Re: [Fail2ban-users] No ban

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900


On 26 June 2014 07:12:43 BST, Thomas Buschhardt <bus...@gm...> wrote:
>Hallo, please help me out with my configuration, I dont see a ban.
>
>I run a webserver Webrick on port 4567 and that is my files.
>
>filter.d/webrick.local
>------
>[Definition]
>
>failregex = ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
>            ^<HOST> - - \[.*\] .*/phppath/php.*" 404 .*$
>            ^<HOST> - - \[.*\] .*GET /cgi-bin/php .*" 400 .*$
>            ^<HOST> - - \[.*\] .*/w00tw00t.*" 404 .*$
>            ^<HOST> - - \[.*\] .*/user/soapCaller.bs.*" 404 .*$
>
>ignoreregex =
>-------
>
>I test it with fail2ban-regex for some requests like:
>180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /test2.php HTTP/1.1"
>404 26
>0.0016
>---------
>fail2ban-regex '180.143.202.229 - - [25/Jun/2014 08:30:37] "GET
>/test2.php
>HTTP/1.1" 404 26 0.0016' /etc/fail2ban/filter.d/webrick.local
>
>Running tests
>=============
>
>Use   failregex file : /etc/fail2ban/filter.d/webrick.local
>Use      single line : 180.143.202.229 - - [25/Jun/2014 08:30:37] "GET
>/t...
>
>
>Results
>=======
>
>Failregex: 1 total
>|-  #) [# of hits] regular expression
>|   1) [1] ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
>`-
>
>Ignoreregex: 0 total
>
>Date template hits:
>|- [# of hits] date format
>|  [1] Day/MONTH/Year Hour:Minute:Second
>`-
>
>Lines: 1 lines, 0 ignored, 1 matched, 0 missed
>--------
>
>As jail I edit /etc/fail2ban/jail.local
>-------
>[webrick]
>
>enabled   = true
>port      = 4567
>filter    = webrick
>logpath   = /home/thomas/pid/webserver.output
>maxretry  = 6
>action   = iptables[name=webrick, port=4567, protocol=tcp]
>-------
>
>After restart I get in /var/log/fail2ban.log
>-------
>2014-06-26 08:03:14,928 fail2ban.jail   [5337]: INFO    Creating new
>jail
>'webrick'
>2014-06-26 08:03:14,929 fail2ban.jail   [5337]: INFO    Jail 'webrick'
>uses
>poller
>2014-06-26 08:03:14,930 fail2ban.jail   [5337]: INFO    Initiated
>'polling'
>backend
>2014-06-26 08:03:14,931 fail2ban.filter [5337]: INFO    Added logfile =
>/home/thomas/pid/webserver.output
>2014-06-26 08:03:14,932 fail2ban.filter [5337]: INFO    Set maxRetry =
>6
>2014-06-26 08:03:14,935 fail2ban.filter [5337]: INFO    Set findtime =
>600
>2014-06-26 08:03:14,936 fail2ban.actions[5337]: INFO    Set banTime =
>900
>2014-06-26 08:03:14,976 fail2ban.jail   [5337]: INFO    Jail 'webrick'
>started
>-------
>
>Now I capture that the log has no ban of this line:
>
>180.143.202.229 - - [26/Jun/2014 08:06:50] "GET /test6.php HTTP/1.1"
>404 26
>0.0015
>
>When I run:
>"fail2ban-client status":
>Status
>|- Number of jail:      2
>`- Jail list:           webrick, ssh
>
>"fail2ban-client status webrick"
>Status for the jail: webrick
>|- filter
>|  |- File list:        /home/thomas/pid/webserver.output
>|  |- Currently failed: 3
>|  `- Total failed:     4
>`- action
>   |- Currently banned: 0
>   |  `- IP list:
>   `- Total banned:     0
>
>What I do wrong?
>
>Thank you
>Thomas
>
Thomas,

It looks like from the status you've only had 4 failures with 3 current opens. You configuration is set to require 6 (maxretry) failures within 10 minutes (findtime) before a ban will take place.
--
Steven Hiscocks