From: Davide P. <per...@dp...> - 2013-10-07 10:51:29
Thanks for the answer. Here is some info:

Name        : fail2ban                          Relocations: (not relocatable)
Version     : 0.8.10                                 Vendor: Fedora Project
Release     : 3.el6                              Build Date: Wed 28 Aug 2013 08:07:35 PM CEST
Install Date: Thu 19 Sep 2013 02:08:13 PM CEST   Build Host: buildvm-07.phx2.fedoraproject.org
Group       : System Environment/Daemons         Source RPM: fail2ban-0.8.10-3.el6.src.rpm

On 07/10/2013 12:48, Arturo 'Buanzo' Busleiman wrote:
> What is your fail2ban version?
>
> On Oct 7, 2013 5:46 AM, "Davide Perini" <per...@dp...> wrote:
>
> > Hi,
> > I am using fail2ban with SSLH, a multiplexer that listens on port 443 for SSH and HTTPS connections and redirects connections to the correct port.
> >
> > fail2ban works ok but I have this warning with the squirrelmail rules.
> > <28>fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1
> >
> > The strange thing is that the IP address in the log that fail2ban is analyzing is written correctly, I find the real IP of the person who is connecting and not ::1...
> >
> > Any idea?
> >
> > fail2ban works with all rules now but not with the squirrelmail one:
> > squirrelmail.conf
> > *Code:*
> > [Definition]
> >
> > failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
> > ignoreregex =
> >
> >
> > jail.conf
> > *Code:*
> > [squirrelmail-iptables]
> > enabled = true
> > filter = squirrelmail
> > action = iptables-multiport[name=squirrelmail, port="http,https,socks"]
> > action = iptables-multiport[name=squirrelmail, port="http,https,socks"]
> >          sendmail-whois[name=SquirrelMail, dest=myemail, sender=myemail]
> > logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
> >
> >
> > the /var/lib/squirrelmail/prefs/squirrelmail_access_log
> > *Code:*
> > 10/06/2013 15:50:41 [LOGIN_ERROR] dadas (mydomain.org) from 151.64.44.xx: Unknown user or password incorrect.
> >
> >
> > the command:
> > fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
> > *Code:*
> > Running tests
> > =============
> >
> > Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
> > Use log file : /var/lib/squirrelmail/prefs/squirrelmail_access_log
> >
> > Matched time template Day/Month/Year Hour:Minute:Second
> > Got time using template Day/Month/Year Hour:Minute:Second
> > Matched time template Day/Month/Year Hour:Minute:Second
> > Got time using template Day/Month/Year Hour:Minute:Second
> > Matched time template Day/Month/Year Hour:Minute:Second
> > Got time using template Day/Month/Year Hour:Minute:Second
> > Matched time template Day/Month/Year Hour:Minute:Second
> > Got time using template Day/Month/Year Hour:Minute:Second
> > Matched time template Day/Month/Year Hour:Minute:Second
> > Got time using template Day/Month/Year Hour:Minute:Second
> >
> > Results
> > =======
> >
> > Failregex: 5 total
> > |- #) [# of hits] regular expression
> > | 1) [5] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Summary
> > =======
> >
> > Addresses found:
> > [1]
> > 151.64.44.xx (Mon Jun 10 15:49:43 2013)
> > 151.64.44.xx (Mon Jun 10 15:50:14 2013)
> > 151.64.44.xx (Mon Jun 10 15:50:26 2013)
> > 151.64.44.xx (Mon Jun 10 15:50:41 2013)
> > 151.64.44.xx (Mon Jun 10 16:05:23 2013)
> >
> > Date template hits:
> > 10 hit(s): Day/Month/Year Hour:Minute:Second
> >
> > Success, the total number of match is 5
> >
> > However, look at the above section 'Running tests' which could contain important information.
> >
> >
> > Any idea on why I get that warning and why it does not ban the squirrelmail errors?
> > THANKS!
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fai...@li...
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
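
An added example, not part of the original post or of fail2ban's own code: the pasted fail2ban-regex output reads the log stamp `10/06/2013` with the Day/Month/Year template and reports the hits as `Mon Jun 10`, and this sketch shows how such a reading interacts with a findtime window. The function names, the IPv4 stand-in for `<HOST>`, the sample address, the 600-second findtime and the value of `NOW` are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log line quoted in the post, with the elided
# address replaced by a documentation-range one.
LOG_LINE = ("10/06/2013 15:50:41 [LOGIN_ERROR] dadas (mydomain.org) "
            "from 192.0.2.10: Unknown user or password incorrect.")

# The failregex from the posted squirrelmail.conf.
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
# Assumption: a plain IPv4 group stands in for fail2ban's <HOST> expansion.
HOST_STANDIN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

TEMPLATES = {
    "Day/Month/Year": "%d/%m/%Y %H:%M:%S",  # template named in the pasted output
    "Month/Day/Year": "%m/%d/%Y %H:%M:%S",  # alternative reading of the same stamp
}

# Assumptions: the check runs 19 seconds after the logged failure, on
# 6 October 2013, with a findtime of 600 seconds.
NOW = datetime(2013, 10, 6, 15, 51, 0)
FINDTIME = 600


def parse_failure(line, template):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    match = re.search(FAILREGEX.replace("<HOST>", HOST_STANDIN), line)
    if match is None:
        return None
    stamp = datetime.strptime(line[:19], TEMPLATES[template])
    return match.group("host"), stamp


def counts_toward_ban(stamp, now=NOW, findtime=FINDTIME):
    """A failure counts only if it is not older than now - findtime."""
    return stamp >= now - timedelta(seconds=findtime)


def diagnose(line=LOG_LINE):
    """Map each date template to (host, timestamp, counts_toward_ban)."""
    report = {}
    for name in TEMPLATES:
        host, stamp = parse_failure(line, name)
        report[name] = (host, stamp, counts_toward_ban(stamp))
    return report


if __name__ == "__main__":
    for name, (host, stamp, counted) in diagnose().items():
        print(f"{name}: {host} at {stamp} -> counted={counted}")
```

The regex matches under both templates, which agrees with the "Success" line in the pasted output; only the interpreted date, and therefore whether the failure falls inside the window, differs.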