From: Steven H. <ste...@hi...> - 2014-06-26 07:48:13
On 26 June 2014 07:12:43 BST, Thomas Buschhardt <bus...@gm...> wrote:
>Hello, please help me out with my configuration, I don't see a ban.
>
>I run a Webrick web server on port 4567, and these are my files.
>
>filter.d/webrick.local
>------
>[Definition]
>
>failregex = ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
>            ^<HOST> - - \[.*\] .*/phppath/php.*" 404 .*$
>            ^<HOST> - - \[.*\] .*GET /cgi-bin/php .*" 400 .*$
>            ^<HOST> - - \[.*\] .*/w00tw00t.*" 404 .*$
>            ^<HOST> - - \[.*\] .*/user/soapCaller.bs.*" 404 .*$
>
>ignoreregex =
>-------
>
>I test it with fail2ban-regex for some requests like:
>180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /test2.php HTTP/1.1" 404 26 0.0016
>---------
>fail2ban-regex '180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /test2.php HTTP/1.1" 404 26 0.0016' /etc/fail2ban/filter.d/webrick.local
>
>Running tests
>=============
>
>Use failregex file : /etc/fail2ban/filter.d/webrick.local
>Use single line : 180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /t...
>
>
>Results
>=======
>
>Failregex: 1 total
>|- #) [# of hits] regular expression
>| 1) [1] ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
>`-
>
>Ignoreregex: 0 total
>
>Date template hits:
>|- [# of hits] date format
>| [1] Day/MONTH/Year Hour:Minute:Second
>`-
>
>Lines: 1 lines, 0 ignored, 1 matched, 0 missed
>--------
>
>For the jail I edited /etc/fail2ban/jail.local:
>-------
>[webrick]
>
>enabled = true
>port = 4567
>filter = webrick
>logpath = /home/thomas/pid/webserver.output
>maxretry = 6
>action = iptables[name=webrick, port=4567, protocol=tcp]
>-------
>
>After a restart I get this in /var/log/fail2ban.log:
>-------
>2014-06-26 08:03:14,928 fail2ban.jail [5337]: INFO Creating new jail 'webrick'
>2014-06-26 08:03:14,929 fail2ban.jail [5337]: INFO Jail 'webrick' uses poller
>2014-06-26 08:03:14,930 fail2ban.jail [5337]: INFO Initiated 'polling' backend
>2014-06-26 08:03:14,931 fail2ban.filter [5337]: INFO Added logfile = /home/thomas/pid/webserver.output
>2014-06-26 08:03:14,932 fail2ban.filter [5337]: INFO Set maxRetry = 6
>2014-06-26 08:03:14,935 fail2ban.filter [5337]: INFO Set findtime = 600
>2014-06-26 08:03:14,936 fail2ban.actions[5337]: INFO Set banTime = 900
>2014-06-26 08:03:14,976 fail2ban.jail [5337]: INFO Jail 'webrick' started
>-------
>
>Now I notice that the log shows no ban for this line:
>
>180.143.202.229 - - [26/Jun/2014 08:06:50] "GET /test6.php HTTP/1.1" 404 26 0.0015
>
>When I run:
>"fail2ban-client status":
>Status
>|- Number of jail: 2
>`- Jail list: webrick, ssh
>
>"fail2ban-client status webrick"
>Status for the jail: webrick
>|- filter
>| |- File list: /home/thomas/pid/webserver.output
>| |- Currently failed: 3
>| `- Total failed: 4
>`- action
> |- Currently banned: 0
> | `- IP list:
> `- Total banned: 0
>
>What am I doing wrong?
>
>Thank you
>Thomas
>

Thomas,

From the status it looks like you've only had 4 failures, with 3 currently open. Your configuration is set to require 6 (maxretry) failures within 10 minutes (findtime) before a ban will take place.

-- 
Steven Hiscocks
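The counting rule Steven describes (ban only once a host has maxretry matching lines inside a findtime window) is easy to misjudge from fail2ban-regex output alone, because fail2ban-regex only reports whether a line matches the regex and says nothing about thresholds. The script below is an added example written for this thread; it is not code from fail2ban or from either poster. It replays the five failregex lines from the post's webrick.local over constructed WEBrick-style log lines (not taken from the post) and applies a simplified version of the maxretry/findtime rule. The expansion of `<HOST>` to `(?P<host>\S+)`, the exact window arithmetic, and the sample timestamps are assumptions made for illustration; the real fail2ban expansion is stricter and its status counters are computed differently.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed WEBrick-style access-log lines (not from the original post).
# Four .php probes from one host, but only the last three fall inside a
# 600 s window, so maxretry = 6 is never reached.
SAMPLE_LOG = """\
180.143.202.229 - - [26/Jun/2014 07:40:10] "GET /test1.php HTTP/1.1" 404 26 0.0014
180.143.202.229 - - [26/Jun/2014 08:01:05] "GET /test2.php HTTP/1.1" 404 26 0.0016
180.143.202.229 - - [26/Jun/2014 08:03:40] "GET /phppath/php HTTP/1.1" 404 26 0.0012
10.0.0.7 - - [26/Jun/2014 08:04:00] "GET /index.html HTTP/1.1" 200 512 0.0009
180.143.202.229 - - [26/Jun/2014 08:06:50] "GET /test6.php HTTP/1.1" 404 26 0.0015
"""

# Constructed burst: six probes within six seconds, enough for maxretry = 6.
BURST_LOG = "".join(
    f'180.143.202.229 - - [26/Jun/2014 08:10:{i:02d}] "GET /scan{i}.php HTTP/1.1" 404 26 0.0010\n'
    for i in range(6)
)

# The failregex entries from the post's filter.d/webrick.local, verbatim.
FAILREGEX = [
    r'^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$',
    r'^<HOST> - - \[.*\] .*/phppath/php.*" 404 .*$',
    r'^<HOST> - - \[.*\] .*GET /cgi-bin/php .*" 400 .*$',
    r'^<HOST> - - \[.*\] .*/w00tw00t.*" 404 .*$',
    r'^<HOST> - - \[.*\] .*/user/soapCaller.bs.*" 404 .*$',
]

# Timestamp exactly as WEBrick writes it: [25/Jun/2014 08:30:37]
TIME_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex.

    fail2ban replaces <HOST> with a named group that captures the address.
    The expansion used here (any run of non-space characters) is an
    assumption for this example and is looser than fail2ban's own.
    """
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))


def parse_time(line):
    m = TIME_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S") if m else None


def match_failure(line, patterns):
    """Return the offending host if any failregex matches the line, else None."""
    for p in patterns:
        m = p.search(line)
        if m:
            return m.group("host")
    return None


def simulate(log_text, failregex, maxretry=6, findtime=600):
    """Replay log lines through a simplified fail2ban-style counter.

    A host is banned once it has at least maxretry matching lines whose
    timestamps lie within findtime seconds of its newest matching line.
    Returns total matches per host, matches still inside the window, and
    the list of (host, time) bans that would have fired.
    """
    patterns = [compile_failregex(r) for r in failregex]
    recent = defaultdict(list)   # host -> timestamps still inside the window
    total = Counter()
    bans = []
    for line in log_text.splitlines():
        host = match_failure(line, patterns)
        ts = parse_time(line)
        if host is None or ts is None:
            continue
        total[host] += 1
        window = recent[host] + [ts]
        # Drop anything older than findtime relative to the newest hit.
        recent[host] = [t for t in window if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            bans.append((host, ts))
            recent[host] = []    # host is handed off to a ban; start counting afresh
    return {
        "total_failed": dict(total),
        "currently_failed": {h: len(v) for h, v in recent.items()},
        "bans": bans,
    }


if __name__ == "__main__":
    for name, log in (("spread-out probes", SAMPLE_LOG), ("burst", BURST_LOG)):
        print(name, simulate(log, FAILREGEX))
```

Run against SAMPLE_LOG the simulation reports four matches in total but only three inside the 600 s window and no ban, which is the situation Steven describes; BURST_LOG crosses the threshold on its sixth line. Passing `maxretry=3` or `findtime=3600` to `simulate` shows how either knob changes the outcome for the same lines, which is the quick way to check a jail's thresholds before waiting on a live scanner.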