Re: [arch-general] Archlinux fail2ban not working

2019-11-09 Thread Ralph Corderoy
Hi Maykel,

> > > > failregex = ^\S+: Unknown User .* \(<HOST>\)$
> > >
> > > Thanks for your help, but it's not working...
> > > https://imgur.com/a/w0F2JSC
> >
> > That image shows
> >
> > Unknown User .* \(<HOST>:.*\)
> >
> > but that's not what I suggested, e.g. you have a colon after the <HOST>
> > and as there is no colon in ‘(109.103.148.2)’ then the regexp is not
> > going to match.
>
> What you suggested didn't work either.
>
> https://imgur.com/a/sNN5dL0

You still aren't trying what I suggested.  The regexp I'm suggesting is
for fail2ban.  It can't be put into regex101.com unaltered.  Nor can the
test input be the line to match against because fail2ban alters it
before applying the regular expression.

I suggest you test and develop the regexp you want using fail2ban,
e.g. fail2ban-regex.

-- 
Cheers, Ralph.


Re: [arch-general] Archlinux fail2ban not working

2019-11-02 Thread Maykel Franco via arch-general
On Sat, 2 Nov 2019 at 00:51, Ralph Corderoy
() wrote:
>
> Hi Maykel,
>
> > > How about
> > >
> > > failregex = ^\S+: Unknown User .* \(<HOST>\)$
> >
> > Thanks for your help, but it's not working...
> > https://imgur.com/a/w0F2JSC
>
> That image shows
>
> Unknown User .* \(<HOST>:.*\)
>
> but that's not what I suggested, e.g. you have a colon after the <HOST>
> and as there is no colon in ‘(109.103.148.2)’ then the regexp is not
> going to match.
>
> --
> Cheers, Ralph.



What you suggested didn't work either.

https://imgur.com/a/sNN5dL0


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Ralph Corderoy
Hi Maykel,

> > How about
> >
> > failregex = ^\S+: Unknown User .* \(<HOST>\)$
>
> Thanks for your help, but it's not working...
> https://imgur.com/a/w0F2JSC

That image shows

Unknown User .* \(<HOST>:.*\)

but that's not what I suggested, e.g. you have a colon after the <HOST>
and as there is no colon in ‘(109.103.148.2)’ then the regexp is not
going to match.

-- 
Cheers, Ralph.


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Sat, 2 Nov 2019 at 00:13, Maykel Franco
() wrote:
>
> On Fri, 1 Nov 2019 at 19:20, Ralph Corderoy
> () wrote:
> >
> > Hi Maykel,
> >
> > I don't use fail2ban, but I've just skimmed
> > https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
> > You may find the ‘debuggex’ reference useful.
> >
> > > failregex = Unknown User .* \(<HOST>:.*\)
> > ...
> > > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > ...
> > > Date template hits:
> > > |- [# of hits] date format
> > > |  [6] {^LN-BEG}24hour:Minute:Second
> >
> > I take that to mean it was happy with the timestamp.
> >
> > > failregex = Unknown User .* \(<HOST>:.*\)
> >
> > How about
> >
> > failregex = ^\S+: Unknown User .* \(<HOST>\)$
> >
> > --
> > Cheers, Ralph.
>
> Thanks for your help, but it's not working...
>
> https://imgur.com/a/w0F2JSC

It works with only:

failregex = Unknown User .* \(<HOST>\)


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Fri, 1 Nov 2019 at 19:20, Ralph Corderoy
() wrote:
>
> Hi Maykel,
>
> I don't use fail2ban, but I've just skimmed
> https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
> You may find the ‘debuggex’ reference useful.
>
> > failregex = Unknown User .* \(<HOST>:.*\)
> ...
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> ...
> > Date template hits:
> > |- [# of hits] date format
> > |  [6] {^LN-BEG}24hour:Minute:Second
>
> I take that to mean it was happy with the timestamp.
>
> > failregex = Unknown User .* \(<HOST>:.*\)
>
> How about
>
> failregex = ^\S+: Unknown User .* \(<HOST>\)$
>
> --
> Cheers, Ralph.

Thanks for your help, but it's not working...

https://imgur.com/a/w0F2JSC


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Ralph Corderoy
Hi Maykel,

I don't use fail2ban, but I've just skimmed
https://fail2ban.readthedocs.io/en/latest/filters.html#developing-filter-regular-expressions
You may find the ‘debuggex’ reference useful.

> failregex = Unknown User .* \(<HOST>:.*\)
...
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
...
> Date template hits:
> |- [# of hits] date format
> |  [6] {^LN-BEG}24hour:Minute:Second

I take that to mean it was happy with the timestamp.

> failregex = Unknown User .* \(<HOST>:.*\)

How about

failregex = ^\S+: Unknown User .* \(<HOST>\)$

-- 
Cheers, Ralph.


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Maykel Franco via arch-general
On Fri, 1 Nov 2019 at 17:32, Justin Capella via arch-general <
arch-general@archlinux.org> wrote:

> Your regex doesn't look like it would match. If <HOST> is substituted for
> your hostname, that part of the regex would need to be before the unknown
> user part.
>
> On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
> arch-general@archlinux.org> wrote:
>
> > Hi, I have this rule:
> >
> > jail.conf:
> >
> > [app-user]
> > enabled = true
> > port = 443
> > filter = user-app
> > logpath = /var/log/user-app.log
> > findtime = 1200
> > bantime = 480
> > maxretry = 3
> >
> > ---
> >
> > filter.d:
> >
> > user-app.conf
> >
> >
> > [Definition]
> >
> > failregex = Unknown User .* \(<HOST>:.*\)
> >
> > ignoreregex =
> >
> > ---
> >
> > The content of the test log file /var/log/user-app.log:
> >
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > ---
> >
> > And when I test it, it's not working:
> >
> > fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
> >
> > Running tests
> > =
> >
> > Use   failregex filter file : user-app, basedir: /etc/fail2ban
> > Use log file : user-app.conf
> > Use encoding : UTF-8
> >
> >
> > Results
> > ===
> >
> > Failregex: 0 total
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > |  [6] {^LN-BEG}24hour:Minute:Second
> > `-
> >
> > Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> > [processed in 0.02 sec]
> >
> > |- Missed line(s):
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > What's wrong? Maybe the timestamp on the left?
> >
> > Thanks in advance.
> >
>


The HOST is my client's public IP, not a hostname. I don't understand.

>


Re: [arch-general] Archlinux fail2ban not working

2019-11-01 Thread Justin Capella via arch-general
Your regex doesn't look like it would match. If <HOST> is substituted for
your hostname, that part of the regex would need to be before the unknown
user part.

On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
arch-general@archlinux.org> wrote:

> Hi, I have this rule:
>
> jail.conf:
>
> [app-user]
> enabled = true
> port = 443
> filter = user-app
> logpath = /var/log/user-app.log
> findtime = 1200
> bantime = 480
> maxretry = 3
>
> ---
>
> filter.d:
>
> user-app.conf
>
>
> [Definition]
>
> failregex = Unknown User .* \(<HOST>:.*\)
>
> ignoreregex =
>
> ---
>
> The content of the test log file /var/log/user-app.log:
>
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> ---
>
> And when I test it, it's not working:
>
> fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
>
> Running tests
> =
>
> Use   failregex filter file : user-app, basedir: /etc/fail2ban
> Use log file : user-app.conf
> Use encoding : UTF-8
>
>
> Results
> ===
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [6] {^LN-BEG}24hour:Minute:Second
> `-
>
> Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> [processed in 0.02 sec]
>
> |- Missed line(s):
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> |  [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
>
> What's wrong? Maybe the timestamp on the left?
>
> Thanks in advance.
>
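The point Ralph makes higher in the thread (fail2ban cuts the timestamp out of the line and expands `<HOST>` before the failregex is applied, so the raw line cannot be pasted into regex101) and the original question above can be checked with a small emulation. The following is an added example, not fail2ban's own code and not code posted by anyone in the thread: it strips a `[HH:MM:SS.mmm]` prefix with a deliberately simplified stand-in for fail2ban's date detector, expands `<HOST>` with the expression the fail2ban filter documentation gives for that tag (assumed here to be what the installed version uses), and runs the thread's original failregex and the one Maykel reported working over constructed log lines in the same format as the ones in the question. The IPv4 addresses on the extra lines, the `admin`/`x`/`maykel` usernames and the `Login OK` line are constructed for the example.

```python
"""Simplified emulation of how fail2ban applies a failregex.

Added example for this thread; it is not fail2ban's source. Real checks
belong to fail2ban-regex, which uses the real date detector.
"""
import re

# Expansion of the <HOST> tag as given in fail2ban's filter documentation.
# Assumption: the installed fail2ban expands <HOST> to the same expression.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stand-in for the date template fail2ban-regex reported as matching
# ({^LN-BEG}24hour:Minute:Second): a bracketed HH:MM:SS[.mmm] at line start.
# Trailing whitespace is removed with it; the real detector may differ here.
DATE_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}(?:\.\d+)?\]\s*")

# Constructed sample log. Line 1 is the thread's own line; the others are
# made up: a second address, a username containing address-like text, and a
# successful login that must not be counted as a failure.
SAMPLE_LOG = [
    "[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)",
    "[12:49:01.007] Server1: Unknown User 'admin' (198.51.100.7)",
    "[12:49:02.442] Server1: Unknown User 'x' (10.0.0.1)' (198.51.100.7)",
    "[12:49:05.120] Server1: Login OK 'maykel' (203.0.113.9)",
]

# The regex from the original question (colon after <HOST>) and the one
# Maykel later reported as working.
CANDIDATES = {
    "original (colon after <HOST>)": r"Unknown User .* \(<HOST>:.*\)",
    "working": r"Unknown User .* \(<HOST>\)",
}


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile, mirroring what fail2ban does to failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def strip_date(line: str) -> str:
    """Remove the timestamp the date detector would have consumed."""
    return DATE_RE.sub("", line, count=1)


def run_filter(failregex: str, lines: list) -> tuple:
    """Return (hosts_matched, lines_missed), like fail2ban-regex's summary.

    The host is taken from the named <host> group of the expanded regex,
    which is the address fail2ban would hand to the ban action.
    """
    pattern = compile_failregex(failregex)
    hosts, missed = [], []
    for line in lines:
        match = pattern.search(strip_date(line))
        if match:
            hosts.append(match.group("host"))
        else:
            missed.append(line)
    return hosts, missed


if __name__ == "__main__":
    for name, failregex in CANDIDATES.items():
        hosts, missed = run_filter(failregex, SAMPLE_LOG)
        print(f"{name}: {len(hosts)} matched, {len(missed)} missed")
        for host in hosts:
            print(f"  host: {host}")
        for line in missed:
            print(f"  missed: {line}")
```

The original regex misses every line because `<HOST>` expands to a character class that cannot contain `:`, and nothing in `(109.103.148.2)` supplies one; the working regex matches the three `Unknown User` lines and skips the successful login. The third constructed line shows why the greedy `.*` is acceptable here: the address that ends up in the `host` group is the last parenthesised one, which the server writes, not the address-like text inside the attacker-controlled username, so a crafted username cannot redirect the ban to someone else's address with this log format. The emulation does not reproduce how fail2ban treats `^` and any whitespace left after date removal, which is why the `^\S+:` variant from the thread is not included; run `fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf` for the authoritative result.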