It is correct because I test failing phpmyadmin logins for example ... And it works! It blocks!
Sincerely,
Henrique Fagundes
Linux Support Analyst
[email protected]
Skype: magnata-br-rj
Linux User: 475399
https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://t.me/AprendendoLinux
https://t.me/GrupoAprendendoLinux
______________________________________________________________________
Join the Aprendendo Linux group
https://listas.aprendendolinux.com/listinfo/aprendendolinux
Or send an e-mail to: [email protected]

---- On Mon, 17 Feb 2020 17:53:34 -0300 Bill Shirley <[email protected]> wrote ----

> According to your jail, you need 3 failures (maxretry) within 6 hours (findtime) for it to ban. Can you trigger failed logins yourself to test? I'm not sure your bantime = -1 is correct.
>
> Bill
>
> On 2/17/2020 3:34 PM, Henrique Fagundes wrote:
> The test shows working! But in practice, it doesn't block!
> I always restart fail2ban with every change to the configuration files.
> systemctl restart fail2ban
>
> ---- On Mon, 17 Feb 2020 17:29:48 -0300 Bill Shirley <[email protected]> wrote ----
>
> Lines: 742 lines, 0 ignored, 73 matched, 669 missed
>
> 73 lines matched. It is working. Don't forget to reload or restart fail2ban.
>
> Bill
>
> On 2/17/2020 3:18 PM, Henrique Fagundes wrote:
> Hello,
> Unfortunately it didn't work.
> This is the output of my test command:
>
> [root@www /etc/fail2ban]# fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/drupal-auth.conf
>
> Running tests
> =============
>
> Use failregex filter file : drupal-auth, basedir: /etc/fail2ban
> Use log file : /var/log/messages
> Use encoding : UTF-8
>
> Results
> =======
>
> Failregex: 73 total
> |- #) [# of hits] regular expression
> | 1) [73] drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [742] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 742 lines, 0 ignored, 73 matched, 669 missed
> [processed in 0.18 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all 669 lines
>
> ---- On Mon, 17 Feb 2020 16:35:54 -0300 Bill Shirley <[email protected]> wrote ----
>
> Your failregex isn't even close to matching the log lines in /var/log/messages:
>
> failregex = Submitting address \[<HOST>\] to the firewall
>
> Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login attempt failed for chmviola.
>
> Try this for your filter:
>
> [Definition]
> #failregex = drupal.*|user|\[<HOST>\]|.*Login attempt failed.*$
> #failregex = drupal.*\[<HOST>\]
>
> failregex = drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$
>
> #failregex = drupal.*\|user\|\[<HOST>\].*Login attempt failed.*$
>
> ignoreregex =
>
> The uncommented failregex works.
>
> My test files are in /root/tmp
>
> Running command: fail2ban-regex /root/tmp/drupal.messages /root/tmp/drupal.filter.conf
>
> Running tests
> =============
>
> Use failregex file : /root/tmp/drupal.filter.conf
> Use log file : /root/tmp/drupal.messages
> Use encoding : UTF-8
>
> Results
> =======
>
> Failregex: 4 total
> |- #) [# of hits] regular expression
> | 1) [4] drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 5 lines, 0 ignored, 4 matched, 1 missed
> [processed in 0.01 sec]
>
> |- Missed line(s):
> | Feb 17 14:24:46 www drupal[3981]:https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session opened for chmviola
> `-
>
> Your English is good.
>
> Bill
>
> On 2/17/2020 11:53 AM, Henrique Fagundes wrote:
> Dear Dudi,
> Excuse me!
> Here is the right file:
> https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-auth.conf.txt
>
> ---- On Mon, 17 Feb 2020 13:13:10 -0300 Dudi Goldenberg <[email protected]> wrote ----
>
> Hi,
>
> What is the content of drupal-auth.conf? You pasted drupal-comment.conf.
>
> Regards,
>
> D.
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:[email protected]]
> Sent: Monday, February 17, 2020 17:41
> To: Fail2ban Users <[email protected]>
> Subject: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!
>
> Dear Colleagues,
>
> Good afternoon!
>
> But once, I come to enlist the help of this group. Some will certainly remember me, with the PhpMyAdmin problem that I ended up solving with the update.
>
> Now, I have the same problem with Drupal (and I cannot update it). I can't get fail2ban to stop login attempts with error.
>
> What I find strange is that before migrating from server, it used version 0.9.6-2 of fail2ban in Debian 9.12 and it worked correctly.
>
> I migrated the server to a CentOS 8.1 running fail2ban in version 0.10.5-2. And after that, the lock does not work.
>
> I will share the configuration files with you:
>
> /etc/fail2ban/jail.conf:
> https://temporario.aprendendolinux.com/fail2ban/jail.conf.txt
>
> /etc/fail2ban/filter.d/drupal-auth.conf:
> https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-comment.conf.txt
>
> /var/log/messages:
> https://temporario.aprendendolinux.com/messages.txt
>
> I understand that the correct thing would be for fail2ban to block IP 177.124.244.10 after the third login attempt, but it is not happening.
>
> Can anybody help me?
>
> I apologize for the possible typos. I am Brazilian and I have difficulties with English.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
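
An added example, not part of the thread: the fail2ban-regex summaries above count matching lines, so this sketch checks what a failregex would capture as the host on the two log lines quoted in the thread. `<HOST>` is replaced by a simplified IPv4-or-hostname pattern (an assumption, not fail2ban's actual expansion), and `FIELD_REGEX` is a hypothetical pipe-anchored alternative.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real expansion
# is more elaborate, e.g. IPv6). Like the real tag, it also accepts a DNS name.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w\-.]*\w)"

# failregex quoted in the thread.
THREAD_REGEX = r"drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$"
# Hypothetical alternative: skip three pipe-delimited fields, then read the IP.
FIELD_REGEX = r"drupal\[\d+\]:\s*(?:[^|]*\|){3}<HOST>\|.*Login attempt failed"

# The two log lines quoted in the thread.
FAILED = ("Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo"
          "|1581949122|user|177.124.244.10"
          "|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage"
          "|https://www.clubenaval.org.br/novo/index.php|0||"
          "Login attempt failed for chmviola.")
OPENED = ("Feb 17 14:24:46 www drupal[3981]:https://www.clubenaval.org.br/novo"
          "|1581949486|user|177.124.244.10"
          "|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365"
          "|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||"
          "Session opened for chmviola")

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}\Z")


def captured_host(failregex, line):
    """Return what the failregex captures as the host, or None if no match."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def audit(failregex, lines):
    """Per line: (matched?, captured host, whether that host is an IPv4 address)."""
    report = []
    for line in lines:
        host = captured_host(failregex, line)
        report.append((host is not None, host, bool(host and IPV4.match(host))))
    return report


if __name__ == "__main__":
    for name, rx in (("thread", THREAD_REGEX), ("field-anchored", FIELD_REGEX)):
        for matched, host, is_ip in audit(rx, [FAILED, OPENED]):
            print(f"{name:15} matched={matched!s:5} host={host!r:18} ipv4={is_ip}")
```

With this stand-in, the thread's pattern matches the failed-login line but captures `3979`, the PID in `drupal[3979]`, while the field-anchored pattern captures `177.124.244.10`.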
