Fail2ban doesn't ban anyone...
I followed this guide to configure fail2ban with Squirrelmail. http://www.howtoforge.com/configuring-fail2ban-with-squirrelmail-on-centos-5.3-ispconfig-3
Squirrelmail correctly creates the output log, but fail2ban doesn't ban anyone. Why?
I'm using fail2ban 0.8.4 with CentOS 6.
Fail2ban doesn't ban anyone...
You have been on here long enough to know not to double post.
Re: Fail2ban doesn't ban anyone...
Post the portion of the log file that you are trying to reject, please. I do know that some people will play games with the forward reverse DNS entries to make them evaluate in a way that does not allow F2B to properly operate.
Re: Fail2ban doesn't ban anyone...
This is the regex:
[code]failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect[/code]
That should catch lines like this:
[code]07/24/2011 13:08:33 [LOGIN_ERROR] N/A (domainname.org) from xxx.xxx.xxx.xxx: Unknown user or password incorrect.[/code]
where xxx.xxx.xxx.xxx is an IP address.
With this command:
[code]fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf[/code]
I can see that the regexp isn't correct to catch those lines.
What could be a correct regexp?
Re: Fail2ban doesn't ban anyone...
This is the output of fail2ban-regex with the regex that should match:
fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/lib/squirrelmail/prefs/squirrelmail_access_log
Traceback (most recent call last):
File "/usr/bin/fail2ban-regex", line 372, in
fail2banRegex.testRegex(line)
File "/usr/bin/fail2ban-regex", line 225, in testRegex
ret = self.__filter.processLine(line)
File "/usr/share/fail2ban/server/filter.py", line 265, in processLine
return self.findFailure(timeLine, logLine)
File "/usr/share/fail2ban/server/filter.py", line 311, in findFailure
date = self.dateDetector.getUnixTime(timeLine)
File "/usr/share/fail2ban/server/datedetector.py", line 161, in getUnixTime
date = self.getTime(line)
File "/usr/share/fail2ban/server/datedetector.py", line 150, in getTime
date = template.getDate(line)
File "/usr/share/fail2ban/server/datetemplate.py", line 140, in getDate
date = list(time.strptime(conv, pattern))
File "/usr/lib64/python2.6/_strptime.py", line 454, in _strptime_time
return _strptime(data_string, format)[0]
File "/usr/lib64/python2.6/_strptime.py", line 308, in _strptime
format_regex = _TimeRE_cache.compile(format)
File "/usr/lib64/python2.6/_strptime.py", line 265, in compile
return re_compile(self.pattern(format), IGNORECASE)
File "/usr/lib64/python2.6/re.py", line 190, in compile
return _compile(pattern, flags)
File "/usr/lib64/python2.6/re.py", line 245, in _compile
raise error, v # invalid expression
sre_constants.error: redefinition of group name 'Y' as group 7; was group 3
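The traceback above dies in fail2ban's date templates before the failregex is ever applied, so the regex posted earlier in the thread never gets tested. The following is an added example (not from the thread and not fail2ban's own code) that checks the posted failregex and the SquirrelMail timestamp format independently of fail2ban: it stands in a simple IP pattern for fail2ban's <HOST> placeholder (an assumption; fail2ban's real expansion is different), parses the date with the `%m/%d/%Y %H:%M:%S` format seen in the quoted log line, and applies a maxretry/findtime window to constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted in the thread, with fail2ban's <HOST> placeholder
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
# Assumed stand-in for fail2ban's <HOST> expansion: a named group for the address
HOST_RE = r"(?P<host>[0-9A-Fa-f.:]+)"
# SquirrelMail access log timestamp, as in "07/24/2011 13:08:33 [LOGIN_ERROR] ..."
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
DATE_FMT = "%m/%d/%Y %H:%M:%S"

def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_line(line, pattern):
    """Return (timestamp, host) if the line is a login failure, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None                      # no parseable date: fail2ban would skip it
    ts = datetime.strptime(m.group(1), DATE_FMT)
    f = pattern.search(line)
    if not f:
        return None                      # date parsed, but not a failure line
    return ts, f.group("host")

def find_bans(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry failures within a findtime-second sliding window."""
    pattern = compile_failregex()
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        r = parse_line(line, pattern)
        if r is None:
            continue
        ts, host = r
        recent = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log; the format follows the line quoted in the thread
SAMPLE_LOG = [
    "07/24/2011 13:08:33 [LOGIN_ERROR] N/A (domainname.org) from 192.0.2.10: Unknown user or password incorrect.",
    "07/24/2011 13:08:40 [LOGIN_ERROR] N/A (domainname.org) from 192.0.2.10: Unknown user or password incorrect.",
    "07/24/2011 13:09:01 [LOGIN_ERROR] N/A (domainname.org) from 192.0.2.10: Unknown user or password incorrect.",
    "07/24/2011 13:09:05 [LOGIN_ERROR] N/A (domainname.org) from 198.51.100.7: Unknown user or password incorrect.",
    "07/24/2011 13:09:30 [LOGIN] alice (domainname.org) from 198.51.100.7",
]
```

If the failregex matches here but fail2ban-regex still crashes, the problem is the date template in the installed fail2ban/Python combination, not the filter.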
Re: Fail2ban doesn't ban anyone...
Maybe things are not so complicated.
My case is quite close to yours, when I installed the fail2ban rpm file.
The package 'python' was missing in my first installation.
My solution was to reinstall the fail2ban package by yum.
Then it works.
Here is the solution:
Add
>>vim /etc/yum.repos.d/CentOS-Base.repo
add these settings at the end
[atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
>> yum install fail2ban
other settings are the same in the tutorial. FYI.