Re: [Fail2ban-users] custom parameter from filter in action

2015-05-04 Thread Tom Hendrikx
On 05-05-15 00:09, Constantin Bugneac wrote: Hi All, How can I reference a custom parameter (not default ones like HOST or ip) in action file which is taken from filter regex? Here is the line in filter file: … failregex =

Re: [Fail2ban-users] Sogo + fail2ban

2015-06-05 Thread Tom Hendrikx
On 04-06-15 17:13, Kamaldeep Singh wrote: Hi On Thursday 04 June 2015 07:50 PM, Yves wrote: The ? near the end of your RE seems to indicate that the whole contents of the parenthesis is optional. I wrote too fast and wrongly included actual

Re: [Fail2ban-users] Regex for Postfix

2015-06-19 Thread Tom Hendrikx
On 19-06-15 21:25, Carmel NY wrote: I just started using 'fail2ban and have not figured out how to create a custom filter. I am running Postfix-3.0.1 on a FreeBSD 10.1 system. My mail-log is filling up with entries like this: Jun 19

Re: [Fail2ban-users] sendmail-whois-lines says log is /dev/null?

2015-11-03 Thread Tom Hendrikx
rs, dest=i...@domain.com, sender=fail2...@domain.com, sendername="Fail2Ban", logpath=/var/log/httpd/*access_log] Regards, Tom On 02-11-15 17:27, Bond Masuda wrote: > On 11/02/2015 07:50 AM, Tom Hendrikx wrote: >> Hi, >> >> Please show jail config for the rel

Re: [Fail2ban-users] Required kernel modules

2015-08-31 Thread Tom Hendrikx
On 31-08-15 15:25, Ali Metin wrote: > > > >>> So what is the answer? How can I load xt_set module in my case to >>> make fail2ban work? >> >> Are they a requirement for fail2ban? My openSUSE 13.1 server is >> running kernel 3.11.10 desktop and fail2ban 0.9.2 and doesn't have >> xt_set loaded

Re: [Fail2ban-users] Can't

2015-09-16 Thread Tom Hendrikx
On 15-09-15 18:28, Steve Watkins wrote: > I just installed fail2ban on OS X 10.10 Yosemite using MacPorts. > It appears to be working, or at least running, in that it created a > log file and I got no errors when I ran start>. > > The instructions

Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Tom Hendrikx
Hi, Maybe an interesting side note: fail2ban is built to quickly ban *and* unban problematic ip addresses. The whole nature of fail2ban is (IMHO) in the fact that it automatically unbans ip addresses after a while. However, you state that you have

Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Tom Hendrikx
asn't really looking into this part of your problem, just trying to solve your "how do I manage a lot of perm bans efficiently" problem. > > If you know how to cleanly disable the sqlite functionality I would > be grateful for the heads-up. > > Charles Bradshaw >

Re: [Fail2ban-users] Fail2Ban sends mails only once

2016-01-23 Thread Tom Hendrikx
Hi, The debug logging from fail2ban shows that the message is sent successfully to the sendmail program. Can you find logging from your mail server (postfix, sendmail) that confirms that the message sent on to gmail? Regards, Tom On

Re: [Fail2ban-users] getting IP address out of postfix logline that doesn't have the IP ?

2016-04-13 Thread Tom Hendrikx
On 13-04-16 00:03, jaso...@mail-central.com wrote: > I have a postfix postqueue Amavis filter set up to do A/V scanning. > > Right now, it's configured to DISCARD virus-tagged content. > > It works as far as detection and discard goes. > > I want to run fail2ban over the Postfix logs to

Re: [Fail2ban-users] block smtp auth if successful logins come from different IPs in a very short period of time

2016-09-14 Thread Tom Hendrikx
On 14-09-16 15:28, Marcus Schopen wrote: > Hi, > > I use fail2ban to block smtp auth failures. A few weeks ago a notebook > was infected and after that I saw massive logins using this account on my > smtp relay from world wide fast changing IPs. Ratelimits on smtp auth > users blocked most of

Re: [Fail2ban-users] Persistent ssh bots

2016-09-09 Thread Tom Hendrikx
On 09-09-16 08:49, Mitchell Krog Photography wrote: > Saw one reply this morning about changing SSH to a different port. Not > sure why people go changing their SSH port from 22 to something else, > does not achieve anything, might just make you feel more secure. Go read > about security through

Re: [Fail2ban-users] Fail2ban fails to start when mta = mail

2016-11-06 Thread Tom Hendrikx
On 04-11-16 15:47, Dave Macias wrote: > Hello, > > Currently we have a basic postfix setup to send mail from the local box. > > This works: >> echo "message" | mail -s subject em...@email.com > > i have a jail under jail.d called sshd2.local > >> [DEFAULT] >> ignoreip

