Re: [Fail2ban-users] event from own Filter detected but ip not not blocked?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

What's in your syslog with the same/close time stamp?

Are you running SELINUX?

On Sat, 2014-08-09 at 10:59 +0200, reg...@un... wrote:
> Dear Members
> 
> We run fail2ban since a couple of time on or webservers, an it works
> great with some of default implemented filters!
> 
> Now i have addet a new
> Filterdefinition("apache-wplogin-iptables.conf") in filter.d and
> activated it in jail.conf. 1
> 
> 
> fail2ban.log says that the filter is successfully acivated:
> *********
> *********
> 2014-08-09 09:36:02,851 fail2ban.jail   : INFO   Creating new jail 'apache-wplogin-iptables'
> 2014-08-09 09:36:02,852 fail2ban.jail   : INFO   Jail 'apache-wplogin-iptables' uses Gamin
> 2014-08-09 09:36:02,952 fail2ban.filter : INFO   Added logfile = /home/user/myTestLogFile
> 2014-08-09 09:36:03,053 fail2ban.filter : INFO   Set maxRetry = 5
> 2014-08-09 09:36:04,160 fail2ban.filter : INFO   Set findtime = 30
> 2014-08-09 09:36:04,261 fail2ban.actions: INFO   Set banTime = 86400
> *********
> *********
> 
> 
> even iptables added the expected Chain:
> *********
> *********
> Chain fail2ban-apache-wplogin (1 references)
> num  target     prot opt source               destination
> 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> *********
> *********
> 
>  
> 
> fail2ban is sending the start-email as expected:
> *********
> *********
> Hi,
> The jail apache-wplogin has been started successfully.
> Regards,
> Fail2Ban
> *********
> *********
> 
> 
> 
> I have also check the failregex sucessfully with my testlogfile by
> using fail2ban-regex :
> fail2ban-regex /home/user/myTestLogFile /etc/fail2ban/filter.d/apache-wplogin-iptables.conf
> ********
> ********
> Running tests
> =============
> Use regex file : /etc/fail2ban/filter.d/apache-wplogin-iptables.conf
> Use log file   : /home/fja/access_log2
> 
> Results
> =======
> Failregex
> |- Regular expressions:
> |  [1] ^<HOST> .* "POST /wp-login
> |
> `- Number of matches:
>    [1] 12 match(es)
> 
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
> 
> 
> Summary
> =======
> Addresses found:
> [1]
>     176.223.126.13 (Sat Aug 09 09:03:17 2014)
>     176.223.126.13 (Sat Aug 09 09:03:18 2014)
>     176.223.126.13 (Sat Aug 09 09:03:21 2014)
>     176.223.126.13 (Sat Aug 09 09:03:22 2014)
>     176.223.126.13 (Sat Aug 09 09:03:25 2014)
>     176.223.126.13 (Sat Aug 09 09:03:26 2014)
>     176.223.126.13 (Sat Aug 09 09:03:26 2014)
>     176.223.126.13 (Sat Aug 09 09:03:27 2014)
>     176.223.126.13 (Sat Aug 09 09:03:27 2014)
>     176.223.126.13 (Sat Aug 09 09:03:28 2014)
>     176.223.126.13 (Sat Aug 09 09:03:28 2014)
>     176.223.126.13 (Sat Aug 09 09:03:28 2014)
> 
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 24 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> 
> Success, the total number of match is 12
> 
> However, look at the above section 'Running tests' which could contain important information.
> ********
> ********
> 
> 
> 
> 
> 
> BUT it seems, that fail2ban does not react on found Iitems, because
>       * no ip's are added to iptables by filter
>         "apache-wplogin-iptables"
>       * no mails are sent by filter "apache-wplogin-iptables"
>       * no entry in Logfile tht something is banned from filter
>         "apache-wplogin-iptables" ( at least 176.223.126.13 should be
>         banned)
> 
> 
> my jail.conf entry:
> *********
> *********
> [apache-wplogin-iptables]
> enabled = true
> filter  = apache-wplogin-iptables
> action  = iptables-multiport[name=apache-wplogin, port="http,https", protocol=tcp]
>           sendmail-whois[name=apache-wplogin, dest=myn...@my..., sender=fai...@my...]
> port    = http,https
> logpath = /home/user/myTestLogFile
> maxretry = 5
> findtime =30
> bantime = 86400
> *********
> *********
> 
> my filter.d/apache-wplogin-iptables.conf:
> *********
> *********
> [Definition]
> failregex = ^<HOST> .* "POST /wp-login
> ignoreregex =
> *********
> *********
> 
> In Debugmode (level 4)  fail2ban detects events, but is not reacting
> on it (see attached Logfile).
> 
> Could you help me please, i dont understand this behavior?
> 
> kind regards
> 
> Florian
> 
> 
> 
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users