fail2ban matches regular expressions but does not ban

I'm trying to set up fail2ban to monitor our traefik access logs but I'm not getting fail2ban to actually ban anything even though fail2ban-regex shows a lot of matches.

I've also specified loglevel = HEAVYDEBUG for fail2ban but it's not logging anything special to my logtarget (/var/log/fail2ban.log)

I've checked that pyinotify is installed. I also tried switching to a polling backend, but the results are all the same.

fail2ban version: 0.11.1-1
Ubuntu version: Ubuntu 20.04.6 LTS

This is the output I'm getting from fail2ban-regex:

Use   failregex filter file : wordpress-general-forceful-browsing, basedir: /etc/fail2ban
Use      datepattern : "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
Use         log file : /opt/traefik/logs/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 488 total
|-  #) [# of hits] regular expression
|   1) [488] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-CONTAINER>.*</F-CONTAINER>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-

Ignoreregex: 128 total
|-  #) [# of hits] regular expression
|   1) [128] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-REQUESTHOST>.*</F-REQUESTHOST>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*(\.png|\.webp|\.jpe?g|\.gif|\.mp3|\.mov|\.mp4|\.json|\.map|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-

Date template hits:
|- [# of hits] date format
|  [24435] "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
`-

Lines: 24435 lines, 128 ignored, 488 matched, 23819 missed
[processed in 19.73 sec]

This is my output from fail2ban-client status:

Status
|- Number of jail:  3
`- Jail list:   sshd, wordpress-auth, wordpress-general

And this is my output from /var/log/fail2ban.log:

2023-04-28 15:21:29,943 fail2ban.server         [1831210]: INFO    Starting Fail2ban v0.11.1
2023-04-28 15:21:29,943 fail2ban.server         [1831210]: INFO    Daemon started
2023-04-28 15:21:29,943 fail2ban.observer       [1831210]: INFO    Observer start...
2023-04-28 15:21:29,951 fail2ban.database       [1831210]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-28 15:21:29,952 fail2ban.jail           [1831210]: INFO    Creating new jail 'sshd'
2023-04-28 15:21:29,962 fail2ban.jail           [1831210]: INFO    Jail 'sshd' uses pyinotify {}
2023-04-28 15:21:29,965 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:29,967 fail2ban.filter         [1831210]: INFO      maxLines: 1
2023-04-28 15:21:29,986 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:29,986 fail2ban.filter         [1831210]: INFO      findtime: 600
2023-04-28 15:21:29,986 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,986 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:29,987 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:29,987 fail2ban.filter         [1831210]: INFO    Added logfile: '/var/log/auth.log' (pos = 461226, hash = bdb63f55b88b6f0ed320e1dc41b35bdf05ceb27e)
2023-04-28 15:21:29,988 fail2ban.jail           [1831210]: INFO    Creating new jail 'wordpress-general'
2023-04-28 15:21:29,988 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-general' uses pyinotify {}
2023-04-28 15:21:29,991 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:29,997 fail2ban.datedetector   [1831210]: INFO      date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:29,997 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:29,997 fail2ban.filter         [1831210]: INFO      findtime: 60
2023-04-28 15:21:29,998 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,998 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:29,998 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:29,998 fail2ban.filter         [1831210]: INFO    Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:29,999 fail2ban.jail           [1831210]: INFO    Creating new jail 'wordpress-auth'
2023-04-28 15:21:29,999 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-auth' uses pyinotify {}
2023-04-28 15:21:30,002 fail2ban.jail           [1831210]: INFO    Initiated 'pyinotify' backend
2023-04-28 15:21:30,006 fail2ban.datedetector   [1831210]: INFO      date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      maxRetry: 5
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      findtime: 60
2023-04-28 15:21:30,006 fail2ban.actions        [1831210]: INFO      banTime: 600
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.increment = True
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:30,006 fail2ban.jail           [1831210]: INFO    Set banTime.rndtime = 2048
2023-04-28 15:21:30,006 fail2ban.filter         [1831210]: INFO      encoding: UTF-8
2023-04-28 15:21:30,007 fail2ban.filter         [1831210]: INFO    Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:30,008 fail2ban.jail           [1831210]: INFO    Jail 'sshd' started
2023-04-28 15:21:30,009 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-general' started
2023-04-28 15:21:30,010 fail2ban.jail           [1831210]: INFO    Jail 'wordpress-auth' started
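fail2ban-regex only reports how many lines match overall; a ban requires one ClientHost to accumulate maxretry matches inside findtime (5 within 60 s for the wordpress-general jail above). The following is an added example, not code from the post or from fail2ban: a small Python re-implementation of that per-host sliding-window count, using the jail's own status set and static-asset exclusions, that can be run over real access-log lines to see whether any host would actually cross the threshold. The sample lines and the mk() helper are constructed for illustration and carry only the keys the check needs.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail settings reported in the fail2ban.log above for wordpress-general.
FINDTIME, MAXRETRY = 60, 5
# Status codes the failregex accepts; extensions the ignoreregex drops.
FAIL_STATUS = {401, 402, 403, 404, 405}
STATIC_RE = re.compile(r"\.(png|webp|jpe?g|gif|mp3|mov|mp4|json|map|ico|js|css|ttf|woff2?)/*$")

def parse_start(value):
    """Parse traefik's StartLocal (RFC3339 with nanoseconds); strptime's %f takes 6 digits."""
    m = re.fullmatch(r"(.+?)\.(\d+)(Z|[+-]\d\d:\d\d)", value)
    frac, zone = m.group(2)[:6].ljust(6, "0"), m.group(3).replace("Z", "+00:00")
    return datetime.strptime(f"{m.group(1)}.{frac}{zone}", "%Y-%m-%dT%H:%M:%S.%f%z")

def is_failure(entry):
    """failregex minus ignoreregex: origin 4xx on a path that is not a static asset."""
    return entry.get("OriginStatus") in FAIL_STATUS and not STATIC_RE.search(entry.get("RequestPath", ""))

def would_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Per-host sliding window: {host: timestamp at which maxretry hits fell inside findtime}."""
    window, bans = defaultdict(deque), {}
    for line in lines:
        entry = json.loads(line)
        if not is_failure(entry):
            continue
        host, ts = entry["ClientHost"], parse_start(entry["StartLocal"])
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in bans:
            bans[host] = ts
    return bans

def mk(host, minute, second, status, path="/wp-login.php"):
    """Constructed minimal traefik-style line; real lines carry the other keys seen above."""
    return json.dumps({"ClientHost": host, "OriginStatus": status, "RequestPath": path,
                       "StartLocal": f"2023-04-28T15:{minute:02d}:{second:02d}.943123456+02:00"})

SAMPLE = (  # constructed input
    [mk("203.0.113.7", 21, s, 404) for s in range(10, 40, 5)]              # 6 hits in 25 s
    + [mk("198.51.100.9", 21, s, 403, "/a.png") for s in range(10, 40, 5)]  # assets: ignored
    + [mk("192.0.2.5", m, 0, 401) for m in range(5)]                        # 5 hits, 60 s apart
)

if __name__ == "__main__":
    for host, ts in would_ban(SAMPLE).items():
        print(f"{host} would be banned at {ts.isoformat()}")
```

A jail also only processes lines appended after the stored position (the pos shown in the "Added logfile" messages), so matches that fail2ban-regex counts in the existing file never reach the jail; feed the script the tail written since the jail started.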