From: Denny J. <lhw...@ao...> - 2013-12-06 19:04:32
Woo Hoo! Glad I could help.

-----Original Message-----
From: Yan Hudon <ya...@ja...>
To: fail2ban-users <fai...@li...>
Sent: Fri, Dec 6, 2013 10:21 am
Subject: [Fail2ban-users] Fail2ban partially working

Hi,

I've set up fail2ban on a CentOS server and everything is working fine for my ssh jail (I am receiving alerts and shorewall is banning IPs) but somehow, my 2 others, vsftpd and smtp, are processed (I can see that they are by monitoring the log upon startup) but never seem to notice any failed login attempt, thus never taking action.

I have used fail2ban-regex to be sure that my regexes were good and they are.

For example, let's take my vsftpd jail:

jail status (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list: /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0

jail.local content

[vsftpd6]
enabled = true
filter = vsftpd
action = shorewall
         sendmail-whois[name=VSFTPD, dest=it...@ja...]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

vsftpd filter regex

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

Sample of the vsftpd logfile

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec 6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

fail2ban-regex results

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything. Any help will be appreciated.
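
Added example, not part of the original thread and not fail2ban's own code: fail2ban-regex only tests the pattern, while the running jail also drops matches whose timestamp is older than findtime by its own clock, so this Python script applies the post's two failregex lines to three of its log lines and counts them against maxretry = 2 under two reference clocks. The IPv4-only <HOST> stand-in, findtime = 600 s, the year 2013 and both reference clocks are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# The two failregex lines of the vsftpd filter quoted in the post.
FAILREGEX = [
    r'vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; '
    r'.* rhost=<HOST>(?:\s+user=\S*)?\s*$',
    r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$',
]
COMPILED = [re.compile(rx.replace('<HOST>', HOST)) for rx in FAILREGEX]

MAXRETRY = 2                       # maxretry from the jail.local in the post
FINDTIME = timedelta(seconds=600)  # assumption: findtime is not shown in the post

# Three lines copied from the log sample in the post.
SAMPLE = '''\
Dec 6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
'''

def parse_failures(text, year=2013):
    """Return (timestamp, host) for each line that any failregex matches."""
    hits = []
    for line in text.splitlines():
        match = next((m for m in (rx.search(line) for rx in COMPILED) if m), None)
        if match:
            stamp = ' '.join(line.split()[:3])  # syslog stamps carry no year
            when = datetime.strptime(f'{year} {stamp}', '%Y %b %d %H:%M:%S')
            hits.append((when, match.group('host')))
    return hits

def hosts_to_ban(hits, now):
    """Hosts with at least MAXRETRY failures no older than now - FINDTIME."""
    recent = Counter(host for when, host in hits if when >= now - FINDTIME)
    return sorted(host for host, count in recent.items() if count >= MAXRETRY)

if __name__ == '__main__':
    hits = parse_failures(SAMPLE)
    # Constructed reference clocks: in step with the log, then five hours ahead.
    for now in (datetime(2013, 12, 6, 10, 26), datetime(2013, 12, 6, 15, 26)):
        print(now, '->', hosts_to_ban(hits, now))
```

With the reference clock in step with the log the host reaches maxretry; with the clock five hours ahead the same three matches fall outside the window and nothing is counted.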