wiki:fail2ban_examples

wiki:fail2ban_examples [2022/12/22 11:33] – add more references antisa
wiki:fail2ban_examples [2024/03/06 14:02] (current) – add example of dry run antisa
Line 13: Line 13:
   logpath  = %(nginx_access_log)s   logpath  = %(nginx_access_log)s
  
-This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching nginx log:+This will create a ''bottest'' jail and will use a filter defined in ///etc/fail2ban/filter.d/bottest.local//. Example of regex matching default nginx log:
  
-  [Definition] +<code> 
-  failregex = client=<HOST> .*+[Definition] 
 +failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$ 
 +  
 +ignoreregex = 
      
-  ignoreregex = +datepattern = ^[^\[]*\[({DATE}
-   +</code>
-  datepattern = {^LN-BEG}+
  
 **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match. **<HOST>** is mandatory and has to match the IP address. Adapt regex to your logging format and lines you need to match.
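Review bot: the new failregex on the `+` side counts every GET, POST or HEAD request from a host, whatever its status code or path, so with the jail's maxretry of 4 in 60s an ordinary browser loading one page (HTML plus its assets) is banned just like a scanner; if this is intended as a test jail only, say so next to the regex, otherwise narrow the pattern (for example to a status code or a path prefix) before anyone copies it. Also worth one sentence: the empty `\[\]` in the failregex only works because the new `datepattern = ^[^\[]*\[({DATE}` line makes fail2ban cut the bracketed timestamp out of the line before the failregex is applied, so the two lines have to be changed together; readers who follow the unchanged advice below to adapt the regex to their own log format need to know that.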
Line 27: Line 29:
 action is defined already in ///etc/fail2ban/action.d/iptables.conf//, and logpath is defined in ///etc/fail2ban/paths-common.conf// action is defined already in ///etc/fail2ban/action.d/iptables.conf//, and logpath is defined in ///etc/fail2ban/paths-common.conf//
 </WRAP> </WRAP>
 +
 +Restart fail2ban:
 +  systemctl restart fail2ban.service
  
 This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated ''iptables -nvL'' output: This will now ban http request for 60 seconds from any client if it tries to access the site on port 80 more than 4 times within 60s. It will create a new iptables chain named f2b-bloKKKED. Truncated ''iptables -nvL'' output:
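Review bot: the added restart step gives no way to catch a broken filter before the service is bounced; suggest running `fail2ban-client -t` first and only then `systemctl restart fail2ban.service`, since a regex error in `bottest.local` otherwise only surfaces in the fail2ban log after the restart and the jail silently stays down.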
Line 46: Line 51:
 </WRAP> </WRAP>
  
 +===== Testing =====
 +
 +==== regex ====
  
 Use ''fail2ban-regex'' to check if its matching the regex. Here is an example of match Use ''fail2ban-regex'' to check if its matching the regex. Here is an example of match
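Review bot: the new `Testing` and `regex` headings are lowercase while the existing `Troubleshooting` and `Tested on` headings are capitalised, and the `regex` subsection drops straight into the old sentence, which has `its` for `it's` and no full stop after `example of match`; a one-line intro naming the log file and filter that the `fail2ban-regex` call reads would make the subsection self-contained.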
Line 65: Line 73:
 Failregex: 42 total Failregex: 42 total
 |-  #) [# of hits] regular expression |-  #) [# of hits] regular expression
-|   1) [42] client=<HOST> .*+|   1) [42] ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+$
 `- `-
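Review bot: only the regex line of the `fail2ban-regex` output was updated; the unchanged `Failregex: 42 total` above it was produced against the old `client=<HOST>` filter and log format, so either the output was not regenerated or the hit count coincidentally matches. Re-run `fail2ban-regex` against the new log sample and paste the complete fresh output, otherwise readers cannot tell whether the new pattern actually matched anything.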
  
Line 82: Line 90:
  
 <code> <code>
-"08/Nov/2022:15:36:30 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=referer=user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=upstream_connect_time=upstream_header_time=- upstream_cache_status=-  +10.21.21.1 - - [27/Dec/2022:11:57:15 +0100"GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
-"08/Nov/2022:15:37:35 +0100" client=10.21.21.1 method=GET request="GET / HTTP/1.1" request_length=1414 status=304 bytes_sent=180 body_bytes_sent=referer=user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 upstream_addr=- upstream_status=- request_time=0.000 upstream_response_time=- upstream_connect_time=- upstream_header_time=- upstream_cache_status=-+10.21.21.1 - - [27/Dec/2022:11:57:15 +0100"GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 </code> </code>
 +
 +==== dry run ====
 +Use action ''dummy.conf'' from //action.d/// directory to see what would be banned. E.g. 
 +
 +  [bottest]
 +  enabled  = true
 +  maxretry = 4
 +  findtime = 60s
 +  bantime  = 60s
 +  action   = dummy
 +  #action   = iptables[name=bloKKKED, port=http]
 +  logpath  = %(nginx_access_log)s
 +  
 +Then ''cat /var/run/fail2ban/fail2ban.dummy'' to see what IPs would be banned.
  
 ====== Troubleshooting ====== ====== Troubleshooting ======
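Review bot: the first replacement log line is malformed: `[27/Dec/2022:11:57:15 +0100"GET / HTTP/1.1"` lacks the closing `]` and the space before the request, and the line is missing its final `"`; compare the well-formed line quoted in the timezone warning further down (`+0100] "GET / HTTP/1.1"`). As written, the `\[\]` part of the failregex cannot match it, so the sample contradicts the 42 matches reported above; paste two verbatim lines from the access log instead. For the new dry-run section, say that the jail has to be restarted or reloaded after switching to `action = dummy` (the restart step is only given much earlier), and that `/var/run/fail2ban/fail2ban.dummy` is appended as bans happen, so the `cat` only shows something once matching traffic has been seen.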
Line 94: Line 116:
  
 then check the log file again. then check the log file again.
 +===== Timezone issue =====
 +If you have a [[https://github.com/fail2ban/fail2ban/issues/2882|warning]] similar to
 +  2022-12-27 11:11:57,573 fail2ban.filter         [17192]: WARNING [bottest] Simulate NOW in operation since found time has too large deviation None ~ 1672135917.573329 +/- 60
 +  2022-12-27 11:11:57,573 fail2ban.filter         [17192]: WARNING [bottest] Please check jail has possibly a timezone issue. Line with odd timestamp: 10.21.21.1 - - [27/Dec/2022:11:11:57 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0"
 +
 +check your filter's //dateformat// line it could be incorrectly matching the log lines.
 +
 +===== Not banning after action change =====
 +If you changed the action to be used in jail, for example from iptables to shorewall it might not work even after restart, workaround is to (re)move the sqlite database and restart e.g.
  
 +  mv /var/lib/fail2ban/fail2ban.sqlite3 /tmp/ && systemctl restart fail2ban
 ====== Tested on ====== ====== Tested on ======
   * fail2ban 0.11.2   * fail2ban 0.11.2
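Review bot: the timezone section tells the reader to check the filter's `dateformat` line, but the option used in the filter above (and the one fail2ban reads) is `datepattern`; fix the name so readers grep for the right key. The quoted warning lines are good evidence and can stay. In the `Not banning after action change` section, say that moving `/var/lib/fail2ban/fail2ban.sqlite3` away discards whatever ban state fail2ban has persisted in it, not just the stale jail configuration, so on a production host the reader should expect current bans to be gone after the restart; also add a blank line before `====== Tested on ======`, the new command line currently runs straight into the heading.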
wiki/fail2ban_examples.1671705236.txt.gz · Last modified: 2022/12/22 11:33 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal