewall. Is this possible? Cordially, Jon Forrest |
From: Greg S. <gr...@sl...> - 2024-01-11 18:41:30
It's pretty hard to find any detail on this, so thought I'd ask here. I've got a use case where I need to whitelist a netblock, so I've done that. However I'd like to at least keep track of how many failures I get from that netblock - so I'd like the failures to show up in F2B logs, but not do the banning for that netblock. (That way I can generate an alert if a bunch of failures occur, outside of ordinary norms.) But it doesn't look like that happens. (F2B seems to completely ignore any failures from anything listed in ignoreip) Any suggestions? |
From: George W. <ge...@gr...> - 2023-12-09 22:57:42
I may have answered my own question. This works (in the filter file):

backend = systemd
journalmatch = SYSLOG_FACILITY=2

The trick was replacing the facility name (mail) with its decimal number (2). This seems really poor to me. No one uses these numbers and I'm not convinced they are even immutable or constant across systems. Journalctl does support using facility names with the --facility= option as shown below, so there should be some way for fail2ban to use the facility name, rather than resorting to this.

If any of you know a better way, please let me know.

Cheers,
--George

On 12/9/23 3:30 PM, George Welch wrote:
> Howdy,
>
> I am developing a custom fail2ban filter for a daemon that logs to syslog. I am using Debian 12, so syslog is handled by systemd. If I dump a syslog facility to a file:
>
> # journalctl --facility=mail --output=short-full --no-tail >test.log
>
> and then test my filter with
>
> # fail2ban-regex test.log myfilter.conf
>
> Then it seems to work well. At least it seems to match the correct lines.
>
> But of course I don't want to dump the journal to a file. So how can I tell fail2ban to look into the syslog when it is handled by systemd? I know that if a daemon logs directly to systemd, then you can do this:
>
> backend = systemd
> journalmatch = _SYSTEMD_UNIT=mydaemon.service
>
> But this daemon logs to syslog, so that does not work.
>
> As a guess, I tried changing that to
>
> journalmatch = _SYSTEMD_FACILIY=mail
>
> but of course that was a bad guess.
>
> Can you tell me how to tell fail2ban which syslog facility to follow?
>
> Thanks,
>
> --George
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
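The reason the number works and the name does not is that the journal stores the facility as the numeric code from RFC 5424 in its SYSLOG_FACILITY field, and journalmatch compares field values literally. The following is an added example (not from the thread or from fail2ban) that derives the journalmatch value from a facility name and applies such a match to constructed records in the shape `journalctl -o json` prints, one JSON object per line with string-valued fields; the log messages and identifiers in them are made up.

```python
import json

# Syslog facility codes as defined in RFC 5424, section 6.2.1. The journal
# records this number, not the name, in SYSLOG_FACILITY.
SYSLOG_FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Constructed journal records (not real log output) in `journalctl -o json` form.
JOURNAL_JSON_LINES = [
    '{"SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"postfix/smtpd",'
    '"MESSAGE":"warning: unknown[203.0.113.9]: SASL LOGIN authentication failed"}',
    '{"SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"systemd",'
    '"MESSAGE":"Started Daily apt download activities."}',
    '{"SYSLOG_FACILITY":"2","SYSLOG_IDENTIFIER":"postfix/smtpd",'
    '"MESSAGE":"connect from mail.example.net[198.51.100.4]"}',
    '{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2"}',
]


def journalmatch_for_facility(name):
    """Return the journalmatch line value for a facility name, e.g. 'SYSLOG_FACILITY=2'."""
    if name not in SYSLOG_FACILITIES:
        raise ValueError(f"unknown syslog facility: {name!r}")
    return f"SYSLOG_FACILITY={SYSLOG_FACILITIES[name]}"


def select_by_journalmatch(json_lines, journalmatch):
    """Keep the records a single FIELD=VALUE journalmatch selects; return their MESSAGE text.

    The comparison is a literal string comparison, which is why 'SYSLOG_FACILITY=mail'
    selects nothing while 'SYSLOG_FACILITY=2' selects the mail-facility records.
    """
    field, sep, value = journalmatch.partition("=")
    if not sep:
        raise ValueError("journalmatch must have the form FIELD=VALUE")
    selected = []
    for line in json_lines:
        record = json.loads(line)
        if str(record.get(field)) == value:
            selected.append(record["MESSAGE"])
    return selected


if __name__ == "__main__":
    for name in ("mail", "auth"):
        match = journalmatch_for_facility(name)
        print(f"{name}: journalmatch = {match}")
        for message in select_by_journalmatch(JOURNAL_JSON_LINES, match):
            print("   ", message)
    print("by name:", select_by_journalmatch(JOURNAL_JSON_LINES, "SYSLOG_FACILITY=mail"))
```

On a live system the same records can be inspected with `journalctl --facility=mail -o json`, which shows the numeric SYSLOG_FACILITY value that the filter's journalmatch has to reproduce.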
From: George W. <ge...@gr...> - 2023-12-09 21:51:26
Howdy,

I am developing a custom fail2ban filter for a daemon that logs to syslog. I am using Debian 12, so syslog is handled by systemd. If I dump a syslog facility to a file:

# journalctl --facility=mail --output=short-full --no-tail >test.log

and then test my filter with

# fail2ban-regex test.log myfilter.conf

Then it seems to work well. At least it seems to match the correct lines.

But of course I don't want to dump the journal to a file. So how can I tell fail2ban to look into the syslog when it is handled by systemd? I know that if a daemon logs directly to systemd, then you can do this:

backend = systemd
journalmatch = _SYSTEMD_UNIT=mydaemon.service

But this daemon logs to syslog, so that does not work.

As a guess, I tried changing that to

journalmatch = _SYSTEMD_FACILIY=mail

but of course that was a bad guess.

Can you tell me how to tell fail2ban which syslog facility to follow?

Thanks,

--George
From: Arturo 'B. B. <bu...@bu...> - 2023-12-06 12:13:59
Hello team,

So, I have these kinds of lines on the zimbra 9 auth log:

Dec 5 15:43:30 mx20 mailbox-log 2023-12-02 11:13:20,110 INFO [qtp1059063940-46725701://localhost:8080/service/soap/BatchRequest] [name= xx...@xx...;oip=1.2.3.4, 5.6.7.8;ua=zclient/9.0.0_GA_4564;soapId=612ef133;] account - Error occurred during authentication: authentication failed for [cjq]. Reason: invalid password.

oip can have many IPs, but the first one (1.2.3.4 in example) is the valid one.

After many failed attempts, failures when trying to compile the regex when testing with fail2ban-regex. Finally, I tested this "maximum simplicity" one:

'oip=<HOST>[,;].*invalid password'

Any advice? Do I also need to create a dateformat? I don't think so considering the second date column, but....

Thanks!
Buanzo
From: Darac M. <mai...@da...> - 2023-11-15 14:20:46
On 13/11/2023 17:48, seb...@de... wrote:
> Good evening
>
> fail2ban's standard customizing assumes the existence of log files /var/log/mail.log or /var/log/access.log.
>
> With debian 12, these log files are no longer available in the standard customizing - everything runs via journalctl.

Note that, while this is strictly true (the /default/ is not to install a syslog daemon), such a default should not be interpreted by the Debian developers as a deprecation of the standard syslog protocol. From the Debian Release notes <https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#changes-to-system-logging>:

> The rsyslog package is no longer needed on most systems and you may be able to remove it.
>
> Many programs produce log messages to inform the user of what they are doing. These messages can be managed by systemd's “journal” or by a “syslog daemon” such as rsyslog.

So, the implication here is that "journalctl" has become good enough for most uses, but every system is different. Some people want a graphical frontend, some don't; some want a web browser, some don't; some people want to use fail2ban, some people want to use crowdsec, some people are fine with a static firewall config. These are all valid choices.

Note that, in Debian, fail2ban already "suggests" the "system-log-daemon" virtual package. This means that you (as the system administrator) can add any of the valid syslog daemons if you want to make use of that functionality.

> Do any of you have a tutorial about “fail2ban with journalctl”?
>
> greetings & thanks
> Sebastian
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Tim B. <ti...@bo...> - 2023-11-14 09:28:44
Hello!

On Monday, 13.11.2023 at 18:48 +0100, seb...@de... wrote:
>
> With debian 12, these log files are no longer available in the standard customizing - everything runs via journalctl.

Logging output can usually be customized in the configuration files of the daemon. Which SMTP server are you running? My servers are mostly running postfix in Debian/bookworm which logs to /var/log/mail.log out of the box. My Debian notebook HAS auth.log despite there being no ssh service running. Are you on stable, testing, unstable?

Cheers & see you soon,
tim

--
Q: Which event took its course in Berlin on 06.12.1933?
A: Nikolaus
From: <seb...@de...> - 2023-11-13 18:07:40
Good evening fail2ban's standard customizing assumes the existence of log files /var/log/mail.log or /var/log/access.log. With debian 12, these log files are no longer available in the standard customizing - everything runs via journalctl. Do any of you have a tutorial about “fail2ban with journalctl”? greetings & thanks Sebastian |
From: <ia...@pe...> - 2023-10-30 06:56:36
Hello friends,

I am using nftables in Debian12 and I have modified my file "/etc/nftables.conf" to add commands that block a segment of unwanted addresses, but when Fail2ban is executed these orders are eliminated: how can I add an order that is not eliminated by fail2ban?

table inet filter {
    chain input {
        type filter hook input priority filter;
        # CENSYS is scanning me and I'm going to drop them:
        ip saddr [EXAMPLE_NETWORK]/[EXAMPLE_PREFIX] drop
    }
...

Thanks.
From: John W. <wil...@gm...> - 2023-10-20 15:12:31
Here I use,

[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =

Kind regards,
John Willemse
LinkedIn: https://www.linkedin.com/in/willemsej/
Twitter: https://twitter.com/willemsej/

On Thu 19 Oct 2023 at 23:03, James Moe via Fail2ban-users <fai...@li...> wrote:
> On 10/19/23 4:49 AM, Marcel Blenkers wrote:
> > The Logfile looks like this:
> > Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
>
> Try this:
>
> fail2reg = ^.* <HOST> .* HTTP/.* (403|404).*
>
> --
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: James M. <moe...@sm...> - 2023-10-19 21:02:31
On 10/19/23 4:49 AM, Marcel Blenkers wrote:
> The Logfile looks like this:
> Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"

Try this:

fail2reg = ^.* <HOST> .* HTTP/.* (403|404).*

--
From: Peter H. <mai...@ma...> - 2023-10-19 18:09:58
On 19.10.2023 at 18:52 Marcel Blenkers wrote:
> Hi Peter,
>
> thanks for the reply.
>
> Unfortunately I forgot something
>
> I changed the IP for data protection
>
> the IP 192.168.10.10 <http://192.168.10.10> is actually the IP which is accessing the webserver.
>
> so it shows the correct IP, just not in my posting as I changed the IP
>
> it is really the IP I need to block
>
> greetings
>
> Marcel

OK, let's have a look:

> complete file:
> # Fail2Ban filter to match web requests for selected URLs that don't exist
> #
> [INCLUDES]
> # Load regexes for filtering
> before = botsearch-common.conf
> [Definition]
> failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
> ignoreregex =
>
> # DEV Notes:
> # Based on apache-botsearch filter
> #
> # Author: Frantisek Sumsal

I would use a copy of the existing filter nginx-botsearch.conf as nginx-botsearch.local on my CentOS 8 Stream:

# Fail2Ban filter to match web requests for selected URLs that don't exist
#
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
ignoreregex =
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal

just seen: @web.de - 2 hours difference to UTC. Changed to:

failregex = ^<HOST> \- \S+ \[[^\]]*\] \"(GET|POST|HEAD) \/<block> \S+\" 40[34] .+$

The datepattern should match in the 2nd line:
^[^\[]*\[({DATE})
^ - start of line
[^\[] - any character except "["
* - zero or more of those
\[ - the character "[" (this comes before the 2nd date/time, in UTC)
({DATE}) - this then captures the date and time.

On the failregex: your \S+ \[\] \"(GET requires [], but yours is [16/Oct/2023:13:49:02 +0000] ---> no match, ever.
\[[^\]]*\] is:
\[ - "["
[^\]] - any character that is not "]"
* - zero or more of those
\] - "]"

It could be that you run into a problem because the 2nd date/time is in UTC but the log itself is in CEST. IIRC the +0000 is honoured, though, so chances are good. But please check in the log whether the time is recognised correctly.

40[34] captures the errors 403 and 404. I understood your (403|404) to mean that this is what you want. If you only want 404, it stays 404.

Greetings from Berlin
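The regexes discussed in this thread (Peter's `\[\]` versus `\[[^\]]*\]` explanation above, John Willemse's `^<HOST>...` filter, and the Zimbra `oip=<HOST>[,;]` pattern from Arturo's post) can be checked offline against the quoted log lines before touching a jail. The harness below is an added example, not code from the thread or from fail2ban: it uses Python's `re` with a simple IPv4 stand-in for fail2ban's `<HOST>` tag (fail2ban's real expansion also accepts IPv6 and hostnames, and the `<block>` tag from botsearch-common.conf is replaced by `\S+` here), so `fail2ban-regex` remains the authoritative test. The nginx lines are constructed copies of those quoted in the thread plus one made-up successful request; the Zimbra line is the one Arturo posted.

```python
import re

# Constructed copies of log lines quoted in this thread. The first two are the
# docker/syslog-wrapped nginx 404s from Marcel's post; the third is a made-up
# 200 response, added so the regexes can be seen to reject it.
NGINX_SYSLOG_LINES = [
    'Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - '
    '[16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc '
    'HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) '
    'Gecko/20100101 Firefox/116.0" "-"',
    'Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - '
    '[16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/'
    'fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 '
    '"/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"',
    'Oct 16 15:49:05 localhost cabc0b82e7f9[424]: 192.168.10.10 - - '
    '[16/Oct/2023:13:49:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"',
]

# The Zimbra mailbox.log line from Arturo's post (the account name is elided as on the page).
ZIMBRA_LINE = (
    'Dec 5 15:43:30 mx20 mailbox-log 2023-12-02 11:13:20,110 INFO '
    '[qtp1059063940-46725701://localhost:8080/service/soap/BatchRequest] '
    '[name= xx...@xx...;oip=1.2.3.4, 5.6.7.8;ua=zclient/9.0.0_GA_4564;soapId=612ef133;] '
    'account - Error occurred during authentication: authentication failed for [cjq]. '
    'Reason: invalid password.'
)

# Stand-in for fail2ban's <HOST> tag. Assumption: IPv4 only, which is all the
# sample lines contain; fail2ban's own expansion is broader.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Expand <HOST> and compile the pattern as a single failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex, lines):
    """Return the host captured from each line the failregex matches, in order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def strip_syslog_prefix(line):
    """Remove the 'Mon DD HH:MM:SS host tag[pid]: ' prefix that syslog put in front of
    the nginx record (assumption: every line carries it, as the quoted lines do)."""
    return re.sub(r"^.*?\[\d+\]: ", "", line, count=1)


# Patterns under test; <block> is replaced by \S+ (assumption: any request path).
EMPTY_BRACKETS = r'^.*: <HOST> \- \S+ \[\] "(GET|POST|HEAD) \S+ \S+" 404 .+$'
ANY_BRACKETS = r'^.*: <HOST> \- \S+ \[[^\]]*\] "(GET|POST|HEAD) \S+ \S+" 40[34] .+$'
HOST_AT_LINE_START = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
ZIMBRA_FIRST_OIP = r"oip=<HOST>[,;].*invalid password"


if __name__ == "__main__":
    stripped = [strip_syslog_prefix(line) for line in NGINX_SYSLOG_LINES]
    print("[] literal, syslog lines:   ", matched_hosts(EMPTY_BRACKETS, NGINX_SYSLOG_LINES))
    print("[^]]* class, syslog lines:  ", matched_hosts(ANY_BRACKETS, NGINX_SYSLOG_LINES))
    print("^<HOST>, syslog lines:      ", matched_hosts(HOST_AT_LINE_START, NGINX_SYSLOG_LINES))
    print("^<HOST>, prefix stripped:   ", matched_hosts(HOST_AT_LINE_START, stripped))
    print("zimbra, first oip address:  ", matched_hosts(ZIMBRA_FIRST_OIP, [ZIMBRA_LINE]))
```

The two results worth noting: `\[\]` matches nothing because the bracketed timestamp is never empty, while `\[[^\]]*\]` matches both 404 lines and ignores the 200; and a regex anchored with `^<HOST>` only matches once the syslog prefix is gone, which is the difference between a plain nginx access.log and the docker/syslog-wrapped file in this thread. For the Zimbra line, `[,;]` right after `<HOST>` stops the capture at the first address in the oip list.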
From: Marcel B. <mar...@we...> - 2023-10-19 16:57:40
Hi Peter,

thanks for the reply.

Unfortunately I forgot something

I changed the IP for data protection

the IP 192.168.10.10 is actually the IP which is accessing the webserver.

so it shows the correct IP, just not in my posting as I changed the IP

it is really the IP I need to block

greetings

Marcel

--
This message was sent from my Android mobile phone with WEB.DE Mail.

On 19.10.23, 18:35 Peter Heirich <mai...@ma...> wrote:
> I think you are not aware what 192.168.10.y means.
>
> This is the IP address seen inside the docker container. This IP is created by NAT on your host.
>
> If you block them, you are not blocking access from outside to your host, but blocking the way back from the docker container to your host internally. This is output from nginx inside docker, not input.
>
> Of course, you can manually set up a more sophisticated version, but consider this: docker-daemon is changing the iptables. If you start running a docker container, usually iptables is used to add rules to set up NAT.
>
> There is a --ip-tables option to dockerd, which prevents the iptables rules from being changed by dockerd, but in most cases I tried, that causes malfunction.
>
> If you are running firewalld there is a zone docker added IIRC, but I don't really know about it.
>
> My advice would be not to verify the log of nginx inside the docker.
>
> nginx is able to run as a reverse proxy. You probably should choose a setup
>
> outside --> nginx (reverse proxy) --> NAT --> docker --> nginx (webserver)
>
> Such a setup is often used for large sites. On them not only 1 nginx (webserver) instance is running, but a lot of them on different hosts.
>
> In most cases, creating a website by php, perl or other script language needs a lot of time. Only to get the answer from a webserver and deliver this to outside is just some kind of copy. However, because of caching within the reverse proxy, static objects like .jpg are cached there. So the real webserver does not have to serve (depends on cache-header config), but only once a day or week.
>
> However, the logs of the reverse proxy contain the real outside addresses in the log and of course the 404 answer generated by the real webserver.
>
> From this point of view it is just a normal setup running nginx as webserver, but using "proxy-pass" instead of "try-files" within the location rule.
>
> Peter
>
> On 19.10.2023 at 13:49 Marcel Blenkers wrote:
>> Hello everyone,
>>
>> I am in the need for some help, as I want to create a new filter.
>>
>> Setup:
>>
>> We are running a nginx-Server in a docker-container and on the system itself a fail2ban-installation.
>>
>> The Docker-Container writes via syslog-module into a file the content of the nginx-Logs and we want to check those logs for repeating 404-error and block those IPs which are creating those entries.
>>
>> The Logfile looks like this:
>>
>> Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
>> Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
>> Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
>> Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"
>>
>> As you can see, we need to block the IP 192.168.10.10 or any other IP which is found on that position.
>>
>> I tried:
>>
>> failregex = ^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$
>>
>> or
>>
>> failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
>>
>> complete file:
>>
>> # Fail2Ban filter to match web requests for selected URLs that don't exist
>> #
>> [INCLUDES]
>> # Load regexes for filtering
>> before = botsearch-common.conf
>> [Definition]
>> failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
>> ignoreregex =
>>
>> # DEV Notes:
>> # Based on apache-botsearch filter
>> #
>> # Author: Frantisek Sumsal
>>
>> fail2ban-regex:
>>
>> Running tests
>> =============
>> Use failregex filter file : nginx-docker, basedir: /etc/fail2ban
>> Use log file : /root/nginx.log.2
>> Use encoding : UTF-8
>>
>> Results
>> =======
>> Failregex: 0 total
>> Ignoreregex: 0 total
>> Date template hits:
>> |- [# of hits] date format
>> | [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>> Lines: 994 lines, 0 ignored, 0 matched, 994 missed
>> [processed in 0.06 sec]
>> Missed line(s): too many to print. Use --print-all-missed to print all 994 lines
>>
>> Could someone please point me in the right direction for the failregex?
>>
>> Thanks in advance!
>>
>> Greetings
>>
>> Marcel
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fai...@li...
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Peter H. <mai...@ma...> - 2023-10-19 16:53:27
I think you are not aware what 192.168.10.y means.

This is the IP address seen inside the docker container. This IP is created by NAT on your host.

If you block them, you are not blocking access from outside to your host, but blocking the way back from the docker container to your host internally. This is output from nginx inside docker, not input.

Of course, you can manually set up a more sophisticated version, but consider this: docker-daemon is changing the iptables. If you start running a docker container, usually iptables is used to add rules to set up NAT.

There is a --ip-tables option to dockerd, which prevents the iptables rules from being changed by dockerd, but in most cases I tried, that causes malfunction.

If you are running firewalld there is a zone docker added IIRC, but I don't really know about it.

My advice would be not to verify the log of nginx inside the docker.

nginx is able to run as a reverse proxy. You probably should choose a setup

outside --> nginx (reverse proxy) --> NAT --> docker --> nginx (webserver)

Such a setup is often used for large sites. On them not only 1 nginx (webserver) instance is running, but a lot of them on different hosts.

In most cases, creating a website by php, perl or other script language needs a lot of time. Only to get the answer from a webserver and deliver this to outside is just some kind of copy. However, because of caching within the reverse proxy, static objects like .jpg are cached there. So the real webserver does not have to serve (depends on cache-header config), but only once a day or week.

However, the logs of the reverse proxy contain the real outside addresses in the log and of course the 404 answer generated by the real webserver.

From this point of view it is just a normal setup running nginx as webserver, but using "proxy-pass" instead of "try-files" within the location rule.

Peter

On 19.10.2023 at 13:49 Marcel Blenkers wrote:
> Hello everyone,
> I am in the need for some help, as I want to create a new filter.
> Setup:
> We are running a nginx-Server in a docker-container and on the system itself a fail2ban-installation.
> The Docker-Container writes via syslog-module into a file the content of the nginx-Logs and we want to check those logs for repeating 404-error and block those IPs which are creating those entries.
> The Logfile looks like this:
> Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
> Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
> Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
> Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"
> As you can see, we need to block the IP 192.168.10.10 or any other IP which is found on that position.
> I tried:
> failregex = ^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$
> or
> failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
> complete file:
> # Fail2Ban filter to match web requests for selected URLs that don't exist
> #
> [INCLUDES]
> # Load regexes for filtering
> before = botsearch-common.conf
> [Definition]
> failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
> ignoreregex =
>
> # DEV Notes:
> # Based on apache-botsearch filter
> #
> # Author: Frantisek Sumsal
> fail2ban-regex:
> Running tests
> =============
> Use failregex filter file : nginx-docker, basedir: /etc/fail2ban
> Use log file : /root/nginx.log.2
> Use encoding : UTF-8
>
> Results
> =======
> Failregex: 0 total
> Ignoreregex: 0 total
> Date template hits:
> |- [# of hits] date format
> | [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
> Lines: 994 lines, 0 ignored, 0 matched, 994 missed
> [processed in 0.06 sec]
> Missed line(s): too many to print. Use --print-all-missed to print all 994 lines
> Could someone please point me in the right direction for the failregex?
> Thanks in advance!
> Greetings
> Marcel
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users