Fail2ban doesn't ban anyone...

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Fail2ban doesn't ban anyone...

Post by sblantipodi » 2011/07/24 15:48:01

Fail2ban doesn't ban anyone...

I followed this guide to configure fail2ban with Squirrelmail. http://www.howtoforge.com/configuring-fail2ban-with-squirrelmail-on-centos-5.3-ispconfig-3

Squirrelmail correctly creates the output log, but fail2ban doesn't ban anyone. Why?

I'm using fail2ban 0.8.4 with CentOS 6.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Fail2ban doesn't ban anyone...

Post by gerald_clark » 2011/07/25 14:04:33

You have been on here long enough to know not to double post.

pjwelsh
Posts: 2632
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Fail2ban doesn't ban anyone...

Post by pjwelsh » 2011/07/25 17:05:49

Post the portion of the log file that you are trying to reject, please. I do know that some people will play games with the forward reverse DNS entries to make them evaluate in a way that does not allow F2B to properly operate.

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Re: Fail2ban doesn't ban anyone...

Post by sblantipodi » 2011/07/25 17:15:31

this is the reg expr
[code]failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect[/code]


That should catch lines like this:
[code]07/24/2011 13:08:33 [LOGIN_ERROR] N/A (domainname.org) from xxx.xxx.xxx.xxx: Unknown user or password incorrect.[/code]
where xxx.xxx.xxx.xxx is an ip address

With this command:
[code]fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf[/code]

I can see that regexp isn't correct to catch those lines.

What could be a correct regexp?

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Re: Fail2ban doesn't ban anyone...

Post by sblantipodi » 2011/07/25 18:36:40

This is the output of fail2ban-regex with the regexp that should match:

[code]fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/lib/squirrelmail/prefs/squirrelmail_access_log

Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 372, in
    fail2banRegex.testRegex(line)
  File "/usr/bin/fail2ban-regex", line 225, in testRegex
    ret = self.__filter.processLine(line)
  File "/usr/share/fail2ban/server/filter.py", line 265, in processLine
    return self.findFailure(timeLine, logLine)
  File "/usr/share/fail2ban/server/filter.py", line 311, in findFailure
    date = self.dateDetector.getUnixTime(timeLine)
  File "/usr/share/fail2ban/server/datedetector.py", line 161, in getUnixTime
    date = self.getTime(line)
  File "/usr/share/fail2ban/server/datedetector.py", line 150, in getTime
    date = template.getDate(line)
  File "/usr/share/fail2ban/server/datetemplate.py", line 140, in getDate
    date = list(time.strptime(conv, pattern))
  File "/usr/lib64/python2.6/_strptime.py", line 454, in _strptime_time
    return _strptime(data_string, format)[0]
  File "/usr/lib64/python2.6/_strptime.py", line 308, in _strptime
    format_regex = _TimeRE_cache.compile(format)
  File "/usr/lib64/python2.6/_strptime.py", line 265, in compile
    return re_compile(self.pattern(format), IGNORECASE)
  File "/usr/lib64/python2.6/re.py", line 190, in compile
    return _compile(pattern, flags)
  File "/usr/lib64/python2.6/re.py", line 245, in _compile
    raise error, v # invalid expression
sre_constants.error: redefinition of group name 'Y' as group 7; was group 3[/code]
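
Added example, not part of the original thread and not fail2ban's own code: a stand-alone Python check of the two steps involved above, reading the log line's timestamp (where the traceback occurs) and matching the posted failregex. The `<HOST>` expansion, the two candidate date formats and the sample address 192.0.2.10 are assumptions made for this illustration.

```python
import re
import time

# Constructed sample line in the format quoted in the thread; 192.0.2.10 is a
# documentation address standing in for the masked xxx.xxx.xxx.xxx.
SAMPLE = ("07/24/2011 13:08:33 [LOGIN_ERROR] N/A (domainname.org) "
          "from 192.0.2.10: Unknown user or password incorrect.")

# failregex exactly as posted in the thread.
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"

# Simplified stand-in for the <HOST> tag (assumption: fail2ban's own
# expansion differs in detail).
HOST_GROUP = r"(?P<host>[\w.\-]+)"

# Candidate timestamp layouts (assumptions, not fail2ban's template list).
DAY_FIRST = "%d/%m/%Y %H:%M:%S"
MONTH_FIRST = "%m/%d/%Y %H:%M:%S"


def match_host(line, failregex=FAILREGEX):
    """Return the host captured by failregex, or None if the line does not match."""
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return m.group("host") if m else None


def timestamp_formats(line, formats):
    """Return the strptime formats that parse the line's leading timestamp."""
    stamp = " ".join(line.split()[:2])  # date and time are the first two fields
    accepted = []
    for fmt in formats:
        try:
            time.strptime(stamp, fmt)
        except ValueError:
            continue  # e.g. "24" is not a valid month in a day-first layout
        accepted.append(fmt)
    return accepted


if __name__ == "__main__":
    print("host matched by failregex:", match_host(SAMPLE))
    print("timestamp parses as:", timestamp_formats(SAMPLE, [DAY_FIRST, MONTH_FIRST]))
```

On the sample line the posted failregex matches once `<HOST>` is expanded, while the timestamp parses only with the month-first layout.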

ghost4777
Posts: 1
Joined: 2011/08/05 18:04:24

Re: Fail2ban doesn't ban anyone...

Post by ghost4777 » 2011/08/05 18:13:59

Maybe things are not so complicated.
My case is quite close to yours, when I installed the fail2ban rpm file.
The package 'python' is missing in my first installation.
My solution is to reinstall the fail2ban package with yum.
Then it works.
Here is the solution:
Add
[code]>>vim /etc/yum.repos.d/CentOS-Base.repo[/code]

add these settings at the end
[code][atrpms]
name=Red Hat Enterprise Linux $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1[/code]

[code]>> yum install fail2ban[/code]

Other settings are the same as in the tutorial. FYI.
