wiki:fail2ban_examples
Differences
This shows you the differences between two versions of the page.
wiki:fail2ban_examples [2022/11/08 16:10] – created antisa | wiki:fail2ban_examples [2022/12/27 13:27] – [Port 80 ban] change config examples and log lines antisa | ||
---|---|---|---|
Line 13: | Line 13: | ||
logpath | logpath | ||
- | This will create a '' | + | This will create a '' |
- | | + | < |
- | failregex = client=< | + | [Definition] |
+ | failregex = ^< | ||
+ | |||
+ | ignoreregex = | ||
| | ||
- | ignoreregex = | + | datepattern = ^[^\[]*\[({DATE}) |
- | + | </ | |
- | | + | |
**< | **< | ||
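Review bot: The new datepattern line (datepattern = ^[^\[]*\[({DATE})) is not reflected in the fail2ban-regex output this same revision adds further down, which reports "Use datepattern : {^LN-BEG} : Default Detectors". That suggests the sample run used the default date detection rather than this filter's setting. Regenerate the sample output with the filter file as it now stands, so readers can see the 42 matches still hold with the custom datepattern, or add a sentence explaining why the output shows the default detectors.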
Line 27: | Line 29: | ||
action is defined already in /// | action is defined already in /// | ||
</ | </ | ||
+ | |||
+ | Restart fail2ban: | ||
+ | systemctl restart fail2ban.service | ||
This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated '' | This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated '' | ||
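Review bot: The added "Restart fail2ban:" step gives the reader no way to confirm that the new jail actually loaded. Follow the systemctl restart fail2ban.service line with fail2ban-client status, which lists the active jails, so a mistake in the filter or jail file is caught before the reader goes looking for the f2b-bloKKKED chain described in the next sentence.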
Line 42: | Line 47: | ||
</ | </ | ||
+ | <WRAP center round important 60%> | ||
+ | If you are using shorewall the above chain will be deleted on shorewall restart. Consider using the shorewall action instead of iptables then. | ||
+ | </ | ||
+ | Use '' | ||
+ | < | ||
+ | $ fail2ban-regex / | ||
+ | |||
+ | Running tests | ||
+ | ============= | ||
+ | |||
+ | Use | ||
+ | Use datepattern : {^LN-BEG} : Default Detectors | ||
+ | Use log file : / | ||
+ | Use | ||
+ | |||
+ | |||
+ | Results | ||
+ | ======= | ||
+ | |||
+ | Failregex: 42 total | ||
+ | |- #) [# of hits] regular expression | ||
+ | | 1) [42] ^< | ||
+ | `- | ||
+ | |||
+ | Ignoreregex: | ||
+ | |||
+ | Date template hits: | ||
+ | |- [# of hits] date format | ||
+ | | [42] {^LN-BEG}Day(? | ||
+ | `- | ||
+ | |||
+ | Lines: 42 lines, 0 ignored, 42 matched, 0 missed | ||
+ | [processed in 0.00 sec] | ||
+ | </ | ||
+ | |||
+ | nginx access.log | ||
+ | |||
+ | < | ||
+ | 10.21.21.1 - - [27/ | ||
+ | 10.21.21.1 - - [27/ | ||
+ | </ | ||
+ | |||
+ | ====== Troubleshooting ====== | ||
+ | |||
+ | |||
+ | You can check the logfile of fail2ban in /// | ||
+ | |||
+ | fail2ban-client --loglevel DEBUG start | ||
+ | |||
+ | then check the log file again. | ||
+ | ===== Timezone issue ===== | ||
+ | If you have a [[https:// | ||
+ | 2022-12-27 11: | ||
+ | 2022-12-27 11: | ||
+ | |||
+ | check your filter' | ||
====== Tested on ====== | ====== Tested on ====== | ||
* fail2ban 0.11.2 | * fail2ban 0.11.2 | ||
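Review bot: In the new Troubleshooting section, fail2ban-client --loglevel DEBUG start will be refused on a host where the server is already running, which is the state the page leaves the reader in after systemctl restart fail2ban.service. Either tell the reader to stop the service first, or use fail2ban-client set loglevel DEBUG to raise the level on the running server, and mention setting it back to the previous level once the problem is found.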
Line 49: | Line 110: | ||
====== See also ====== | ====== See also ====== | ||
+ | * [[https:// | ||
====== References ====== | ====== References ====== | ||
* https:// | * https:// | ||
+ | * man 5 jail.conf | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
wiki/fail2ban_examples.txt · Last modified: 2024/03/06 14:02 by antisa