Hi Steve

First, thanks for your reply and sorry it has taken me so long to get back to you, but there are reasons for that which I will explain below.

The first thing is that after I read your response I did quite a bit of further investigation. In my version of fail2ban the jail that I was referring to was named [apache], and in your response you referred to apache-auth. When I ran

fail2ban-client status

apache was one of the jails that were in the list, but that got me thinking: was the apache jail in iptables? To find this out I ran

iptables --list

which displays all the current chains in iptables. There was no corresponding chain in iptables for the apache jail, which got me thinking maybe apache was a reserved word in iptables, and as iptables is what actually does the blocking of the offending IP address, if there is no chain to do the blocking there is no actual blocking. So I changed the name of the jail to [apache-auth] and restarted fail2ban, which on my system automatically restarts iptables, and both the jail and chain were created for apache-auth. However, since then there have been none of the offending entries in my error log to see if that fixed the problem. I guess that it is a waiting game for now.
-------- Forwarded Message --------
Subject: Re: [Fail2ban-users] apache-auth not banning
Date: Sat, 12 Sep 2015 19:33:28 +0100
From: Steve Rowe <[email protected]>
To: [email protected]

Hi Alan,

Have you confirmed that the apache-auth jail is running?

fail2ban-client status

This should list all the bans in place. Also take a look at /var/log/fail2ban.log and see if it's reporting anything unusual. I often keep the log tailing so I can see what's happening in real time:

tailf /var/log/fail2ban.log

You should see log entries like:

2015-09-12 13:58:43,545 fail2ban.actions [30854]: NOTICE [sasl-iptables] Ban 196.46.124.16
2015-09-12 14:02:15,463 fail2ban.filter [30854]: INFO [sasl-iptables] Found 80.97.51.238
2015-09-12 14:02:16,404 fail2ban.actions [30854]: NOTICE [sasl-iptables] Ban 80.97.51.238
2015-09-12 14:27:07,143 fail2ban.filter [30854]: INFO [sasl-iptables] Found 180.250.214.34
2015-09-12 14:27:07,316 fail2ban.actions [30854]: NOTICE [sasl-iptables] Ban 180.250.214.34
2015-09-12 14:31:21,462 fail2ban.filter [30854]: INFO [sasl-iptables] Found 199.58.185.178
2015-09-12 14:31:21,931 fail2ban.actions [30854]: NOTICE [sasl-iptables] Ban 199.58.185.178
2015-09-12 14:32:46,606 fail2ban.filter [30854]: INFO [sasl-iptables] Found 85.17.254.209
2015-09-12 14:32:47,135 fail2ban.actions [30854]: NOTICE [sasl-iptables] Ban 85.17.254.209

Obviously these are for sasl-iptables, and I am not as lenient as you with the 4 bans, I ban after the 2nd. ;) But you get the idea. To be honest, I am naff with regex so cannot confirm that part of the mail, but the above is where I would start. Sorry if this is stating the obvious. ;)

Steve

On 12/09/2015 18:28, AllanIT wrote:

Hi All

I have fail2ban 0.8.14 installed on Ubuntu 14.04.2. When I run fail2ban-regex for my error.log and apache-auth.conf it reports there is 1 hit for the 1 regular expression. The jail is set to find 4 occurrences in 6 hours. In the log there are 10 occurrences in 2 minutes, but the apache jail did not ban the IP address. Does anyone have any idea why the apache jail is not banning?

Jail

[apache]
# I set to true to see
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
# set by allan.cheesman
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hour
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4

apache-auth.conf

# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication
# however apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# Author: Cyril Jaquier
# Major edits by Daniel Black

error Log file

[Sat Sep 12 20:53:46.185904 2015] [authz_core:error] [pid 23733] [client 31.184.238.11:53302] AH01630: client denied by server configuration: /home/mysite/public_html/tag, referer: http://redi.it/treatments/
[Sat Sep 12 20:53:55.811631 2015] [authz_core:error] [pid 2168] [client 31.184.238.11:57409] AH01630: client denied by server configuration: /home/mysite/public_html/, referer: http://redi.it/treatments/
[Sat Sep 12 20:53:56.701916 2015] [authz_core:error] [pid 15746] [client 31.184.238.11:57775] AH01630: client denied by server configuration: /home/mysite/public_html/tag, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:00.586114 2015] [authz_core:error] [pid 2166] [client 31.184.238.11:58081] AH01630: client denied by server configuration: /home/mysite/public_html/, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:02.767320 2015] [authz_core:error] [pid 19042] [client 31.184.238.11:59928] AH01630: client denied by server configuration: /home/mysite/public_html/tag, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:03.612824 2015] [authz_core:error] [pid 24603] [client 31.184.238.11:60229] AH01630: client denied by server configuration: /home/mysite/public_html/, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:13.511761 2015] [authz_core:error] [pid 10743] [client 31.184.238.11:60580] AH01630: client denied by server configuration: /home/mysite/public_html/tag, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:18.354814 2015] [authz_core:error] [pid 15747] [client 31.184.238.11:49771] AH01630: client denied by server configuration: /home/mysite/public_html/, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:19.207194 2015] [authz_core:error] [pid 2168] [client 31.184.238.11:50171] AH01630: client denied by server configuration: /home/mysite/public_html/tag, referer: http://redi.it/treatments/
[Sat Sep 12 20:54:21.284167 2015] [authz_core:error] [pid 22691] [client 31.184.238.11:50488] AH01630: client denied by server configuration: /home/mysite/public_html/, referer: http://redi.it/treatments/
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
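Editor's added example (not code from the thread and not fail2ban's own code): the script below separates the two questions the thread is circling, whether the filter matches at all and whether the jail's findtime/maxretry counting would then trip. It takes the AH01630 expression exactly as it appears in the posted apache-auth.conf and runs it against the ten error-log lines from the post, then replays the jail settings from the post (findtime 21600, maxretry 4) per client IP. The prefix regex is a hand-written stand-in for %(_apache_error_client)s (assumption: it behaves like the one in fail2ban's apache-common.conf for these lines, with <HOST> as a named group). The second expression, which allows an optional ", referer: ..." tail, is my addition for comparison, since the posted lines all end in a referer and the posted pattern ends in \S*\s*$, which leaves no room for the space after the comma.

```python
"""Check the posted apache-auth AH01630 failregex against the posted error-log
lines, then replay the jail's findtime/maxretry window per client IP.

Added example, not fail2ban code. APACHE_ERROR_CLIENT is an assumed stand-in
for %(_apache_error_client)s from apache-common.conf.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed stand-in for %(_apache_error_client)s; <HOST> becomes group "host"
# and the leading bracketed timestamp becomes group "ts".
APACHE_ERROR_CLIENT = (
    r"\[(?P<ts>[^\]]*)\] \[(?:error|\S+:\S+)\](?: \[pid \d+(?::\S+ \d+)?\])?"
    r" \[client (?P<host>[\w\-.]+)(?::\d{1,5})?\]"
)

# The AH01630 expression exactly as posted in apache-auth.conf.
POSTED = re.compile(
    "^" + APACHE_ERROR_CLIENT
    + r" (?:AH(?:01797|01630): )?client denied by server configuration: (?:uri )?\S*\s*$"
)

# Same expression with an optional referer tail (my addition, for comparison).
WITH_REFERER = re.compile(
    "^" + APACHE_ERROR_CLIENT
    + r" (?:AH(?:01797|01630): )?client denied by server configuration:"
    + r" (?:uri )?\S*(?:, referer: \S+)?\s*$"
)

# Sample input: the ten lines copied from Alan's post (paths stay as posted).
_PREFIX = "[client 31.184.238.11:%s] AH01630: client denied by server configuration: /home/mysite/public_html/%s, referer: http://redi.it/treatments/"
LOG_LINES = [
    "[Sat Sep 12 20:53:46.185904 2015] [authz_core:error] [pid 23733] " + _PREFIX % ("53302", "tag"),
    "[Sat Sep 12 20:53:55.811631 2015] [authz_core:error] [pid 2168] " + _PREFIX % ("57409", ""),
    "[Sat Sep 12 20:53:56.701916 2015] [authz_core:error] [pid 15746] " + _PREFIX % ("57775", "tag"),
    "[Sat Sep 12 20:54:00.586114 2015] [authz_core:error] [pid 2166] " + _PREFIX % ("58081", ""),
    "[Sat Sep 12 20:54:02.767320 2015] [authz_core:error] [pid 19042] " + _PREFIX % ("59928", "tag"),
    "[Sat Sep 12 20:54:03.612824 2015] [authz_core:error] [pid 24603] " + _PREFIX % ("60229", ""),
    "[Sat Sep 12 20:54:13.511761 2015] [authz_core:error] [pid 10743] " + _PREFIX % ("60580", "tag"),
    "[Sat Sep 12 20:54:18.354814 2015] [authz_core:error] [pid 15747] " + _PREFIX % ("49771", ""),
    "[Sat Sep 12 20:54:19.207194 2015] [authz_core:error] [pid 2168] " + _PREFIX % ("50171", "tag"),
    "[Sat Sep 12 20:54:21.284167 2015] [authz_core:error] [pid 22691] " + _PREFIX % ("50488", ""),
]


def match_line(regex, line):
    """Return (host, timestamp) if the line matches the failregex, else None."""
    m = regex.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return m.group("host"), ts


def count_matches(regex, lines):
    """How many lines fail2ban-regex would report as hits for this expression."""
    return sum(1 for line in lines if regex.match(line))


def replay_jail(regex, lines, findtime=21600, maxretry=4):
    """Replay the jail's counting: a host is banned at the timestamp of the
    maxretry-th failure that falls inside a sliding findtime window.
    Returns {host: ban_time}. Hosts already banned are not counted again."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = match_line(regex, line)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=findtime):
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("with referer", WITH_REFERER)):
        print("%-13s hits=%d bans=%s" % (name, count_matches(rx, LOG_LINES), replay_jail(rx, LOG_LINES)))
```

On these lines the posted expression yields zero hits and therefore no ban, while the referer-tolerant variant matches all ten and bans 31.184.238.11 on the fourth hit at 20:54:00, well inside findtime. Whatever fail2ban-regex reports for the real files (fail2ban-regex /var/log/virtualmin/site_error_log /etc/fail2ban/filter.d/apache-auth.conf), that run only exercises the filter; the iptables chain Alan went looking for belongs to the jail's action, which is a separate thing to verify.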