Re: [Fail2ban-users] Error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '

2016-11-25 Thread Tom Hendrikx
On 25-11-16 14:05, dan...@msw.it wrote: > On 2016-11-24 21:47 Tom Hendrikx wrote: >> >> You made a typo in the config file, which made fail2ban fail on an >> earlier restart. The logrotate just tripped over the fact that f2b >> wasn't running some days later. >

Re: [Fail2ban-users] Error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '

2016-11-24 Thread Tom Hendrikx
On 24-11-16 19:06, dan...@msw.it wrote: > Hi friends, > on my first VPS Debian Jessie and Postfix/Dovecot, and > I've found this error on root mail: > > > /etc/cron.daily/logrotate: > ERROR Unable to contact server. Is it running? > error: error running non-shared postrotate script for >

Re: [Fail2ban-users] Understanding hierarchically-nested regular expressions used in fail2ban

2016-11-24 Thread Tom Hendrikx
Hi, That is indeed not regular expression syntax, it is python string formatting, used to generate the regex. This string is used also in the fail2ban config files in various distros to setup jails (although I think that the config file gets less readable from this, especially for

Re: [Fail2ban-users] Adjust fail2ban log to include affected domain

2016-11-29 Thread Tom Hendrikx
On 28-11-16 23:40, Matthew Demaree wrote: > It's great the log tells me what bans and what is unbanned or what > IPs were found to violate a jail, but I am really interested in > knowing which domain the offense was triggered against. > > Example: > > Currently 2016-11-28 16:52:44,838 filter

Re: [Fail2ban-users] Customized iptables action

2016-12-28 Thread Tom Hendrikx
On 28-12-16 16:04, Andrea wrote: > Hi all. > > I am trying to implement a custom ban action to integrate in my current > iptables setup. > I have created a dedicated chain in order to log connections at iptables > level and I would like for fail2ban to use it as well. > AFAIK what I have so far

Re: [Fail2ban-users] ProFtpd DROP net-fw TLS connection from client ftp

2017-08-09 Thread Tom Hendrikx
in proftpd, maybe it can do both protocols. The command "sudo netstat -tunlp | grep -i proftp" will show you on which ports your running instance of proftpd is listening. Then decide which ports you need to open in your firewall. Anyway, this is no fail2ban question :) Good luck, To

Re: [Fail2ban-users] Any way to increase ban probability for previously banned IPs?

2017-06-01 Thread Tom Hendrikx
Hi, The recidive jail does this, to some extent. Maybe it's already enough for what you need? Kind regards, Tom On 01-06-17 07:34, Philip Warner wrote: > I've set up a ban that runs for B time after F fails in T minutes. > > After each IP is un-banned, what I would like to do is,

Re: [Fail2ban-users] my dovecot filter not working

2017-12-13 Thread Tom Hendrikx
Hi, The default jail does not check on the lines you mention. Not really weird, since the log message explicitly states that no auth attempt is performed. Somebody is connecting but did not send auth details, and your dovecot didn't tell them whether the auth credentials were working or not.

Re: [Fail2ban-users] IP isn't banned even after maxretry

2017-10-29 Thread Tom Hendrikx
On 29-10-17 12:10, chaouche yacine via Fail2ban-users wrote: > > I configured my postfix-long jail to read from mail.warn : > > root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get > postfix-sasl-long logpath > Current monitored log file(s): > `- /var/log/mail.warn >

Re: [Fail2ban-users] IP isn't banned even after maxretry

2017-10-29 Thread Tom Hendrikx
WARNING [postfix-sasl-long] > Ban 187.178.172.36 > > > On Sunday, October 29, 2017 12:42 PM, Tom Hendrikx <t...@whyscream.net> wrote: >> Does your regex work when you test it using fail2ban-regex? > > I use the default postfix-sasl regex which had 700+ m

Re: [Fail2ban-users] fail2ban-regex -- ERROR: failed to read

2017-10-20 Thread Tom Hendrikx
Hi Ken, maybe fail2ban was upgraded recently on your machine? My ubuntu 16.04 machine (fail2ban version 0.9.3-1) won't read config files too unless I hand it a full path. This however works for me: $ cd /etc/fail2ban/filter.d $ fail2ban-regex /var/log/whatever.log $PWD/myfilter.conf Kind

