From: Thomas B. <bus...@gm...> - 2014-06-27 10:42:14
Dear Steven, thank you very much.

2014-06-26 9:48 GMT+02:00 Steven Hiscocks <ste...@hi...>:

>
> On 26 June 2014 07:12:43 BST, Thomas Buschhardt <bus...@gm...> wrote:
> >Hello, please help me out with my configuration, I don't see a ban.
> >
> >I run a webserver Webrick on port 4567 and these are my files.
> >
> >filter.d/webrick.local
> >------
> >[Definition]
> >
> >failregex = ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
> >            ^<HOST> - - \[.*\] .*/phppath/php.*" 404 .*$
> >            ^<HOST> - - \[.*\] .*GET /cgi-bin/php .*" 400 .*$
> >            ^<HOST> - - \[.*\] .*/w00tw00t.*" 404 .*$
> >            ^<HOST> - - \[.*\] .*/user/soapCaller.bs.*" 404 .*$
> >
> >ignoreregex =
> >-------
> >
> >I test it with fail2ban-regex for some requests like:
> >180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /test2.php HTTP/1.1" 404 26 0.0016
> >---------
> >fail2ban-regex '180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /test2.php HTTP/1.1" 404 26 0.0016' /etc/fail2ban/filter.d/webrick.local
> >
> >Running tests
> >=============
> >
> >Use failregex file : /etc/fail2ban/filter.d/webrick.local
> >Use single line : 180.143.202.229 - - [25/Jun/2014 08:30:37] "GET /t...
> >
> >
> >Results
> >=======
> >
> >Failregex: 1 total
> >|- #) [# of hits] regular expression
> >| 1) [1] ^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$
> >`-
> >
> >Ignoreregex: 0 total
> >
> >Date template hits:
> >|- [# of hits] date format
> >| [1] Day/MONTH/Year Hour:Minute:Second
> >`-
> >
> >Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> >--------
> >
> >As jail I edit /etc/fail2ban/jail.local
> >-------
> >[webrick]
> >
> >enabled = true
> >port = 4567
> >filter = webrick
> >logpath = /home/thomas/pid/webserver.output
> >maxretry = 6
> >action = iptables[name=webrick, port=4567, protocol=tcp]
> >-------
> >
> >After restart I get in /var/log/fail2ban.log
> >-------
> >2014-06-26 08:03:14,928 fail2ban.jail [5337]: INFO Creating new jail 'webrick'
> >2014-06-26 08:03:14,929 fail2ban.jail [5337]: INFO Jail 'webrick' uses poller
> >2014-06-26 08:03:14,930 fail2ban.jail [5337]: INFO Initiated 'polling' backend
> >2014-06-26 08:03:14,931 fail2ban.filter [5337]: INFO Added logfile = /home/thomas/pid/webserver.output
> >2014-06-26 08:03:14,932 fail2ban.filter [5337]: INFO Set maxRetry = 6
> >2014-06-26 08:03:14,935 fail2ban.filter [5337]: INFO Set findtime = 600
> >2014-06-26 08:03:14,936 fail2ban.actions[5337]: INFO Set banTime = 900
> >2014-06-26 08:03:14,976 fail2ban.jail [5337]: INFO Jail 'webrick' started
> >-------
> >
> >Now I capture that the log has no ban of this line:
> >
> >180.143.202.229 - - [26/Jun/2014 08:06:50] "GET /test6.php HTTP/1.1" 404 26 0.0015
> >
> >When I run:
> >"fail2ban-client status":
> >Status
> >|- Number of jail: 2
> >`- Jail list: webrick, ssh
> >
> >"fail2ban-client status webrick"
> >Status for the jail: webrick
> >|- filter
> >| |- File list: /home/thomas/pid/webserver.output
> >| |- Currently failed: 3
> >| `- Total failed: 4
> >`- action
> >   |- Currently banned: 0
> >   | `- IP list:
> >   `- Total banned: 0
> >
> >What am I doing wrong?
> >
> >Thank you
> >Thomas
>
> Thomas,
>
> It looks like from the status you've only had 4 failures with 3 current
> opens. Your configuration is set to require 6 (maxretry) failures within 10
> minutes (findtime) before a ban will take place.
> --
> Steven Hiscocks
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
www.aloedb.org - database for aloes
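Added example, not part of the thread and not fail2ban's own code: a simplified Python model of the maxretry/findtime counting described in Steven's reply, using the first failregex from webrick.local. The log lines, the 192.0.2.x addresses and the names simulate and make_lines are constructed for illustration, and <HOST> is replaced by a plain IPv4 pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First failregex from the thread's webrick.local; <HOST> is swapped for a
# simplified IPv4 group (assumption: fail2ban's real host pattern is broader).
FAILREGEX = r'^<HOST> - - \[.*\] .*"GET .*\.php.*" 404 .*$'.replace(
    "<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\]")

def simulate(lines, maxretry=6, findtime=600):
    """Return (banned hosts, failures still inside the window per host)."""
    window = defaultdict(deque)   # host -> failure timestamps within findtime
    banned = []
    for line in lines:
        m = re.match(FAILREGEX, line)
        d = DATE_RE.search(line)
        if not (m and d):
            continue              # line does not count as a failure
        host = m.group("host")
        now = datetime.strptime(d.group(1), "%d/%b/%Y %H:%M:%S")
        q = window[host]
        q.append(now)
        # Forget failures older than findtime seconds.
        while now - q[0] > timedelta(seconds=findtime):
            q.popleft()
        # A ban needs maxretry failures inside one findtime window.
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned, {h: len(q) for h, q in window.items()}

def make_lines(host, start, count, step_seconds):
    """Constructed sample lines in the WEBrick format quoted in the thread."""
    t = datetime.strptime(start, "%d/%b/%Y %H:%M:%S")
    return [f'{host} - - [{(t + timedelta(seconds=i * step_seconds)):%d/%b/%Y %H:%M:%S}] '
            f'"GET /test{i}.php HTTP/1.1" 404 26 0.0015' for i in range(count)]

if __name__ == "__main__":
    start = "26/Jun/2014 08:00:00"
    print(simulate(make_lines("192.0.2.10", start, 4, 30)))   # 4 failures: no ban
    print(simulate(make_lines("192.0.2.20", start, 6, 30)))   # 6 in 150 s: ban
    print(simulate(make_lines("192.0.2.30", start, 6, 300)))  # 6 over 25 min: no ban
```

The third case shows why slow probing stays under the threshold with findtime = 600: old failures drop out of the window before the count reaches maxretry.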