-------- Original Message --------
*Subject: * [Fail2ban-users] fail2ban not banning "matched" IPs from vsftp log
*From: * Schwarztees Via Fail2ban-users
<fail2ban-users@lists.sourceforge.net>
*To: * Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: * 2022-3-9 07:05 AM
<https://serverfault.com/posts/1095745/timeline>
Using fail2ban to secure the vsftp login:
jail.local
    [vsftpd]
    enabled = true
    bantime = 600
    findtime = 5000
    maxretry = 1
    port = ftp,ftp-data
    action = iptables-multiport
    logpath = /var/log/vsftpd/vsftpd.log
Regex is matching, as you can see here:
    fail2ban-regex /var/log/vsftpd/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf --print-all-matched
    Running tests
    =============

    Use failregex filter file : vsftpd, basedir: /etc/fail2ban
    Use datepattern : {^LN-BEG} : Default Detectors
    Use log file : /var/log/vsftpd/vsftpd.log
    Use encoding : UTF-8

    Results
    =======

    Failregex: 23 total
    |- #) [# of hits] regular expression
    |  2) [23] ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [385] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
    `-

    Lines: 385 lines, 0 ignored, 23 matched, 362 missed
    [processed in 0.03 sec]

    |- Matched line(s):
    |  Wed Mar 9 08:36:06 2022 [pid 2619415] [bla] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:13 2022 [pid 2619420] [bla] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:18 2022 [pid 2619422] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:30 2022 [pid 2619425] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:37 2022 [pid 2619508] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:45 2022 [pid 2619511] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:36:53 2022 [pid 2619514] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:47:39 2022 [pid 2620744] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:47:47 2022 [pid 2620746] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:47:55 2022 [pid 2620748] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:48:03 2022 [pid 2620763] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:48:12 2022 [pid 2620767] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:48:12 2022 [pid 2620766] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:55:07 2022 [pid 2621558] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:55:15 2022 [pid 2621560] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:55:23 2022 [pid 2621562] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:55:23 2022 [pid 2621564] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 08:55:26 2022 [pid 2621566] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 09:36:56 2022 [pid 2627379] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 09:37:48 2022 [pid 2627498] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 09:37:57 2022 [pid 2627500] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 09:37:57 2022 [pid 2627501] [blaas] FAIL LOGIN: Client "some_IP"
    |  Wed Mar 9 09:37:58 2022 [pid 2627504] [blaas] FAIL LOGIN: Client "some_IP"
    `-
    Missed line(s): too many to print. Use --print-all-missed to print all 362 lines
Checking with fail2ban cli / fail2ban-client status vsftpd
    Status for the jail: vsftpd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned: 0
       `- Banned IP list:
Any idea what may cause this not banning the "matched" IPs / how to debug
further?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Try maxretry = 0 and see what happens.
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com