Re: [Fail2ban-users] Fail2ban tailing symlinked log files

2018-01-27 Thread Tom Hendrikx
On 27-01-18 13:32, Roman Pikalo wrote: > Hello  > > I am trying to run fail2ban on my machine. > I have configured it to tail a docker container log file:  > > [nginx-http-auth] > > enabled = true > filter  = nginx-http-auth > port    = http,https > logpath = /var/log/docker/nginx.log > >

Re: [Fail2ban-users] Error between Fail2Ban and Python

2018-02-08 Thread Tom Hendrikx
installed python-pip > 2) remove fail2ban with apt > 3) remove fail2ban with pip  > 4) install fail2ban with apt  > 5) status fail2ban - error  > > Unsupported pickle protocol.  > > Is it possible to clean the packages or something else?  > > itsebiGami

Re: [Fail2ban-users] Error between Fail2Ban and Python

2018-02-08 Thread Tom Hendrikx
Hi, Yes, the files in /usr/local are from a manual install. Probably you can remove the install using pip: sudo pip uninstall fail2ban. To avoid messing up your ubuntu install, consider to uninstall the ubuntu package first, then remove the manual install, then reinstall the ubuntu package again.

[Fail2ban-users] Fwd: Re: Error between Fail2Ban and Python

2018-02-08 Thread Tom Hendrikx
Forwarded Message Subject: Re: [Fail2ban-users] Error between Fail2Ban and Python Date: Thu, 8 Feb 2018 19:02:16 +0100 From: itsebiGaming <itsebigam...@gmail.com> To: Tom Hendrikx <t...@whyscream.net> Solved the problem. I deleted the file in u

Re: [Fail2ban-users] Error between Fail2Ban and Python

2018-02-08 Thread Tom Hendrikx
On 08-02-18 16:57, itsebiGaming wrote: > Posts: 3 > > > Quote > Post 7 February 2018 > 21:54 (last edited: 7 February 2018

Re: [Fail2ban-users] recidive filter ignores ignoreregex?

2018-08-03 Thread Tom Hendrikx
Hi Michael, Please show your actual config, both .conf and .local. The 'ignoreregex' is supposed to be a regular expression that ignores log lines. When you want to ignore specific ip addresses, you should set 'ignoreip'. Kind regards, Tom On 03-08-18 00:57, Michael Fox wrote: > Any

Re: [Fail2ban-users] dovecot and postfix jail with extra SSL logging

2018-03-13 Thread Tom Hendrikx
Disconnected)?)?(, > session=<\S+>)?\s*$' > > Running tests > = > Use failregex line : ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?... > Use log file : /var/log/mail.log > Use encoding : UTF-8 > > Results > === > Fail

Re: [Fail2ban-users] Stuck here

2018-03-30 Thread Tom Hendrikx
On 29-03-18 20:54, Ben Coleman wrote: > On 3/29/2018 5:35 AM, Jaydeep Zala wrote: >> Hello guys, >> How can I whitelist my IP's dynamically, means from SQL query..? >> anyone have an idea about this? > > I think you'd have to generate a local .conf file (perhaps in jail.d) > that contains an

Re: [Fail2ban-users] fail2ban + geoip ?

2018-10-13 Thread Tom Hendrikx
On 13-10-18 01:56, Mark Costlow wrote: > I have a jail which blocks IPs if they fail too many auth to our > mail servers. I want to add a separate jail which does the same > but with more aggressive thresholds (like maxretry=2 instead of > maxretry=10) but only if the IP is from outside our

Re: [Fail2ban-users] jail for sendmail greylisting?

2018-11-07 Thread Tom Hendrikx
Hi, That is not a good idea, maybe you don't understand greylisting? When a new host connects and tries to deliver a message, the host is greylisted and told to return some time later. MTAs don't understand the actual time that is communicated, they just try again later based on their own

Re: [Fail2ban-users] IP's in recidive jail with bantime=-1 gets unbanned

2019-01-23 Thread Tom Hendrikx
On 23-01-19 20:05, Robert Kudyba wrote: > Is there something wrong with our configuration? Why would any IP that > gets permanently banned get unbanned? jail.local is below, logs showing > unban and recidive is as follows. Is there some overlap in the findtime > option? The sshd jail bans and

Re: [Fail2ban-users] Filter DNS DoS with Fail2Ban

2018-12-08 Thread Tom Hendrikx
On 07-12-18 15:15, James Bellegarde wrote: > Hello, > > Actually, I'm looking for a way to configure dnsmasq against DNS DoS > attack. > > Fail2ban is one of the most famous services that provide this type of > filter but only for BIND services. Is there a filter working with the > dnsmasq's logs

