fail2ban matches regular expressions but does not ban

Question

Score:0

Server

fail2ban matches regular expressions but does not ban

Rasmus

4/28/24, 2:05 PM

I'm trying to set up fail2ban to monitor our traefik access logs but I'm not getting fail2ban to actually ban anything even though fail2ban-regex shows a lot of matches.

I've also specified loglevel = HEAVYDEBUG for fail2ban but it's not logging anything special to my logtarget (/var/log/fail2ban.log)

I've checked that pyinotify is installed. I also tried switching for a polling backend but the results are all the same.

fail2ban version: 0.11.1-1
Ubuntu version: Ubuntu 20.04.6 LTS

This is the output I'm getting from fail2ban-regex:

Use   failregex filter file : wordpress-general-forceful-browsing, basedir: /etc/fail2ban
Use      datepattern : "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
Use         log file : /opt/traefik/logs/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 488 total
|-  #) [# of hits] regular expression
|   1) [488] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-CONTAINER>.*</F-CONTAINER>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-

Ignoreregex: 128 total
|-  #) [# of hits] regular expression
|   1) [128] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-REQUESTHOST>.*</F-REQUESTHOST>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*(\.png|\.webp|\.jpe?g|\.gif|\.mp3|\.mov|\.mp4|\.json|\.map|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-

Date template hits:
|- [# of hits] date format
|  [24435] "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
`-

Lines: 24435 lines, 128 ignored, 488 matched, 23819 missed
[processed in 19.73 sec]

This is my output from fail2ban-client status

Status
|- Number of jail:  3
`- Jail list:   sshd, wordpress-auth, wordpress-general

And this is my output from /var/log/fail2ban.log

2023-04-28 15:21:29,943 fail2ban.server         [1831210]: INFO    Starting Fail2ban v0.11.1
2023-04-28 15:21:29,943 fail2ban.server         [1831210]: INFO    Daemon started
2023-04-28 15:21:29,943 fail2ban.observer       [1831210]: INFO    Observer start...
2023-04-28 15:21:29,951 fail2ban.database       [1831210]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-28 15:21:29,952 fail2ban.jail           [1831210]: INFO    Creating new jail 'sshd'
2023-04-28 15:21:29,962 fail2ban.jail           [1831210]: INFO    Jail 'sshd' uses pyinotify {}
2023-04-28 15:21:29,965 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:29,967 fail2ban.filter         [1831210]: INFO      maxLines: 1
2023-04-28 15:21:29,986 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:29,986 fail2ban.filter         [1831210]: INFO      findtime: 600
2023-04-28 15:21:29,986 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:29,987 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:29,987 fail2ban.filter         [1831210]: INFO    Added logfile: '/var/log/auth.log' (pos = 461226, hash = bdb63f55b88b6f0ed320e1dc41b35bdf05ceb27e)
2023-04-28 15:21:29,988 fail2ban.jail           [1831210]: INFO    Creating new jail 'wordpress-general'
2023-04-28 15:21:29,988 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-general' uses pyinotify {}
2023-04-28 15:21:29,991 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:29,997 fail2ban.datedetector   [1831210]: INFO      date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:29,997 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:29,997 fail2ban.filter         [1831210]: INFO      findtime: 60
2023-04-28 15:21:29,998 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:29,998 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:29,998 fail2ban.filter         [1831210]: INFO    Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:29,999 fail2ban.jail           [1831210]: INFO    Creating new jail 'wordpress-auth'
2023-04-28 15:21:29,999 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-auth' uses pyinotify {}
2023-04-28 15:21:30,002 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:30,006 fail2ban.datedetector   [1831210]: INFO      date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      findtime: 60
2023-04-28 15:21:30,006 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:30,007 fail2ban.filter         [1831210]: INFO    Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:30,008 fail2ban.jail           [1831210]: INFO    Jail 'sshd' started
2023-04-28 15:21:30,009 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-general' started
2023-04-28 15:21:30,010 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-auth' started

48

0 + 0

fail2ban

ubuntu-20.04

fail2ban matches regular expressions but does not ban

Post an answer