Re: [Fail2ban-users] Problem with sshd-ddos filter

On 25 January 2017 at 11:05, Patrick PICHON wrote: > > Hello, > > I'm having problem to get sshd-ddos triggering action. From the > configuration and from the log it looks like things are working, but > there is no trigger of action ! > > Do I miss something ? > > Thanks in

Re: [Fail2ban-users] Problem with sshd-ddos filter

363 fail2ban.filtersystemd [30982]: DEBUG Read > systemd journal entry: '2017-01-25T13:00:07.992217pitchoun.pipiche.net > sshd[31035]: Did not receive identification string from 15.203.163.254 port > 58144' > > > > On 2017-01-25 12:51, Dominic Raferd wrote: >> >> >>

Re: [Fail2ban-users] Two jails using one filter

ick > > On 2016-12-16 11:01, Dominic Raferd wrote: >> In a filter's failregex, can we have a variable equal to or containing >> the name of the jail using it? So that two jails can use the same >> filter and the failregex will match different messages depending on >&

Re: [Fail2ban-users] jail.d/asterisk.conf

On 11 January 2017 at 13:14, Thufir Hawat wrote: > I put an asterisk.conf as: > > root@fqdn_short:/etc/fail2ban/jail.d# > root@fqdn_short:/etc/fail2ban/jail.d# cat asterisk.conf > > [asterisk-iptables] > # if more than 4 attempts are made within 6 hours, ban for 24 hours >

Re: [Fail2ban-users] failed to start with result 'exit-code'.

On 11 January 2017 at 11:38, Thufir Hawat wrote: > I'm on Ubuntu 16.04 running on AWS EC2 and thought that fail2ban was > running, but: > > > > root@fqdn.subdomain:/var/log# > root@fqdn.subdomain:/var/log# > root@fqdn.subdomain:/var/log# systemctl status fail2ban.service >

[Fail2ban-users] Two jails using one filter

In a filter's failregex, can we have a variable equal to or containing the name of the jail using it? So that two jails can use the same filter and the failregex will match different messages depending on the jail? Use case: I'm using fail2ban v0.9.3. I have created two jails 'relay-long' and

Re: [Fail2ban-users] fail2ban not reading all variable in jail.local - bug or feature?

On 22 March 2017 at 13:15, Igor <fail2ban-l...@komkon.org> wrote: > > > On Wed, 22 Mar 2017, Dominic Raferd wrote: > > >> >> On 21 March 2017 at 14:36, Igor <fail2ban-l...@komkon.org> wrote: >> >> >> Sorry for the "bu

Re: [Fail2ban-users] Did not receive identification string . . .

On 21 March 2017 at 15:41, Bryan K. Walton wrote: > I'm looking at this closed bug report (from December of 2015): > > https://github.com/fail2ban/fail2ban/issues/1284 > > Is it still correct to say that fail2ban will not block an IP if the SSH > logs record a string like:

Re: [Fail2ban-users] fail2ban not reading all variable in jail.local - bug or feature?

On 21 March 2017 at 14:36, Igor wrote: > > > Sorry for the "bump", but I am still hoping that someone from the core > developers team would be able to respond. > > On Fri, 10 Mar 2017, Igor wrote: > > > > > > > I was testing a recent patch by Cristoph (#1689): > >

Re: [Fail2ban-users] Firewalld/ipset ban repeated offenders

On 3 April 2017 at 16:57, Dave Macias wrote: > Im trying to figure out how to set this up. > I've googled a bit and all i've seen articles using `iptables` which we > dont use. I've also seen that you can use the recidive filter for this but > this too uses iptables :( > ​Are

Re: [Fail2ban-users] Firewalld/ipset ban repeated offenders

On 3 April 2017 at 18:53, Dave Macias wrote: > Thank you for replying! > > Yes, the system can use iptables > ​..​ > . But to answer the question more clearly we have firewalld which to my > understanding manages iptables. With the current fail2ban setup we use the > actionban

Re: [Fail2ban-users] fail2ban at debian jessie with systemd

Did you try with backend=auto? I use fail2ban with Ubuntu 16.04 (based on stretch/sid) which also uses systemd but I never tried backend=systemd. On 12 April 2017 at 08:42, Bruno Queiros wrote: > I'm not sure, but i think i have Fail2ban with SystemD on my home server. > I

