wiki:fail2ban_examples

Differences

This shows you the differences between two versions of the page.

wiki:fail2ban_examples [2022/12/27 13:11] – [Troubleshooting] add timezone issue antisa
wiki:fail2ban_examples [2022/12/29 10:11] – add Not banning after action change antisa
Line 13: Line 13:
   logpath  = %(nginx_access_log)s   logpath  = %(nginx_access_log)s
  
-This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching nginx log:+This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching default nginx log:
  
-  [Definition] +<code> 
-  failregex = client=<HOST> .*+[Definition] 
 +failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$ 
 +  
 +ignoreregex = 
      
-  ignoreregex = +datepattern = ^[^\[]*\[({DATE}
-   +</code>
-  datepattern = {^LN-BEG}+
  
 **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match. **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match.
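Review bot: the datepattern on the new side, `^[^\[]*\[({DATE}`, leaves the `({DATE}` group unclosed, so the regex will not compile; it should read `^[^\[]*\[({DATE})`, the same construction fail2ban ships in filter.d/nginx-bad-request.conf. The captured group is what fail2ban cuts out of the line before failregex runs, which is why the failregex expects an empty `\[\]` where the timestamp was; the text should say so, otherwise a reader adapting the regex will put the timestamp back in and get no matches. Also worth a caveat beside the jail: `\"(GET|POST|HEAD) .+$` matches every ordinary request, so any client that sends more than maxretry requests within findtime is banned, bot or not; narrow it by status code or path before using it as anything other than a test jail.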
Line 68: Line 70:
 Failregex: 42 total Failregex: 42 total
 |-  #) [# of hits] regular expression |-  #) [# of hits] regular expression
-|   1) [42] client=<HOST> .*+|   1) [42] ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$
 `- `-
  
Line 85: Line 87:
  
 <code> <code>
-"08/Nov/2022:15:36:30 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=referer=user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=upstream_connect_time=upstream_header_time=- upstream_cache_status=-  +10.21.21.1 - - [27/Dec/2022:11:57:15 +0100"GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
-"08/Nov/2022:15:37:35 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=referer=user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=- upstream_connect_time=- upstream_header_time=- upstream_cache_status=-+10.21.21.1 - - [27/Dec/2022:11:57:15 +0100"GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 </code> </code>
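Review bot: the replacement sample lines are not in nginx's default combined format and will not match the filter defined earlier on the page: both lines lack the `] ` between the timestamp and the request (`+0100"GET` should be `+0100] "GET`), and the first line is missing the closing quote after the user agent. After fail2ban removes the captured date, the failregex's `\[\] \"` needs the `]` immediately after the cut, so as written these lines produce zero hits. Corrected form: `10.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"`. Giving the two lines distinct timestamps would also make the findtime behaviour visible in the fail2ban-regex output.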
  
Line 103: Line 105:
  
 check your filter's //dateformat// line it could be incorrectly matching the log lines. check your filter's //dateformat// line it could be incorrectly matching the log lines.
 +
 +===== Not banning after action change =====
 +If you changed the action to be used in jail, for example from iptables to shorewall it might not work even after restart, workaround is to (re)move the sqlite database and restart e.g.
 +
 +  mv /var/lib/fail2ban/fail2ban.sqlite3 /tmp/ && systemctl restart fail2ban
 ====== Tested on ====== ====== Tested on ======
   * fail2ban 0.11.2   * fail2ban 0.11.2
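Review bot: the workaround should stop fail2ban before moving the database instead of moving it out from under the running daemon, and the text should say what is lost: fail2ban.sqlite3 holds the persisted bans (and the bantime.increment history), so none of the existing bans are restored on the next start. Deleting the database also does not remove the rules the old action installed (the iptables chains here); run `fail2ban-client unban --all` while the old action is still configured, or flush them by hand, before switching to shorewall. Suggested form: `systemctl stop fail2ban && mv /var/lib/fail2ban/fail2ban.sqlite3 /tmp/ && systemctl start fail2ban`. Separately, the unchanged line above this section refers to the filter's `dateformat` line; the option is called `datepattern`, as in the filter definition earlier on the page, and that sentence needs a comma or full stop after "line".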
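As an added example, not part of the wiki page or of fail2ban itself: the script below imitates the two steps fail2ban performs on every access-log line with the bottest filter above. It cuts the date captured by datepattern out of the line, then runs failregex on what remains and takes the host group, tallying hits per host the way fail2ban-regex summarises them. The log lines are constructed here (one of them reproduces the missing `] ` seen in the page's sample lines and must not match); the `{DATE}` and `<HOST>` expansions are hand-written stand-ins for fail2ban's own, covering only IPv4 addresses and nginx's default timestamp; and the datepattern is used with its closing parenthesis restored, since Python's re refuses the unclosed group exactly as printed on the page.

```python
import re

# Constructed nginx access-log lines in the default "combined" format; not
# taken from a real server. The third line deliberately lacks the "] " after
# the timestamp (the defect in the wiki's sample lines) and must not match.
SAMPLE_LOG = [
    '10.21.21.1 - - [27/Dec/2022:11:57:15 +0100] "GET / HTTP/1.1" 304 0 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"',
    '10.21.21.1 - - [27/Dec/2022:11:57:16 +0100] "POST /login HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '10.21.21.1 - - [27/Dec/2022:11:57:17 +0100"GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Dec/2022:11:58:01 +0100] "PROPFIND /webdav HTTP/1.1" 405 0 "-" "-"',
]

# The filter from /etc/fail2ban/filter.d/bottest.local on the page.
FAILREGEX = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$'
# Closing parenthesis restored; the page prints the group unclosed (assumed a typo).
DATEPATTERN = r'^[^\[]*\[({DATE})'

# Stand-ins for fail2ban's own placeholder expansions (assumption: simplified).
# {DATE}: only nginx's "%d/%b/%Y:%H:%M:%S %z" form; fail2ban tries many templates.
DATE_RE = r'\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}'
# <HOST>: IPv4 only; fail2ban's real <HOST> also accepts IPv6 and hostnames.
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'


def compile_filter(failregex, datepattern):
    """Expand the placeholders and compile both patterns (raises re.error if broken)."""
    date_re = re.compile(datepattern.replace('{DATE}', DATE_RE))
    fail_re = re.compile(failregex.replace('<HOST>', HOST_RE))
    return date_re, fail_re


def filter_compiles(datepattern, failregex=FAILREGEX):
    """True if the filter compiles; the unclosed '(' on the page makes re reject it."""
    try:
        compile_filter(failregex, datepattern)
        return True
    except re.error:
        return False


def strip_date(line, date_re):
    """Cut the captured date group out of the line, as fail2ban does before failregex.

    Returns (timestamp, remaining_line), or (None, line) when no date is found.
    """
    m = date_re.search(line)
    if m is None:
        return None, line
    return m.group(1), line[:m.start(1)] + line[m.end(1):]


def match_line(line, date_re, fail_re):
    """Return the host a line blames, or None when the line does not count as a failure.

    Lines without a recognisable date are skipped here (simplification: real
    fail2ban has its own fallback handling for them).
    """
    timestamp, rest = strip_date(line, date_re)
    if timestamp is None:
        return None
    m = fail_re.search(rest)
    return m.group('host') if m else None


def count_hits(lines, failregex=FAILREGEX, datepattern=DATEPATTERN):
    """Tally failregex matches per host, the count fail2ban compares against maxretry."""
    date_re, fail_re = compile_filter(failregex, datepattern)
    hits = {}
    for line in lines:
        host = match_line(line, date_re, fail_re)
        if host is not None:
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == '__main__':
    date_re, fail_re = compile_filter(FAILREGEX, DATEPATTERN)
    for line in SAMPLE_LOG:
        timestamp, rest = strip_date(line, date_re)
        print('date:', timestamp)
        print('  after strip:', rest[:40] + '...')
        print('  host:', match_line(line, date_re, fail_re))
    print('hits per host:', count_hits(SAMPLE_LOG))
    print('datepattern as printed on the page compiles:',
          filter_compiles(r'^[^\[]*\[({DATE}'))
```

Running it shows the GET and POST lines attributed to 10.21.21.1, the line with the missing `] ` and the PROPFIND line rejected, and the unclosed datepattern refused at compile time; `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/bottest.local` is the real tool to confirm the same counts against a live log.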
wiki/fail2ban_examples.txt · Last modified: 2024/03/06 14:02 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal