Differences

This shows you the differences between two versions of the page.

--- wiki:fail2ban_examples [2022/12/27 12:11] – [Troubleshooting] add timezone issue antisa
+++ wiki:fail2ban_examples [2024/03/06 13:02] (current) – add example of dry run antisa
@@ Line 13: / Line 13: @@
   logpath  = %(nginx_access_log)s
-This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching nginx log:
+This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching default nginx log:
-  [Definition]
+<code>
-  failregex = client=<HOST> .*
+[Definition]
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$
+ignoreregex =
-  ignoreregex =
+datepattern = ^[^\[]*\[({DATE})
+</code>
-  datepattern = {^LN-BEG}
 **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match.
@@ Line 49: / Line 51: @@
 </WRAP>
+===== Testing =====
+==== regex ====
 Use ''fail2ban-regex'' to check if its matching the regex. Here is an example of match
@@ Line 68: / Line 73: @@
 Failregex: 42 total
 |-  #) [# of hits] regular expression
-|   1) [42] client=<HOST> .*
+|   1) [42] ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$
 `-
@@ Line 85: / Line 90: @@
 <code>
-"08/Nov/2022:15:36:30 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=0 referer=- user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=- upstream_connect_time=- upstream_header_time=- upstream_cache_status=-
+.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
-"08/Nov/2022:15:37:35 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=0 referer=- user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=- upstream_connect_time=- upstream_header_time=- upstream_cache_status=-
+.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 </code>
+==== dry run ====
+Use action ''dummy.conf'' from //action.d/// directory to see what would be banned. E.g.
+  [bottest]
+  enabled  = true
+  maxretry = 4
+  findtime = 60s
+  bantime  = 60s
+  action   = dummy
+  #action   = iptables[name=bloKKKED, port=http]
+  logpath  = %(nginx_access_log)s
+Then ''cat /var/run/fail2ban/fail2ban.dummy'' to see what IPs would be banned.
 ====== Troubleshooting ======
@@ Line 103: / Line 122: @@
 check your filter's //dateformat// line it could be incorrectly matching the log lines.
+===== Not banning after action change =====
+If you changed the action to be used in jail, for example from iptables to shorewall it might not work even after restart, workaround is to (re)move the sqlite database and restart e.g.
+  mv /var/lib/fail2ban/fail2ban.sqlite3 /tmp/ && systemctl restart fail2ban
 ====== Tested on ======
   * fail2ban 0.11.2