Re: [Fail2ban-users] Banning by Domain

On 7 July 2017 at 04:37, Hans Brost wrote: > Hi. Kind of new to all this, but I do know how to program. Not good at > regex thoughlol > > Could one have banning rules and a jail based on a separate domain? > ​I'm not sure quite what you mean, please explain

Re: [Fail2ban-users] Failed to stop jail 'jail' action 'iptables-multiport': Error stopping action

On 25 April 2017 at 03:27, Robert Kudyba wrote: > Any idea why these happen on restarts? This thread mentions names the > jails to check: https://github.com/fail2ban/fail2ban/issues/1092 > > > fail2ban-0.9.6-4.fc25.noarch > > cat /etc/fail2ban/jail.local > > [DEFAULT] > >

Re: [Fail2ban-users] Ubuntu 16.04 package problems

On 7 August 2017 at 20:33, Michael Fox wrote: > I've been a user of fail2ban for several years. I'm not an expert. But > I'm > not a newbie either. Everything has been running fine on Ubuntu 14.04. > > I'm building a new Ubuntu 16.04 machine. I installed the fail2ban package

Re: [Fail2ban-users] Interpreting output of jail status

On 28 April 2017 at 21:42, Danila Vershinin wrote: > Hi, > > I have created a jail and trying to understand how it performs. > I am puzzled at this output below. Particularly I want to know what “Total > failed” stands for. > Does it mean something wrong with the jail or it’s

Re: [Fail2ban-users] Banned IP continues its attempts, other IP isn't banned even after maxretry

On 17 September 2017 at 11:34, chaouche yacine wrote: > Hello Dominic, > > There was only 1 IP that was banned out of 4. The banned one has been > unbanned after bantime (1 day) so I can't find it in iptables : > > root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables

Re: [Fail2ban-users] fail2ban or iptables?

On 8 September 2017 at 16:22, Eckert, Doug wrote: > CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64 > > Not sure where my issue lies. It appears that f2b is processing the log > file(s) fine and adding 'iptables' rules, but I still see

[Fail2ban-users] Fail2ban jail with logging but no action (for testing)

Is it possible to modify a setting for a fail2ban jail such that it takes no real action but still logs what it would have done? Use case: I have two jails which are reacting to the same underlying event - a failed smtp auth login - sometimes one triggers and sometimes the other. I want to see if

Re: [Fail2ban-users] Fail2ban jail with logging but no action (for testing)

On 14 October 2017 at 07:02, Tony Collins wrote: > Yep - actually it looks like all you need is some kind of notification > that the IP address has triggered your jail. > > I have a jail that has one action: it sends me an email to tell me that an > IP address has failed

Re: [Fail2ban-users] configure fail2ban to use postfix for outgoing emails

On Thu, 2 Aug 2018 at 15:05, Aristos Vasiliou wrote: > 1) I left sendmail there because as already mentioned in my previous > email, it works, apparently as an alias to postfix > > 2) I only configured postfix. Obviously mail, mailx & sendmail, all > use the postfix configuration. > >

Re: [Fail2ban-users] f2b 0.10.2 / Ubuntu 18.04.1 LTS / iptables is empty

On Sat, 4 Aug 2018, 11:41 Christophe Thomas, wrote: > Hello, > > I'm using f2b on numerous server without an issue, they are most of them > on ubuntu 16.04 with f2b version 0.9.3. > > I've recently installed a ubuntu 18.04 on a raspberry pi, which comes with > f2b 0.10.2. I"ve configured f2b as

Re: [Fail2ban-users] configure fail2ban to use postfix for outgoing emails

On Thu, 2 Aug 2018 at 13:05, René Berber wrote: > On 8/2/2018 6:27 AM, Aristos Vasiliou wrote: > > > Ok bear with me please, I'm still struggling to understand the logic. > > > > So I figured out the email issue. > > > > *All three commands below can sent out email, no problem there.* > > > >

Re: [Fail2ban-users] fail2ban became unstable today

On Mon, 13 Aug 2018 at 20:26, James Moe via Fail2ban-users < fail2ban-users@lists.sourceforge.net> wrote: > Hello, > fail2ban 0.10.3 > linux 4.12.14-lp150.12.7-default x86_64 > > Fail2ban went unsane today. See the log sample below; there were many > more of those in the log file. >

