The test shows working! But in practice, it doesn't block! I always restart fail2ban with every change to the configuration files.
systemctl restart fail2ban

Regards,

Henrique Fagundes
Linux Support Analyst
[email protected]
Skype: magnata-br-rj
Linux User: 475399
https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://t.me/AprendendoLinux
https://t.me/GrupoAprendendoLinux
______________________________________________________________________
Join the Aprendendo Linux Group
https://listas.aprendendolinux.com/listinfo/aprendendolinux
Or send an e-mail to: [email protected]

---- On Mon, 17 Feb 2020 17:29:48 -0300 Bill Shirley <[email protected]> wrote ----

> Lines: 742 lines, 0 ignored, 73 matched, 669 missed
>
> 73 lines matched. It is working. Don't forget to reload or restart fail2ban.
> Bill
>
> On 2/17/2020 3:18 PM, Henrique Fagundes wrote:
> Hello,
> Unfortunately it didn't work.
> This is the output of my test command:
> [root@www /etc/fail2ban]# fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/drupal-auth.conf
> Running tests
> =============
> Use failregex filter file : drupal-auth, basedir: /etc/fail2ban
> Use log file : /var/log/messages
> Use encoding : UTF-8
> Results
> =======
> Failregex: 73 total
> |- #) [# of hits] regular expression
> | 1) [73] drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*
> `-
> Ignoreregex: 0 total
> Date template hits:
> |- [# of hits] date format
> | [742] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
> Lines: 742 lines, 0 ignored, 73 matched, 669 missed
> [processed in 0.18 sec]
> Missed line(s): too many to print.
> Use --print-all-missed to print all 669 lines

---- On Mon, 17 Feb 2020 16:35:54 -0300 Bill Shirley <[email protected]> wrote ----

> Your failregex isn't even close to matching the log lines in /var/log/messages:
>
> failregex = Submitting address \[<HOST>\] to the firewall
>
> Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login attempt failed for chmviola.
>
> Try this for your filter:
> [Definition]
> #failregex = drupal.*|user|\[<HOST>\]|.*Login attempt failed.*$
> #failregex = drupal.*\[<HOST>\]
> failregex = drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$
> #failregex = drupal.*\|user\|\[<HOST>\].*Login attempt failed.*$
>
> ignoreregex =
> The uncommented failregex works.
>
> My test files are in /root/tmp
> Running command: fail2ban-regex /root/tmp/drupal.messages /root/tmp/drupal.filter.conf
>
> Running tests
> =============
>
> Use failregex file : /root/tmp/drupal.filter.conf
> Use log file : /root/tmp/drupal.messages
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 4 total
> |- #) [# of hits] regular expression
> | 1) [4] drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 5 lines, 0 ignored, 4 matched, 1 missed
> [processed in 0.01 sec]
>
> |- Missed line(s):
> | Feb 17 14:24:46 www drupal[3981]:https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session opened for chmviola
> `-
>
> Your English is good.
> Bill
>
> On 2/17/2020 11:53 AM, Henrique Fagundes wrote:
> Dear Dudi,
> Excuse me!
> Here is the right file:
> https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-auth.conf.txt

---- On Mon, 17 Feb 2020 13:13:10 -0300 Dudi Goldenberg <[email protected]> wrote ----

> Hi,
>
> What is the content of drupal-auth.conf? You pasted drupal-comment.conf.
>
> Regards,
>
> D.
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:[email protected]]
> Sent: Monday, February 17, 2020 17:41
> To: Fail2ban Users <[email protected]>
> Subject: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!
>
> Dear Colleagues,
>
> Good afternoon!
>
> But once, I come to enlist the help of this group. Some will certainly remember me, with the PhpMyAdmin problem that I ended up solving with the update.
>
> Now, I have the same problem with Drupal (and I cannot update it). I can't get fail2ban to stop login attempts with error.
>
> What I find strange is that before migrating from server, it used version 0.9.6-2 of fail2ban in Debian 9.12 and it worked correctly.
>
> I migrated the server to a CentOS 8.1 running fail2ban in version 0.10.5-2. And after that, the lock does not work.
>
> I will share the configuration files with you:
>
> /etc/fail2ban/jail.conf:
> https://temporario.aprendendolinux.com/fail2ban/jail.conf.txt
>
> /etc/fail2ban/filter.d/drupal-auth.conf:
> https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-comment.conf.txt
>
> /var/log/messages:
> https://temporario.aprendendolinux.com/messages.txt
>
> I understand that the correct thing would be for fail2ban to block IP 177.124.244.10 after the third login attempt, but it is not happening.
>
> Can anybody help me?
>
> I apologize for the possible typos. I am Brazilian and I have difficulties with English.
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
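
An added example, not part of the thread and not fail2ban's own code: a Python model of the per-line matching and failure counting discussed above, run over constructed log lines in the pipe-delimited Drupal syslog format quoted in the thread. The pattern, the IPv4-only stand-in for <HOST>, the addresses and the function names are assumptions for illustration; the client address is read only from the fourth field, so address-like text in the message cannot change which host is counted.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical pattern for this example: skip exactly three pipe-terminated
# fields (base URL, timestamp, type) and take the fourth as the client address.
FAILREGEX = r"drupal\[\d+\]: ?(?:[^|]*\|){3}<HOST>\|.*\|Login attempt failed"

# Constructed log lines in the format quoted in the thread (documentation IPs).
PREFIX = "Feb 17 14:18:42 www drupal[3979]: https://example.org/novo|1581949122|user|"
TAIL = "|https://example.org/novo/?q=frontpage|https://example.org/novo/index.php|0||"
SAMPLE_LOG = "\n".join([
    PREFIX + "203.0.113.10" + TAIL + "Login attempt failed for alice.",
    PREFIX + "203.0.113.10" + TAIL + "Login attempt failed for alice.",
    PREFIX + "203.0.113.10" + TAIL + "Session opened for alice",
    # Message text containing another address must not change the counted host.
    PREFIX + "203.0.113.10" + TAIL + "Login attempt failed for bob|198.51.100.7|x.",
    PREFIX + "198.51.100.20" + TAIL + "Login attempt failed for carol.",
])


def count_failures(log_text, failregex=FAILREGEX):
    """Return a Counter of failed-login matches per client address."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    failures = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            failures[match.group("host")] += 1
    return failures


def hosts_to_ban(log_text, maxretry=3):
    """Addresses with at least maxretry matches (findtime is not modelled)."""
    failures = count_failures(log_text)
    return sorted(host for host, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```
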
