Hi,

It would seem that the regex works; I looked at iptables and logwatch, and an IP 
has been banned.


It could be an issue with the scan of the log file for the previous days.


Does Fail2ban have some problem with that?


Thanks for your advice,


Christophe.

________________________________
From: Tony Collins <[email protected]>
Sent: Tuesday, 31 May 2016 16:45:12
To: [email protected]
Subject: Re: [Fail2ban-users] fail2ban doesn't ban

Hi Christophe - I might be missing something here, but I cannot see an 'action' 
defined for the SSH rule



Tony Collins

On 31 May 2016 at 14:57, Christophe Millon <[email protected]> wrote:
Sorry, the configuration file is sshd.conf, and it matches the right addresses; 
here is the test:

  [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11:  \[preauth\]\s*$

 [11] 68 match(es)

 Here is the jail configuration:

ignore ip = x.x.x.x
bantime  = 432000
maxretry = 3
findtime = 21600

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

And here is the fail2ban.log when I restart the service:

fail2ban.jail   : INFO   Jail 'ssh' stopped
2016-05-30 09:06:22,866 fail2ban.server : INFO   Exiting Fail2ban
2016-05-30 09:06:23,202 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2016-05-30 09:06:23,203 fail2ban.jail   : INFO   Creating new jail 'ssh'
2016-05-30 09:06:23,203 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2016-05-30 09:06:23,219 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2016-05-30 09:06:23,219 fail2ban.filter : INFO   Set maxRetry = 3
2016-05-30 09:06:23,220 fail2ban.filter : INFO   Set findtime = 21600
2016-05-30 09:06:23,221 fail2ban.actions: INFO   Set banTime = 432000
2016-05-30 09:06:23,254 fail2ban.jail   : INFO   Jail 'ssh' started

thanks,

Christophe
________________________________________
From: Tom Hendrikx <[email protected]>
Sent: Tuesday, 31 May 2016 13:47:09
To: [email protected]
Subject: Re: [Fail2ban-users] fail2ban doesn't ban

On 31-05-16 11:17, Christophe Millon wrote:
> I have this line in my configuration file
> /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> from <HOST>: 11:  \[preauth\]\s*$

Is this filename 'shd.conf' correct? Does that match your jail config?
Can you show us your jail.conf, and the logging that a restart of
fail2ban produces with the config?

Regards,
        Tom

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Fail2ban-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
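
An added example, not from the thread or from the fail2ban project: a simplified model of why a regex match count on its own does not imply a ban, using the thread's maxretry = 3 and findtime = 21600. The log lines, the scan time NOW and the shortened regex are constructed assumptions; entries older than findtime at scan time are not counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME = 3, 21600              # values from the jail configuration above
NOW = datetime(2016, 5, 31, 9, 0).timestamp()   # constructed scan time

# Shortened stand-in for the sshd failregex above (assumption): syslog prefix,
# then the "Received disconnect ... [preauth]" message, <HOST> as an IPv4 group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Received disconnect from (?P<host>\d+\.\d+\.\d+\.\d+): 11:  \[preauth\]\s*$")

# Constructed auth.log lines using documentation addresses, not from the thread.
SAMPLE = """\
May 28 02:10:01 srv sshd[811]: Received disconnect from 192.0.2.10: 11:  [preauth]
May 28 02:11:01 srv sshd[812]: Received disconnect from 192.0.2.10: 11:  [preauth]
May 28 02:12:01 srv sshd[813]: Received disconnect from 192.0.2.10: 11:  [preauth]
May 31 05:00:00 srv sshd[901]: Received disconnect from 198.51.100.7: 11:  [preauth]
May 31 06:30:00 srv sshd[902]: Received disconnect from 198.51.100.7: 11:  [preauth]
May 31 08:00:00 srv sshd[903]: Received disconnect from 203.0.113.5: 11:  [preauth]
May 31 08:01:00 srv sshd[904]: Received disconnect from 203.0.113.5: 11:  [preauth]
May 31 08:30:00 srv sshd[905]: Accepted publickey for admin from 203.0.113.9
May 31 08:45:00 srv sshd[906]: Received disconnect from 198.51.100.7: 11:  [preauth]
"""

def scan(lines, now=NOW, year=2016):
    """Return (total regex matches, hosts reaching MAXRETRY within FINDTIME)."""
    matches, banned = 0, set()
    recent = defaultdict(deque)            # host -> timestamps of counted failures
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        matches += 1                       # what a regex test run would count
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        if t < now - FINDTIME:             # too old at scan time: not counted
            continue
        q = recent[m["host"]]
        q.append(t)
        while q[0] < t - FINDTIME:         # keep only failures inside the window
            q.popleft()
        if len(q) >= MAXRETRY:
            banned.add(m["host"])
    return matches, banned

if __name__ == "__main__":
    print(scan(SAMPLE.splitlines()))
```

Here eight lines match, but only one host has three failures inside the six-hour window that ends at the scan time.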