Re: [Fail2ban-users] backend =

On Sat, 11 Aug 2018 at 20:05, Philip James Clarke via Fail2ban-users < fail2ban-users@lists.sourceforge.net> wrote: > I don’t know about an “easy way” I just do this > > # grep sshd_log `find /etc/fail2ban -type f` > /etc/fail2ban/paths-common.conf:sshd_log = %(syslog_authpriv)s >

Re: [Fail2ban-users] Hi all, basic question on fail2ban, how to start service

On Sat, 8 Dec 2018 at 01:44, Daniel Seita wrote: > Hi everyone, > > I am new to fail2ban and am trying to get it installed on one of my > systems. My goal is to limit how often others can ssh into the machine with > incorrect passwords. > > I posted my question on AskUbuntu: > > >

Re: [Fail2ban-users] iptables chains not created

On Fri, 21 Jun 2019 at 01:14, Bill Shirley wrote: > I use an ipset so I'm not authoritative on this, but I think the chains > are only > created when you get an actual ban. > yes and this is a change in 0.10 from previous versions of f2b, hence the OP's confusion.

Re: [Fail2ban-users] Is there any way to reload jail.local without unban

On Fri, 5 Jul 2019 at 10:08, Akshay Hegde wrote: > I see whenever I run > > fail2ban-client reload > > in fail2ban.log, fail2ban unban all ip first, then ban them again, > iptable nearly got around 3000 ips which are blocked. > > 2019-07-05 14:27:26,105 fail2ban.actions[4241]: NOTICE

Re: [Fail2ban-users] Reload action without full service restart?

On Tue, 2 Jul 2019 at 09:08, MI wrote: > Well, apparently it's not possible. > > "fail2ban-client reload" does everything (unban, re-ban, etc) for every > jail, which is what I want to avoid. > > "fail2ban-client reload $jail" does the same, except you would have to do > it for every jail > >

Re: [Fail2ban-users] Fwd: allowing incoming mail but blocking smtp logins?

On Tue, 3 Sep 2019 at 02:55, Mike wrote: > At 04:03 PM 9/2/2019, Nick Howitt wrote: > > I use postfix but my plan of attack is different. I only allow > authenticated logins on port 587 and block them on port 25. You have to > keep 25 open to receive mails from outside but the port now becomes

Re: [Fail2ban-users] maxretry maxfailures What's the deal ??

On Wed, 28 Aug 2019 at 12:41, Wayne Sallee wrote: > So is one for an old version, and the other for the newer version? > If so, which one is depreciated? > *From: * Dominic Raferd > > On Sun, 25 Aug 2019 at 21:25, Wayne Sallee <mailto:wa...@waynesallee.com>> wr

Re: [Fail2ban-users] port max?

On Wed, 28 Aug 2019 at 08:35, Nick Howitt wrote: > One thing I'd like to get hold of is a reliable list of all dynamic IP's > as used by some of the email RBL's. > I use fqrdns https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre in postfix and although it seems to be abandonware I

Re: [Fail2ban-users] maxretry maxfailures What's the deal ??

On Wed, 28 Aug 2019 at 16:32, Mike wrote: > At 07:25 AM 8/28/2019, Wayne Sallee wrote: > > Original Message > >*Subject: *  Re: [Fail2ban-users] maxretry maxfailures What's the deal > ?? > >*From: *     Dominic Raferd > >*To: *Â

Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

I am not the OP... On Sat, 15 Feb 2020 at 13:30, Dudi Goldenberg wrote: > Exactly. > > > > Your previous mail says: > > > > failregex = ^ -.*(?:%(denied)s)$ > > But in the test command you have “from $” at the line end, so it > works. > > > > Rega

Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

Is the log file really /var/log/secure and not say /var/log/secure.log? Also, you have maxretry set to 3 which is fine but this means it will only trigger a block after triggering 3x. On Sat, 15 Feb 2020 at 14:42, Henrique Fagundes wrote: > LogPath: > > [phpmyadmin] > enabled = true > port =

Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

ly it > didn't work! Is there anything else I can try? > > I'm grateful! > > Ativado Sáb, 15 fev 2020 05:37:26 -0300 Dominic Raferd < > domi...@timedicer.co.uk> escreveu > > > > > > On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes < &g

Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes wrote: > Dear Colleagues, > > I begin by apologizing for any communication error, as I am Brazilian and > I still try to adapt with the English language. > > I'm having a hard time getting Fail2Ban to work on phpmyadmin. > > I'm using CentOS

Re: [Fail2ban-users] Postfix submission

Indeed. See my postfix-failedauth jail at https://github.com/fail2ban/fail2ban/issues/2200 Dominic On Wed, 1 Jan 2020, 15:37 Bill Shirley, wrote: > I think the 'auth=0/1' is the number of successful logins vs login > attempts. You should be > able to key off of this with your failregex. > >

Re: [Fail2ban-users] already banned IP showing over and over in fail2ban.log, recidive not triggered?

