[Fail2ban-users] Fail2ban partially working

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I've set up fail2ban on a centos server and everything is working fine 
for my ssh jail (i am receiving alerts and shorewall is banning ips) but 
somehow, my 2 others, vsftpd and smtp, are processed (I can that they 
are by monitoring the log upon startup) but never seems to notice any 
failed logging attempt thus, never taking actions.

I have used fail2ban-regex to be sure that my regex were good and they are.

For example, let's take my vsftpd jail :

*jail status* (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
    |- Currently banned:    0
    |  `- IP list:
    `- Total banned:    0

*jail.local content*

[vsftpd6]

enabled = true
filter = vsftpd
action = shorewall
                sendmail-whois[name=VSFTPD, dest=it...@ja...]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

*vsftpd filter regex*

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication 
failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
             \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

*Sample of the vsftpd logfile*

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

*fail2ban-regex results*

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: 
Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything.

Any help will be appreciated.