
Fail2ban regex working but not banning. DNS warning instead


I had the following problem (already solved) with fail2ban and misplaced it on Stack Overflow, so I'm putting it here now.

So, I've been reading issues for some days and don't seem to find a solution anywhere. I'm making some tests on a web server lab: I have set up two VMs (Ubuntu 20.04), a server and a client. On the server I have a PHP login app configured to give me this log whenever someone fails to log in.

root@local:/var/log/apache2# tail -f error.log
[Fri Jun 18 10:13:37.657446 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php
[Fri Jun 18 10:13:41.434454 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php
[Fri Jun 18 10:13:46.236750 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php

And Fail2Ban v0.10.2 configured to catch it. /etc/fail2ban/jail.local:

[login-ban]
enabled  = true
port     = http,https
filter   = login-ban
logpath  = /var/log/apache2/error.log
maxretry = 3
findtime = 180
bantime  = 60

/etc/fail2ban/filter.d/login-ban.conf:

[Definition]
failregex =  ^\[.*\]\s\[.*]\s\[.*].*\[client.*<HOST>\].*\[error\].*
ignoreregex =

Now, the regex works perfectly if I check with fail2ban-regex:

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/login-ban.conf --print-all-matched

I get

|- Matched line(s):
|  [Fri Jun 18 10:36:07.312503 2021] [php7:notice] [pid 780] [client 192.168.1.11:44754] [error] failed login, referer: http://192.168.1.10/index.php
|  [Fri Jun 18 10:36:14.417955 2021] [php7:notice] [pid 784] [client 192.168.1.11:44756] [error] failed login, referer: http://192.168.1.10/index.php

But fail2ban is not banning the IP and the fail2ban.log is throwing me a DNS warning:

2021-06-18 10:50:22,083 fail2ban.ipdns          [2154]: WARNING Determined IP using DNS Lookup: 8 = {'0.0.0.8'}
2021-06-18 10:50:22,085 fail2ban.filter         [2154]: INFO    [login-ban] Found 0.0.0.8 - 2021-06-18 10:50:22

I've tried setting the usedns parameter to 'no' and to 'raw'; the only thing that accomplished was getting rid of the DNS warning log. Still no banning, and no record of the host that was trying to log in.

I hope this is enough info, and that this will help someone out there as much as me.


SOLUTION

User @sebres answered me:

just stop using catch-alls (.* etc.), e.g. one correction to make it work could be

- ... \[client.*<HOST>\] ...
+ ... \[client <HOST>:\d+\] ...

RE .* is greedy, so it matches as many chars as possible, and <HOST> can match anything (hostname), not only the address; better use <ADDR> instead if your fail2ban version is >= 0.10.

And your whole expression is "vulnerable" due to several catch-alls (so the anchor is not really taken).

So I made the change he suggested; it ended up like this:

^\[.*\[client <ADDR>:\d+\].*\[error\].*

Now everything is working as it should. Hope it helps!
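As an added example (not from the question or the answer above), this Python snippet mimics fail2ban's <HOST>/<ADDR> substitution with simplified stand-in patterns and shows why the original failregex captured a single digit of the client port while the corrected expressions capture the address. The HOST_RE and ADDR_RE patterns are assumptions, not fail2ban's exact ones.

```python
import re

# Simplified stand-ins for fail2ban's <HOST> and <ADDR> substitutions
# (assumption: the real patterns are longer, but the greedy behaviour is the same).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"             # any hostname-like token, as <HOST> allows
ADDR_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"  # IPv4 only, standing in for <ADDR>


def extract_host(failregex: str, line: str):
    """Expand <HOST>/<ADDR> like fail2ban does and return the captured host, or None."""
    pattern = failregex.replace("<HOST>", HOST_RE).replace("<ADDR>", ADDR_RE)
    m = re.match(pattern, line)
    return m.group("host") if m else None


# Constructed sample line in the format of the Apache error.log from the question
# (port ends in 8, which reproduces the "Found 0.0.0.8" seen in fail2ban.log).
LINE = ("[Fri Jun 18 10:13:37.657446 2021] [php7:notice] [pid 2465] "
        "[client 192.168.1.11:44758] [error] failed login, "
        "referer: http://192.168.1.10/index.php")

# The three expressions discussed on this page.
ORIGINAL = r"^\[.*\]\s\[.*]\s\[.*].*\[client.*<HOST>\].*\[error\].*"
SUGGESTED = r"^\[.*\]\s\[.*]\s\[.*].*\[client <HOST>:\d+\].*\[error\].*"
FINAL = r"^\[.*\[client <ADDR>:\d+\].*\[error\].*"

if __name__ == "__main__":
    # The greedy ".*" after "[client" swallows "192.168.1.11:4475" and leaves
    # only the last port digit for <HOST>; the anchored forms capture the address.
    for name, rx in [("original", ORIGINAL), ("suggested", SUGGESTED), ("final", FINAL)]:
        print(f"{name:9s} -> {extract_host(rx, LINE)!r}")
```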

djdomi (comment): please remind to accept your answer.
