From: Charles B. <cha...@nt...> - 2014-08-10 09:27:53

What's in your syslog with the same/close time stamp? Are you running SELinux?

On Sat, 2014-08-09 at 10:59 +0200, reg...@un... wrote:
> Dear Members
>
> We have been running fail2ban for some time on our webservers, and it
> works great with some of the default implemented filters!
>
> Now I have added a new filter definition
> ("apache-wplogin-iptables.conf") in filter.d and activated it in
> jail.conf.
>
> fail2ban.log says that the filter is successfully activated:
> *********
> *********
> 2014-08-09 09:36:02,851 fail2ban.jail : INFO Creating new jail 'apache-wplogin-iptables'
> 2014-08-09 09:36:02,852 fail2ban.jail : INFO Jail 'apache-wplogin-iptables' uses Gamin
> 2014-08-09 09:36:02,952 fail2ban.filter : INFO Added logfile = /home/user/myTestLogFile
> 2014-08-09 09:36:03,053 fail2ban.filter : INFO Set maxRetry = 5
> 2014-08-09 09:36:04,160 fail2ban.filter : INFO Set findtime = 30
> 2014-08-09 09:36:04,261 fail2ban.actions: INFO Set banTime = 86400
> *********
> *********
>
> Even iptables added the expected chain:
> *********
> *********
> Chain fail2ban-apache-wplogin (1 references)
> num target prot opt source destination
> 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
> *********
> *********
>
> fail2ban is sending the start email as expected:
> *********
> *********
> Hi,
> The jail apache-wplogin has been started successfully.
> Regards,
> Fail2Ban
> *********
> *********
>
> I have also checked the failregex successfully with my test logfile by
> using fail2ban-regex:
> fail2ban-regex /home/user/myTestLogFile /etc/fail2ban/filter.d/apache-wplogin-iptables.conf
> ********
> ********
> Running tests
> =============
> Use regex file : /etc/fail2ban/filter.d/apache-wplogin-iptables.conf
> Use log file : /home/fja/access_log2
>
> Results
> =======
> Failregex
> |- Regular expressions:
> | [1] ^<HOST> .* "POST /wp-login
> |
> `- Number of matches:
> [1] 12 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
> Addresses found:
> [1]
> 176.223.126.13 (Sat Aug 09 09:03:17 2014)
> 176.223.126.13 (Sat Aug 09 09:03:18 2014)
> 176.223.126.13 (Sat Aug 09 09:03:21 2014)
> 176.223.126.13 (Sat Aug 09 09:03:22 2014)
> 176.223.126.13 (Sat Aug 09 09:03:25 2014)
> 176.223.126.13 (Sat Aug 09 09:03:26 2014)
> 176.223.126.13 (Sat Aug 09 09:03:26 2014)
> 176.223.126.13 (Sat Aug 09 09:03:27 2014)
> 176.223.126.13 (Sat Aug 09 09:03:27 2014)
> 176.223.126.13 (Sat Aug 09 09:03:28 2014)
> 176.223.126.13 (Sat Aug 09 09:03:28 2014)
> 176.223.126.13 (Sat Aug 09 09:03:28 2014)
>
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 24 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
>
> Success, the total number of match is 12
>
> However, look at the above section 'Running tests' which could contain important information.
> ********
> ********
>
> BUT it seems that fail2ban does not react to the found items, because
> * no IPs are added to iptables by filter "apache-wplogin-iptables"
> * no mails are sent by filter "apache-wplogin-iptables"
> * no entry in the logfile that something is banned by filter
>   "apache-wplogin-iptables" (at least 176.223.126.13 should be banned)
>
> My jail.conf entry:
> *********
> *********
> [apache-wplogin-iptables]
> enabled = true
> filter = apache-wplogin-iptables
> action = iptables-multiport[name=apache-wplogin, port="http,https", protocol=tcp]
>          sendmail-whois[name=apache-wplogin, dest=myn...@my..., sender=fai...@my...]
> port = http,https
> logpath = /home/user/myTestLogFile
> maxretry = 5
> findtime =30
> bantime = 86400
> *********
> *********
>
> My filter.d/apache-wplogin-iptables.conf:
> *********
> *********
> [Definition]
> failregex = ^<HOST> .* "POST /wp-login
> ignoreregex =
> *********
> *********
>
> In debug mode (level 4) fail2ban detects events, but is not reacting
> to them (see attached logfile).
>
> Could you help me please, I don't understand this behavior?
>
> Kind regards
>
> Florian
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
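
An added example, not part of the thread and not fail2ban's own code: a simplified model of how `maxretry = 5` and `findtime = 30` from the jail above are counted over the 12 timestamps that fail2ban-regex reported. The access-log lines are constructed, `<HOST>` is replaced by a plain IPv4 group, and a ban at `>= maxretry` failures inside the window, measured on log timestamps only, is an assumption of the model.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter and jail values copied from the thread.
FAILREGEX = r'^<HOST> .* "POST /wp-login'
MAXRETRY = 5
FINDTIME = timedelta(seconds=30)

# Assumption: <HOST> is modelled as a plain IPv4 capture group;
# fail2ban's real expansion also accepts hostnames.
LINE_RE = re.compile(
    FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
# Day/MONTH/Year:Hour:Minute:Second, the date template that hit in the thread.
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

# Constructed access-log lines built from the 12 timestamps in the summary,
# plus one constructed non-matching request from a documentation address.
SECONDS = [17, 18, 21, 22, 25, 26, 26, 27, 27, 28, 28, 28]
SAMPLE_LOG = [
    f'176.223.126.13 - - [09/Aug/2014:09:03:{s:02d} +0200] '
    f'"POST /wp-login.php HTTP/1.1" 200 3010'
    for s in SECONDS
] + ['192.0.2.7 - - [09/Aug/2014:09:03:29 +0200] "GET /index.php HTTP/1.1" 200 512']


def first_ban_times(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: log time at which maxretry failures fell inside findtime}."""
    recent = defaultdict(deque)  # host -> failure times still inside the window
    bans = {}
    for line in lines:
        m, d = LINE_RE.search(line), DATE_RE.search(line)
        if not (m and d):
            continue  # line does not match the failregex or carries no date
        host = m.group("host")
        ts = datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S")
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in first_ban_times(SAMPLE_LOG).items():
        print(f"{host} reaches maxretry at {when:%H:%M:%S}")
```
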