Re: [Fail2ban-users] Odd Fail2ban email alert issue

2019-04-13 Thread Tom Hendrikx
On 12-04-19 15:33, David Shuman wrote: Good morning, I'm an amateur with linux and toy around with a VPS for a few years now.  I've used Fail2ban to help protect it and have for many years. I've never had this issue before, but now all my emails sent about blocks have the wrong hostname in

Re: [Fail2ban-users] Regex not working

2019-06-12 Thread Tom Hendrikx
On 11-06-19 23:09, James Moe via Fail2ban-users wrote: fail2ban v0.10.3 linux v4.12.14-lp150.12.58-default x86_64 The second regex (...Error Code=unknown...) below is not matching the second example. fail2ban-regex was not helpful even with --verbosity=4; it only matched the date pattern.

Re: [Fail2ban-users] fail2ban ban's being dropped/disappear without noticed

2019-05-22 Thread Tom Hendrikx
Hi, The shorewall jail is just a command that tells the running shorewall instance to ban the ip address. Depending on the version of shorewall you're using, the ban might never be stored on disk. See http://shorewall.org/blacklisting_support.htm#idm43 for details. If there is anything

Re: [Fail2ban-users] details on updates?

2020-02-10 Thread Tom Hendrikx
Hi, This is an open source project, so developer time is mostly put in by volunteers. They can only answer questions as time permits. There is no reason to judge volunteers as "having a stuck up attitude" when they are just enjoying the weekend with their families (or any other pastime they

Re: [Fail2ban-users] fail2ban and roundcubemail on centos 8

2019-12-29 Thread Tom Hendrikx
Hi, Your fail regex does not extract an IP address or host from the log line, so fail2ban will not know which host to ban. Try: failregex = IMAP Error: Login failed for .* against localhost from <HOST>\. Kind regards, Tom On 28-12-2019 15:48, Davide Perini wrote: Hi all, guys. Hope you

Re: [Fail2ban-users] Block external ip address issue at fail2ban with docker & owncloud

2020-03-29 Thread Tom Hendrikx
Hi, Probably you need to use a different iptables chain to block the requests to your docker instance. In /etc/fail2ban/action.d/iptables-common.conf, the iptables chain that is used is defined. By default this is "INPUT", but in your case this should probably be changed to "FORWARD". I'm

Re: [Fail2ban-users] Block external ip address issue at fail2ban with docker & owncloud

2020-03-30 Thread Tom Hendrikx
ted problem per your suggestion. I would take time to read iptables firstly. Thank you for your hints. Regards Miss Poon On Sun, Mar 29, 2020 at 10:29 AM Tom Hendrikx wrote: Hi, Probably you need to use a different iptables chain to block the requests to your docker instance. In /etc/fail2b

Re: [Fail2ban-users] Mail notifications not including whois info

2020-05-02 Thread Tom Hendrikx
Hi, there are many different whois clients (it's a simple binary which can query various whois servers around the world. Not all whois clients support all features. It seems that (from your example) the whois client on your docker host supports querying by ip-address, but the whois binary

Re: [Fail2ban-users] Mail notifications not including whois info

2020-05-04 Thread Tom Hendrikx
: lrwxrwxrwx   1 root root  12 Mar 26 18:40  whois -> /bin/busybox *From:* Tom Hendrikx *Sent:* Saturday, May 2, 2020 10:10 AM *To:* fail2ban-users@lists.sourceforge.net *Subject:* Re: [Fail2ban-users] Mail notifications not including whois info Hi, there are many different whois clients (it's a sim

Re: [Fail2ban-users] Getting CRITICAL error after 'unban'

2020-09-27 Thread Tom Hendrikx
On 26-09-2020 23:29, Chris Green wrote: I have just installed fail2ban on a virtual server I run on Gandi Internet in France. The virtual server runs Ubuntu 8.04.5 LTS and I installed fail2ban from the standard repositories, version 0.10.2-2. I haven't changed the configuration at all, I just

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-08 Thread Tom Hendrikx
Hi Yassine, The shorewall action does not ban on a per-jail basis, but puts all ip-addresses on a single blacklist, as that is how shorewall works. In the original recidive implementation (which I wrote) it was especially mentioned that you shouldn't use the same jail action for the

Re: [Fail2ban-users] "Already banned" makes no sense

2021-07-13 Thread Tom Hendrikx
Hi, Apparently the ip-address 'should' be banned according to fail2ban's internal administration, but there is still activity coming in, triggering new bans. This can happen if your banning technique is broken, the configuration is broken, etc. F.i. you could configure the apache jail to