Hello,
Unfortunately it didn't work.
This is the output of my test command:
[root@www /etc/fail2ban]# fail2ban-regex /var/log/messages
/etc/fail2ban/filter.d/drupal-auth.conf
Running tests
=============
Use failregex filter file : drupal-auth, basedir: /etc/fail2ban
Use log file : /var/log/messages
Use encoding : UTF-8
Results
=======
Failregex: 73 total
|- #) [# of hits] regular expression
| 1) [73] drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [742] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?:
ExYear)?
`-
Lines: 742 lines, 0 ignored, 73 matched, 669 missed
[processed in 0.18 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 669
lines
---- Ativado Seg, 17 fev 2020 16:35:54 -0300 Bill Shirley
<[email protected]> escreveu ----
> Your failregex isn't even close to matching the log lines in
> /var/log/messages:
>
> failregex = Submitting address \[<HOST>\] to the firewallFeb 17 14:18:42
> www drupal[3979]:
> https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login
> attempt failed for chmviola. Try this for your filter:
> [Definition]
> #failregex = drupal.*|user|\[<HOST>\]|.*Login attempt
> failed.*$
> #failregex = drupal.*\[<HOST>\]
> failregex = drupal([^|]*){3}\[<HOST>\].*Login attempt
> failed.*$
> #failregex = drupal.*\|user\|\[<HOST>\].*Login attempt
> failed.*$
>
> ignoreregex =
> The uncommented failregex works.
>
> My test files are in /root/tmp
> Running command: fail2ban-regex /root/tmp/drupal.messages
> /root/tmp/drupal.filter.conf
>
> Running tests
> =============
>
> Use failregex file : /root/tmp/drupal.filter.conf
> Use log file : /root/tmp/drupal.messages
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 4 total
> |- #) [# of hits] regular expression
> | 1) [4] drupal([^|]*){3}\[<HOST>\].*Login attempt
> failed.*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [5] {^LN-BEG}(?:DAY )?MON Day
> %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 5 lines, 0 ignored, 4 matched, 1 missed
> [processed in 0.01 sec]
>
> |- Missed line(s):
> | Feb 17 14:24:46 www
> drupal[3981]:https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session
> opened for chmviola
> `-
>
> Your English is good.
> Bill
>
> On 2/17/2020 11:53 AM, Henrique Fagundes wrote:
> Dear Dudi,Excuse me!Here is the right
> file:https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-auth.conf.txt
> ---- Ativado Seg, 17 fev 2020 13:13:10 -0300 Dudi Goldenberg
> <[email protected]> escreveu ---- > Hi, > > What is the content of
> drupal-auth.conf? You pasted drupal-comment.conf. > > Regards, > > D. > >
> -----Original Message----- > From: Henrique Fagundes
> [mailto:[email protected]] > Sent: Monday, February 17, 2020
> 17:41 > To: Fail2ban Users <[email protected]> > Subject:
> [Fail2ban-users] Blocking Logins in Drupal 7 does not work! > > ​Dear
> Colleagues, > > Good afternoon! > > But once, I come to enlist the help of
> this group. Some will certainly remember me, with the PhpMyAdmin problem
> that I ended up solving with the update. > > Now, I have the same problem
> with Drupal (and I cannot update it). I can't get fail2ban to stop login
> attempts with error. > > What I find strange is that before migrating from
> server, it used version 0.9.6-2 of fail2ban in Debian 9.12 and it worked
> correctly. > > I migrated the server to a CentOS 8.1 running fail2ban in
> version 0.10.5-2. And after that, the lock does not work. > > I will share
> the configuration files with you: > > /etc/fail2ban/jail.conf: >
> https://temporario.aprendendolinux.com/fail2ban/jail.conf.txt > >
> /etc/fail2ban/filter.d/drupal-auth.conf: >
> https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-comment.conf.txt
> > > /var/log/messages: >
> https://temporario.aprendendolinux.com/messages.txt > > I understand that
> the correct thing would be for fail2ban to block IP 177.124.244.10 after the
> third login attempt, but it is not happening. > > can anybody help me? > >
> I apologize for the possible typos. I am Brazilian and I have difficulties
> with English. > > > _______________________________________________ >
> Fail2ban-users mailing list > [email protected] >
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >_______________________________________________Fail2ban-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
