I was able to correct my filter rule by using fail2ban-regex to test my
filter file. The needed filter for my log file was:

# patra-forum-hack.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = cmp
failregex = ^<HOST> .*GET.*/forum/0/index\.html.*
ignoreregex =

fail2ban-regex seems to be the super helpful tool I needed. Thanks for
making such a dynamic tool guys! Much appreciated!
./Ben
On Mon, Dec 29, 2014 at 1:46 PM, Benjamin Bernier <[email protected]> wrote:
> Hi
>
> I am having issues with my filter rule (I believe)
>
> Currently, we are matching the error in the logs and the jail conf is ok
> seeming, but I get no blocks added to iptables. In the fail2ban log I see
> entries like this when the weblog rule is matched:
>
> 2014-12-29 13:43:18,967 fail2ban.filter : WARNING Unable to find a
> corresponding IP address for -
> 2014-12-29 13:43:36,005 fail2ban.filter : WARNING Unable to find a
> corresponding IP address for -
> 2014-12-29 13:44:01,041 fail2ban.filter : WARNING Unable to find a
> corresponding IP address for -
>
> The apache log for a matched request looks like:
>
> 140.237.3.53 - - [29/Dec/2014:13:12:50 -0500] "GET /forum/0/index.html
> HTTP/1.1" 200 35227
>
> The jails.conf rules for this are:
>
> [patra-forum-hack]
>
> enabled = true
> filter = patra-forum-hack
> action = iptables[name=PatraForumHack, port=http, protocol=tcp]
> logpath = /var/log/httpd/patracompany.com-access_log
> maxretry = 2
>
>
> and the filter.d rules are:
>
> # patra-forum-hack.conf
> [INCLUDES]
> before = common.conf
>
> [Definition]
> _daemon = cmp
> failregex = ^[a-zA-Z0-9\.]+ <HOST> .*GET.*/forum/0/index\.html.*
> ignoreregex =
>
>
>
>
> I'm pretty positive there is an issue with my failregex extracting the IP,
> but I'm hoping for some help or a ready doc that can aid in this.
>
> thank you!
> ./Ben
>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
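
Why the first failregex in this thread produced "Unable to find a corresponding IP address for -", as an added example (not code from the thread or from the fail2ban project): the leading `[a-zA-Z0-9\.]+` consumes the client IP, so `<HOST>` lands on the following `-` field. `HOST_GROUP` is a simplified stand-in for fail2ban's `<HOST>` expansion, the function names are hypothetical, and the regex is applied to the whole log line.

```python
import ipaddress
import re

# Simplified stand-in for the host-capturing group fail2ban substitutes
# for <HOST> (assumption; the real expansion varies by fail2ban version).
HOST_GROUP = r"(?P<host>[\w\-.^_]+)"

# The two failregex values from the thread.
OLD_FAILREGEX = r"^[a-zA-Z0-9\.]+ <HOST> .*GET.*/forum/0/index\.html.*"
NEW_FAILREGEX = r"^<HOST> .*GET.*/forum/0/index\.html.*"

# The access-log line quoted in the original message, rejoined onto one line.
SAMPLE_LINE = ('140.237.3.53 - - [29/Dec/2014:13:12:50 -0500] '
               '"GET /forum/0/index.html HTTP/1.1" 200 35227')


def extract_host(failregex, line):
    """Return what the <HOST> group captures, or None if the line does not match."""
    match = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return match.group("host") if match else None


def is_ip_literal(value):
    """True if the captured text is an IPv4/IPv6 address a ban action could use."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check(failregex, line):
    """Summarise a failregex against one line: (matched, captured host, usable)."""
    host = extract_host(failregex, line)
    return (host is not None, host, host is not None and is_ip_literal(host))


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        matched, host, usable = check(rx, SAMPLE_LINE)
        print(f"{name}: matched={matched} host={host!r} usable_ip={usable}")
```

Both patterns match the line, which is why the filter appeared to work; only the captured host differs.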