fail2ban not banning but matches logs

I am trying to create brute force protection with fail2ban. With the fail2ban test it matches the logs I want to match, but with my test brute forcing the site with 7+ failed logins, it does not ban my IP address.

filter:

[Definition]
failregex = <HOST>:.*"POST /login.*" 200 .*$
ignoreregex =

jail:

[shop-brute-force]
enabled  = true
filter   = shop-brute-force
logpath  = /etc/exampleorg/shop/log/access.log
maxretry = 7
findtime = 60
bantime  = 900
ignoreip =

log example (anonymized with ..., 88.88.88.88 and example.org):

2022/04/01 08:09:25.413720 88.88.88.88:10729 - - [01/Apr/2022:08:09:25 +0000] "POST /login?target=%2Fshop%2F HTTP/1.1" 200 2192 "https://example.org/login?target=%2Fshop%2F" "..."

test:

Running tests
=============

Use   failregex filter file : shop-brute-force, basedir: /etc/fail2ban
Use         log file : /home/user/test.log
Use         encoding : UTF-8


Results
=======

Failregex: 3 total
|-  #) [# of hits] regular expression
|   1) [3] <HOST>:.*"POST /login.*" 200 .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [106] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 106 lines, 0 ignored, 3 matched, 103 missed
[processed in 0.02 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 103 lines

I try to create a brute force protection with fail2ban
failregex = ... 200 ...

This is not necessarily a brute force attempt, because 200 is a regular response that means OK... Normally codes like 401 or 403 would signal unauthorized attempts, or if the service answers with 200, it would write an additional log entry in some log file or journal (not necessarily into the access.log). But other things are also very questionable here, let alone that theoretically one is able to brute force using methods other than POST.

but with my test brute forcing the site with 7+ failed logins ...
Lines: 106 lines, 0 ignored, 3 matched, 103 missed

You did not provide the whole log excerpt corresponding to these 7 attempts. And fail2ban-regex finds only 3 matches related to your failregex (which is not good at all, e.g. unanchored and has catch-alls, however never mind - the matches are not there). Probably it logs something other than the single log line from your example, because your RE basically matches that. Thus please update your question with the whole log excerpt corresponding to all 7 attempts you did.

And last but not least, a much better RE could look like this:

failregex = ^\s*<ADDR>:\d+ [^"]*"[A-Z]+ /login\b[^"]*" 200\b

However I'm still unsure you'd really want to use that (due to the 200 problem et al. I mentioned above).

If it was only a test (with 3 log lines) and you really see all 7 log lines in the real log, you can check this FAQ for the possible reasons why fail2ban doesn't ban. For instance it may be an incorrect backend (set it to auto for file-related monitoring), an unsuitable ban action, or some error on the fail2ban side (check also the fail2ban.log).
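As an added illustration (not part of the question or the answer), the script below applies both failregexes to constructed log lines in the question's format and replays the jail's maxretry/findtime counting, so you can see why 3 matches cannot produce a ban and where the two regexes differ. The `<HOST>`/`<ADDR>` stand-ins, the `access_line` helper and every log line are constructed here, not taken from fail2ban or the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Approximate expansions of fail2ban's templates (assumption: the real <HOST>
# also accepts hostnames and IPv6, <ADDR> accepts IPv6; IPv4 suffices here).
HOST = r"(?P<host>[\w.:-]+)"
ADDR = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
# The question's failregex and the answer's proposed replacement.
ORIGINAL = HOST + r':.*"POST /login.*" 200 .*$'
IMPROVED = r"^\s*" + ADDR + r':\d+ [^"]*"[A-Z]+ /login\b[^"]*" 200\b'
# fail2ban cuts the matched date out of the line before applying failregex,
# which is why the improved regex can anchor on ^\s*<ADDR>.
DATE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+\s*")

def hits(failregex, lines):
    """(timestamp, host) for each log line the failregex matches."""
    rx, out = re.compile(failregex), []
    for line in lines:
        d = DATE.match(line)
        ts = datetime.strptime(d.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        m = rx.search(line[d.end():])
        if m:
            out.append((ts, m.group("host")))
    return out

def banned(failures, maxretry=7, findtime=60):
    """Jail simulation: ban once maxretry hits fall inside a findtime window."""
    recent, bans = defaultdict(list), set()
    for ts, host in sorted(failures):
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            bans.add(host)
    return bans

def access_line(sec, method, path, status):
    """Constructed access.log line in the question's format (sec = seconds field)."""
    return (f"2022/04/01 08:09:{sec:02d}.000000 88.88.88.88:10729 - - "
            f'[01/Apr/2022:08:09:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 2192 '
            f'"https://example.org/login" "Mozilla/5.0"')

# Constructed sample: the 3 POST /login 200 lines the question's test found,
# plus lines that show how the two regexes differ.
SAMPLE = [access_line(s, "POST", "/login?target=%2Fshop%2F", 200) for s in (1, 5, 9)] + [
    access_line(12, "GET", "/login", 200),       # only IMPROVED matches ([A-Z]+)
    access_line(15, "POST", "/logindata", 200),  # only ORIGINAL matches (/login.*)
    access_line(18, "POST", "/login", 401),      # neither: status is not 200
]
# 7 POST /login 200 lines inside findtime, as the question's brute-force test intended.
BURST = [access_line(s, "POST", "/login", 200) for s in range(20, 27)]
```

With `SAMPLE`, both regexes yield 4 hits for 88.88.88.88 (below maxretry = 7, so no ban); with `BURST`, 7 hits inside 60 seconds ban the address under either regex.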