On Wed, 11 Mar 2020 at 18:13, Robert Kudyba wrote: > Why would the recidive jail not be picking up on this IP? See the jail > settings at the end. > > 2020-03-11 11:14:29,382 fail2ban.actions[1539290]: WARNING > [pam-generic] 150.136.217.144 already banned > 2020-03-11 11:14:30,602

Re: [Fail2ban-users] general question

On Thu, 7 May 2020 at 13:21, Verhoeven Herman wrote: > Hi, I have last week installed fail2ban and i think it's working fine. > Yesterday i installed a VPN and in my Telenet Router (i'am living in > Belgium) the DMZ is set to ip 192.168.0.135 what is the address of my > Raspberry PI4. In the

Re: [Fail2ban-users] need help with filterd/postfix.conf

On Fri, 8 May 2020 at 23:02, Doug Preston via Fail2ban-users wrote: > > more filter.d/postfixconf help needed. > I have a log entry in maillog I am trying trigger fail2ban with. I > actually want to trigger on anything with the following > after EHLO from unknown[xxx.xxx.xxx.xxx] > May 5

Re: [Fail2ban-users] apache-fakegooglebot

On Wed, 20 May 2020 at 17:18, wrote: > I have installed Fail2ban on my Debian server which contains some websites. > > I have activated the "apache-fakegooglebot" filter ... now in the fail2ban > logs I see lines like this: > > 2020-05-20 17:15:43,161 fail2ban.filter [1218]: INFO >

Re: [Fail2ban-users] Limiting Log Entries in Email Notifications

On Sun, 11 Oct 2020 at 21:10, Dan Egli wrote: > > On 10/9/2020 6:56 AM, J. Smith wrote: > > Is there a way to limit the log listings in the email notifications to the > last “n” number of entries in the log? The “sendmail-whois-lines.conf” file > uses “grep –m” to limit the number of entries

Re: [Fail2ban-users] Fail2ban not catching offenders

On Fri, 16 Oct 2020 at 02:43, Dan Egli wrote: > > I have no idea why this is happening, but all of a sudden fail2ban isn't > catching any offenders who try to use an AUTH command when it's not > advertised. Here's an example from my logs: > > 2020-10-15 19:28:58.395 SMTP protocol error in "AUTH

Re: [Fail2ban-users] Fail2ban not catching offenders

On Sat, 17 Oct 2020 at 02:40, Dan Egli wrote: > > On 10/16/2020 11:39 AM, Dan Egli wrote: > > Okay. fail2ban-regex finally recognised something. The string I > > searched for was: > > H=(.*) .* AUTH command used when not advertised > > > > I'll try plugging that into my exim.local and see how

Re: [Fail2ban-users] How to not ban a range of IP addresses

Use the ignoreip parameter. You can create this in your jail.local either for an individual jail or, for all jails, in the [DEFAULT] section. ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 On Thu, 20 Aug 2020 at 23:32, James Moe via Fail2ban-users wrote: > > fail2ban 0.10.4 > >

Re: [Fail2ban-users] what does this message mean?

On 13/12/2020 06:36, Mike wrote: 2020-12-13 00:29:36,200 fail2ban.filtersystemd  [1026]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons. Can someone explain that to me?  Is this error

Re: [Fail2ban-users] Protect Postfix using Fail2ban: quick question

On 16/05/2021 10:55, Nicolas Kovacs wrote: Hi, One of my mail servers is running Oracle Linux 7 (a RHEL clone like CentOS). These last days it's been under heavy attack, and Postfix was brought to its knees a few times. Up until now I only used Fail2ban to protect SSH, which I did in a

Re: [Fail2ban-users] User defined variable in jail.local not working

On 02/07/2021 09:23, Nick Howitt wrote: I had a thread in April (https://www.mail-archive.com/fail2ban-users@lists.sourceforge.net/msg02953.html) about using my own variable and then incorporating it into the ignoreip line as I could then maintain it programmatically for my distro, but it

