I don't think the filter will work with your timestamp as it is not
expecting the epoch time after the hh:mm:ss time. You could try
changing

failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

to

failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} \d* )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

Even then I am not sure about the ^%(__prefix_line)s(?: bit without looking at that part of the regex.

Nick

On 29/12/2015 18:14, Bill Shirley wrote:
Have you run?:

fail2ban-regex /var/log/mysql.warn /etc/fail2ban/filter.d/mysqld-auth.conf

Bill

On 12/29/2015 10:38 AM, Michiel Hazelhof wrote:

Hi All,

I am running the current default mysqld-auth filter (https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/mysqld-auth.conf), and for some reason it is banning IP addresses that do not occur in the log file and fails to ban IPs that do occur.

Jail.conf:

[mysqld-iptables]
enabled = true
banaction = iptables-allports
port = 1:65535
filter = mysqld-auth
logpath = /var/log/mysql.warn
bantime = 604800
findtime = 86400
maxretry = 5

mysql.warn (not banned, 148 attempts):

2015-12-29 9:58:48 140359785273088 [Warning] Access denied for user 'root'@'216.99.157.170' (using password: YES)

fail2ban.log (banned, but does not occur in mysql.warn):

2015-12-29 16:32:31,127 fail2ban.actions [8772]: NOTICE [mysqld-iptables] Ban 155.94.224.210

Could anybody help me figure out what is going wrong?

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
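Added example, not part of the thread and not fail2ban code: a small Python harness that runs the two failregex variants quoted above against the posted mysql.warn line, once as logged and once with the leading date removed. The IPv4 group standing in for <HOST>, the whitespace-only stand-in for %(__prefix_line)s, and the date-removed input are assumptions made for this example; fail2ban-regex remains the authoritative check.

```python
import re

# Assumption: fail2ban's <HOST> tag is modelled by a plain IPv4 capture group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: %(__prefix_line)s is modelled as optional leading whitespace only.
PREFIX = r"\s*"

# Part of the failregex that is identical in both variants from the thread.
TAIL = (r"\[Warning\] Access denied for user '\w+'@'<HOST>' "
        r"(to database '[^']*'|\(using password: (YES|NO)\))*\s*$")

# Optional timestamp groups: the shipped filter and the change proposed in the reply.
ORIGINAL = r"(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?"
PROPOSED = r"(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} \d* )?"

# Log line copied from the original post.
RAW = ("2015-12-29 9:58:48 140359785273088 [Warning] Access denied for user "
       "'root'@'216.99.157.170' (using password: YES)")
# Constructed input: the same line with the leading date and time dropped,
# leaving the long numeric field in front of [Warning].
STRIPPED = RAW.split(" ", 2)[2]


def build(optional_group):
    """Assemble one failregex variant with the stand-ins substituted."""
    pattern = "^" + PREFIX + optional_group + TAIL
    return re.compile(pattern.replace("<HOST>", HOST))


def check(optional_group, line):
    """Return the captured host if the variant matches the line, else None."""
    match = build(optional_group).search(line)
    return match.group("host") if match else None


def report():
    """Match both variants against both inputs and collect the results."""
    variants = {"original": ORIGINAL, "proposed": PROPOSED}
    inputs = {"raw": RAW, "date removed": STRIPPED}
    return {(v, i): check(group, line)
            for v, group in variants.items()
            for i, line in inputs.items()}


if __name__ == "__main__":
    for (variant, kind), host in report().items():
        print(f"{variant:9} | {kind:12} | {host or 'no match'}")
```

Under these stand-ins neither variant matches the line while the ISO-style date is still in front, and both capture the host once it is gone, so the outcome depends on whether the timestamp is recognised and removed before the failregex is applied.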