wiki:fail2ban_examples

wiki:fail2ban_examples [2022/11/08 16:10] – created antisa
wiki:fail2ban_examples [2022/12/27 13:27] – [Port 80 ban] change config examples and log lines antisa
Line 13: Line 13:
   logpath  = %(nginx_access_log)s   logpath  = %(nginx_access_log)s
  
-This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching nginx log:+This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching default nginx log:
  
-  [Definition] +<code> 
-  failregex = client=<HOST> .*+[Definition] 
 +failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$ 
 +  
 +ignoreregex = 
      
-  ignoreregex = +datepattern = ^[^\[]*\[({DATE}
-   +</code>
-  datepattern = {^LN-BEG}+
  
 **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match. **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match.
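Review bot: the `\[\]` in the new failregex only works because fail2ban removes the text captured by the datepattern group (here `({DATE}`, i.e. `27/Dec/2022:11:57:15 +0100`) from the line before failregex is applied, which leaves `[]` behind; that is not obvious from the block, and the sentence after it ("Adapt regex to your logging format") should say so, otherwise a reader adapting this to another log format will try to match the timestamp and get zero hits. The `\-` and `\"` escapes are also unnecessary: `^<HOST> - \S+ \[\] "(GET|POST|HEAD) .+$` is equivalent and easier to read.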
Line 27: Line 29:
 action is defined already in ///etc/fail2ban/action.d/iptables.conf//, and logpath is defined in ///etc/fail2ban/paths-common.conf// action is defined already in ///etc/fail2ban/action.d/iptables.conf//, and logpath is defined in ///etc/fail2ban/paths-common.conf//
 </WRAP> </WRAP>
 +
 +Restart fail2ban:
 +  systemctl restart fail2ban.service
  
 This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated ''iptables -nvL'' output: This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated ''iptables -nvL'' output:
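Review bot: a mistake in the edited filter or jail only shows up after `systemctl restart fail2ban.service`, when the jail (or the whole service, and with it every other jail) fails to come up; suggest testing the configuration first with `fail2ban-client -t`, or reloading only this jail with `fail2ban-client reload bottest` so the other jails keep running. Style: put the command in a `<code>` block like the other commands added in this revision.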
Line 42: Line 47:
 </code> </code>
  
 +<WRAP center round important 60%>
 +If you are using shorewall the above chain will be deleted on shorewall restart. Consider using the shorewall action instead of iptables then.
 +</WRAP>
  
  
 +Use ''fail2ban-regex'' to check if its matching the regex. Here is an example of match
 +<code>
 +$ fail2ban-regex /var/log/nginx/access.log bottest.local 
 +
 +Running tests
 +=============
 +
 +Use   failregex filter file : bottest, basedir: /etc/fail2ban
 +Use      datepattern : {^LN-BEG} : Default Detectors
 +Use         log file : /var/log/nginx/access.log
 +Use         encoding : UTF-8
 +
 +
 +Results
 +=======
 +
 +Failregex: 42 total
 +|-  #) [# of hits] regular expression
 +|   1) [42] ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$
 +`-
 +
 +Ignoreregex: 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [42] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
 +`-
 +
 +Lines: 42 lines, 0 ignored, 42 matched, 0 missed
 +[processed in 0.00 sec]
 +</code>
 +
 +nginx access.log
 +
 +<code>
 +10.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 +10.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 +</code>
 +
 +====== Troubleshooting ======
 +
 +
 +You can check the logfile of fail2ban in ///var/log/fail2ban.log//. To get a detailed log ouput restart the fail2ban with this command
 +
 +  fail2ban-client --loglevel DEBUG start
 +
 +then check the log file again.
 +===== Timezone issue =====
 +If you have a [[https://github.com/fail2ban/fail2ban/issues/2882|warning]] similar to
 +  2022-12-27 11:11:57,573 fail2ban.filter         [17192]: WARNING [bottest] Simulate NOW in operation since found time has too large deviation None ~ 1672135917.573329 +/- 60
 +  2022-12-27 11:11:57,573 fail2ban.filter         [17192]: WARNING [bottest] Please check jail has possibly a timezone issue. Line with odd timestamp: 10.21.21.1 - - [27/Dec/2022:11:11:57 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 +
 +check your filter's //dateformat// line it could be incorrectly matching the log lines.
 ====== Tested on ====== ====== Tested on ======
   * fail2ban 0.11.2   * fail2ban 0.11.2
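Review bot: the `fail2ban-regex` output (`Use datepattern : {^LN-BEG} : Default Detectors` and the `{^LN-BEG}Day(?P<_sep>[-/])MON...` date template hit) was produced with the previous filter's `datepattern = {^LN-BEG}`, not the `^[^\[]*\[({DATE}` this revision puts in the filter, so it does not verify the filter the page now ships; re-run `fail2ban-regex /var/log/nginx/access.log bottest.local` against the new filter and paste that output. In the Timezone section, "check your filter's //dateformat// line" should read `datepattern`, the option name actually used in the filter above. In Troubleshooting the text says "restart" but the command is `fail2ban-client --loglevel DEBUG start`, which will not work while the server is already running under systemd; `fail2ban-client set loglevel DEBUG` raises the level at runtime without a restart. Minor: "ouput" should be "output" and "if its matching" should be "if it's matching".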
Line 49: Line 110:
  
 ====== See also ====== ====== See also ======
 +  * [[https://web.archive.org/web/20220524061101/https://sven.rojek.de/posts/fail2ban-iprange-mit-blackliste-blocken|fail2ban ip range block]]
 ====== References ====== ====== References ======
   * https://www.fail2ban.org/wiki/index.php/MANUAL_0_8   * https://www.fail2ban.org/wiki/index.php/MANUAL_0_8
 +  * man 5 jail.conf
 +  * [[http://rsabalburo.blogspot.com/2014/07/fail2ban-with-shorewall.html|fail2ban with shorewall]]
 +  * [[https://wiki.archlinux.org/title/fail2ban|arch wiki]]
  
wiki/fail2ban_examples.txt · Last modified: 2024/03/06 14:02 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal