On Fri, 1 Nov 2019 at 17:32, Justin Capella via arch-general <arch-general@xxxxxxxxxxxxx> wrote:

> Your regex doesn't look like it would match. If <HOST> is substituted for
> your hostname that part of the regex would need to be before the unknown
> user part.
>
> On Fri, Nov 1, 2019, 2:51 AM Maykel Franco via arch-general <
> arch-general@xxxxxxxxxxxxx> wrote:
>
> > Hi, I have this rule:
> >
> > jail.conf:
> >
> > [app-user]
> > enabled = true
> > port = 443
> > filter = user-app
> > logpath = /var/log/user-app.log
> > findtime = 1200
> > bantime = 480
> > maxretry = 3
> >
> > -------------------------------
> >
> > filter.d:
> >
> > user-app.conf
> >
> >
> > [Definition]
> >
> > failregex = Unknown User .* \(<HOST>:.*\)
> >
> > ignoreregex =
> >
> > -------------------------------
> >
> > The content of the test logfile /var/log/user-app.log:
> >
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > -------------------------------
> >
> > And when I test it, it is not working:
> >
> > fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf
> >
> > Running tests
> > =============
> >
> > Use failregex filter file : user-app, basedir: /etc/fail2ban
> > Use log file : user-app.conf
> > Use encoding : UTF-8
> >
> >
> > Results
> > =======
> >
> > Failregex: 0 total
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > | [6] {^LN-BEG}24hour:Minute:Second
> > `-
> >
> > Lines: 6 lines, 0 ignored, 0 matched, 6 missed
> > [processed in 0.02 sec]
> >
> > |- Missed line(s):
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> > | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)
> >
> > What's wrong? Maybe the left timestamp?
> >
> > Thanks in advance.
> >

The HOST is the public IP of my client, not a hostname. I don't understand.
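
Added example (not part of the thread and not fail2ban's own code): a Python check of the posted failregex against one of the missed lines, which locates the point where the pattern stops matching. It assumes a simplified IPv4-only stand-in for `<HOST>`; `FIXED` and the helper names are hypothetical.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
# (the real expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample: one of the missed lines quoted in the thread.
LOG_LINE = "[12:48:35.315] Server1: Unknown User 'test' (109.103.148.2)"

POSTED = r"Unknown User .* \(<HOST>:.*\)"   # failregex as posted
FIXED = r"Unknown User .* \(<HOST>\)"       # hypothetical correction


def expand(failregex):
    """Substitute the <HOST> tag and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def find_host(failregex, line):
    """Return the captured address, or None when the line is missed."""
    match = expand(failregex).search(line)
    return match.group("host") if match else None


def longest_matching_prefix(failregex, line):
    """Shorten the pattern from the right until it matches the line.

    The returned prefix ends just before the token that breaks the match.
    """
    for end in range(len(failregex), 0, -1):
        prefix = failregex[:end]
        try:
            if expand(prefix).search(line):
                return prefix
        except re.error:
            continue  # cut fell inside an escape or group; skip it
    return ""


if __name__ == "__main__":
    print("posted:", find_host(POSTED, LOG_LINE))
    print("fixed: ", find_host(FIXED, LOG_LINE))
    print("posted pattern matches up to:",
          longest_matching_prefix(POSTED, LOG_LINE))
```

The posted pattern matches up to and including `<HOST>` and fails at the `:` that follows it, because the logged address is closed directly by `)`.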