Re: [Fail2ban-users] Can I use my own variable in in jail.conf/jail.local

On 30/04/2021 08:38, Nick Howitt wrote: Hi, Can I define and use my own variable in the jail.local file? My use case is to programmatically whitelist the local LAN in a package for all users of ClearOS (like Centos7). It would be something I'd like to be able to toggle on an off subject to

Re: [Fail2ban-users] ban on disconnect before preauth

On 08/02/2021 03:30, Doug Preston via Fail2ban-users wrote: Can anyone help with this? I need to ban the following log entries Feb  7 14:08:30 web sshd[2820237]: Disconnected from authenticating user root 146.56.231.240 port 41748 [preauth] Feb  7 14:09:04 web sshd[2820247]: Received disconnect

Re: [Fail2ban-users] Reload / Restart of fail2ban-client

On 16/02/2021 06:44, Philip via Fail2ban-users wrote: Curious to know if it was intended for*fail2ban-client reload* to act the same way as stop/start. I would have expected a reload to reload jails without going though a complete unban then re-ban process. What version of fail2ban are you

Re: [Fail2ban-users] Debug unbanip

On 19/02/2021 21:52, Sergei Gerasenko wrote: Hi, I'm relatively new to fail2ban and I can't understand why I can't unban an ip using the client. I /can/ do it using iptables directly but not using the client. I'm running fail2ban v0.11. My configuration is like this (the important bits):

Re: [Fail2ban-users] After a year, f2b not blocking anything since login-shield in use

On 21/02/2021 03:47, Mike wrote: After more than a year of using the login-shield front end, this is the first time I noticed I have ZERO fail2ban blocks... I have been using the blacklist login-shield on my web server (hosting about 40-50 different web sites for various clients).  It is now

Re: [Fail2ban-users] fail2ban.log date/time format

On 10/11/2021 10:54, Foo Bar wrote: Hi, I use Fail2Ban v0.11.2 on my OpenBSD 7.0 server. The date/time of events in fail2ban.log looks like unix timestamps: +86282700 2876576C40 fail2ban.filter   INFO  [iplog] Found 89.248.165.247 - 2021-11-10 11:33:53 +86283319 2876576040

Re: [Fail2ban-users] Ubuntu 20.04: fail2ban starts, then stops

With Ubuntu 20.04 fail2ban is usually controlled directly by systemd, not via /etc/init.d/. The instructions you followed are very old. Some more modern ones can be found at https://linuxize.com/post/install-configure-fail2ban-on-ubuntu-20-04/. On 22/07/2021 18:53, Dan Morton wrote: I’ll

Re: [Fail2ban-users] fail2ban with iptables and "invalid port/service"

On 16/07/2021 08:34, Nick Howitt wrote: On 16/07/2021 06:23, Dominic Raferd wrote: On 16/07/2021 03:06, Alex wrote: Hi, I'm trying to use fail2ban with iptables because it's what I'm most comfortable using and this is on a real server with an extensive list of rules, not a home desktop. I

Re: [Fail2ban-users] Adding to postfix filter

On 15/07/2021 23:43, Alex wrote: Hi, I'm using fail2ban-0.11 on fedora33 and would like to add the following syslog entry to my postfix file: Jul 15 18:41:26 cipher postfix/submission/smtpd[1935971]: warning: wsip-24-249-23-200.ks.ks.cox.net[24.249.23.200]: SASL LOGIN authentication failed:

Re: [Fail2ban-users] fail2ban with iptables and "invalid port/service"

On 16/07/2021 03:06, Alex wrote: Hi, I'm trying to use fail2ban with iptables because it's what I'm most comfortable using and this is on a real server with an extensive list of rules, not a home desktop. I have the following in my jail.d/00-firewalld.conf: banaction = iptables

Re: [Fail2ban-users] multiline match?

On 07/03/2022 10:37, Richard Hector wrote: On 7/03/22 23:15, Richard Hector wrote: On 6/03/22 20:54, Dominic Raferd wrote: On 06/03/2022 04:35, Richard Hector wrote: I have lines like these in my logs (reported by logcheck, in this case): Mar  6 16:17:38 akl-host6 sshd[33035]: error

Re: [Fail2ban-users] multiline match?

On 06/03/2022 04:35, Richard Hector wrote: I have lines like these in my logs (reported by logcheck, in this case): Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by