I'm trying to use the fail2ban-regex
command to test my filter and regex, but it doesn't seem to be having any luck. I used a tutorial to demonstrate how to use the Devise gem with Rails to log failed logins.
Here's my /etc/fail2ban/filter.d/core.conf
file:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
and then here's what I have in my /etc/fail2ban/jail.conf
file.
[core]
enabled = true
filter = core
port = http,https
logpath = /home/rails/Documents/rails_app/devise.log
bantime = 3600
findtime = 600
maxretry = 2
And here's an example output from the devise.log
file that Rails created:
# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
It's exactly what was used in the tutorial. However, when I submitted invalid login attempts, nothing happened.
Here's the result of my fail2ban-regex
command:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log "^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"
Running tests
=============
Use failregex line : ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.02 sec]
|- Missed line(s):
| E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
| E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
| E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
| E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
| E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
| E, [2018-09-26T16:27:24.959032 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:24Z
| E, [2018-09-26T16:27:26.661292 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:26Z
| E, [2018-09-26T16:27:28.297408 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:28Z
| E, [2018-09-26T16:27:30.179503 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:30Z
| E, [2018-09-26T16:27:31.940616 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:31Z
| E, [2018-09-26T16:32:42.579173 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:42Z
| E, [2018-09-26T16:32:44.817088 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:44Z
| E, [2018-09-26T16:32:46.660918 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:46Z
Not sure why this isn't working. Any suggestions by chance? I've tried to manipulate my regex, but still no luck.
EDIT
It literally seems like Fail2Ban is broken or I'm just completely screwing up the Regex. I've reduced my devise.log
file to just a single line containing an IP address, and reduced my filter down to just this:
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>
and it STILL doesn't even find the IP address:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log core.conf
Running tests
=============
Use failregex filter file : core, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 172.16.38.1
`-
In your log you have lines that look like this:
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
And your regex is missing the ending with this part: 2018-09-26T21:27:17Z at the end of the lines. So you need to modify your regex as follows:
failregex = ^.* (\[.*\])* ERROR -- \: Failed login for '.*' from <HOST> at .*$
Here you can test your regexes. Just remember to replace <HOST>
with \\d+\\.\\d+\\.\\d+\\.\\d+
on regex site and then back to <HOST>
in your conf files.
Let me know if it helped.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.