Score:0

fail2ban doesn't react to multiple IPs in log file, while fail2ban-regex does

Several days of fighting. My configuration is SME server 10 and fail2ban version 0.11.2. I run:

fail2ban-regex /var/log/httpd/access_log apache-get-dos.conf :

Running tests
Use failregex filter file : apache-get-dos, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/httpd/access_log
Use encoding : UTF-8

Results
Failregex: 373 total
|- #) [# of hits] regular expression
| 1) [373] .+"(?:GET|POST|HEAD|PUT|DELETE).+HTTP/\d.\d" (?:301|302|303|304|400|401|403|404|405|500) \d+ .+$
`-
Ignoreregex: 0 total
Date template hits:
Lines: 1269 lines, 0 ignored, 373 matched, 896 missed
[processed in 0.43 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 896 lines

From this I understand that there should be 373 matches in the fail2ban log file, but there are none. I am not sure about the date template - nothing in this line, is it ok? My date pattern seems to be correct and to work, as when there was an error, I saw warnings in the log file:

datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

My jail configuration is:

[http-get-dos]
enabled  = true
port     = http,https
filter   = apache-get-dos
logpath  = /var/log/httpd/access_log
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
action   = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
           smeserver-sendmail[name="Apache (DoS)",dest=my-mail-address]
maxretry = 5
findtime = 300
bantime  = 3600

and looking into access_log I see many cases of more than 5 "attacks" in a minute.

I perfectly know that this is my error, but what to do next? Where to look for the problem?

Many thanks ahead for any help.

P.S. I restarted fail2ban once again and saw the following in daemon.log:

WARNI [recidive] Simulate NOW in operation since found time has too large deviation None ~ 1665583370.38 +/- 60
 2022-10-12 17:02:50,380 7FD111FF3700
WARNI [recidive] Please check jail has possibly a timezone issue. Line with odd timestamp:  2022-10-12 17:02:50,266 7FD12FFFF700 NOTIC [qpsmtpd] Restore Ban 5.34.207.123

May it be that I still have some time/timezone problem? I checked the stamps everywhere - they all look correct...
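
An independent cross-check for the question above, added here as an example (not part of the original post and not fail2ban's own code): it applies the failregex printed by fail2ban-regex, parses each timestamp with the jail's datepattern, and reports which addresses reach maxretry hits inside findtime, plus how far a line's parsed time is from a given "now". It assumes combined log format with the client address as the first field; the function names, the sample lines and their +0300 offset are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as fail2ban-regex printed it on the page
FAILREGEX = re.compile(r'.+"(?:GET|POST|HEAD|PUT|DELETE).+HTTP/\d.\d" '
                       r'(?:301|302|303|304|400|401|403|404|405|500) \d+ .+$')
# Assumption: combined log format (client address first, timestamp in [...])
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
DATEFMT = "%d/%b/%Y:%H:%M:%S %z"  # the jail's datepattern with %% unescaped
MAXRETRY, FINDTIME = 5, 300       # from the [http-get-dos] jail

def parse(line):
    """Return (ip, epoch) for a line that matches failregex, else None."""
    m = LINE.match(line)
    if not m or not FAILREGEX.match(line):
        return None
    try:
        return m["ip"], datetime.strptime(m["ts"], DATEFMT).timestamp()
    except ValueError:  # timestamp does not fit the datepattern
        return None

def expected_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map ip -> epoch of the hit that reached maxretry inside findtime."""
    window, bans = defaultdict(deque), {}
    for ip, t in filter(None, map(parse, lines)):
        q = window[ip]
        q.append(t)
        while t - q[0] > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.setdefault(ip, t)
    return bans

def skew(line, now):
    """Seconds between `now` (epoch) and the line's parsed timestamp."""
    return now - parse(line)[1]

def mk(ip, hms, status):  # build one constructed combined-format line
    return (f'{ip} - - [12/Oct/2022:{hms} +0300] '
            f'"GET /x HTTP/1.1" {status} 196 "-" "sample-agent"')

# Constructed sample input (documentation addresses, not from the page's log)
SAMPLE = ([mk("192.0.2.10", f"17:02:{s:02d}", 404) for s in range(10, 16)]
          + [mk("198.51.100.7", "17:02:20", 404), mk("198.51.100.7", "17:09:00", 404)]
          + [mk("203.0.113.5", f"17:02:{s:02d}", 200) for s in range(30, 40)])

if __name__ == "__main__":
    print(expected_bans(SAMPLE))
```

If `expected_bans` lists addresses for the real access_log while the jail stays silent, compare `skew` for a fresh line against the current epoch: a result near a whole number of hours points at the time zone handling rather than the regex.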
