3

I can't ban any IP, though when I test my regex it has 2000+ matches:

> fail2ban-regex '/var/log/nginx/access.log' '/etc/fail2ban/filter.d/bad-request.conf'
Date template hits:
|- [# of hits] date format
|  [1172344] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?        24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
Lines: 1172344 lines, 0 ignored, 2198 matched, 1170146 missed [processed in 223.96 sec]  

Here is my failregex:

^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)

I am using version 0.9.

The log file looks like this:

1.39.61.27,151.249.92.71,118.186.70.18,118.186.70.8,192.168.99.251,118.186.70.181,118.186.70.17,118.186.70.112,118.186.70.18,118.186.70.18,192.168.99.251 - "OPTIONS /js/shs/json HTTP/1.1" - [09/Oct/2015:15:33:29 +0800] 200 508 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.130 Chrome/43.0.2357.130 Safari/537.36" "-"
- - "GET /wp-login.php HTTP/1.1" - [09/Oct/2015:15:33:30 +0800] 200 130761 "-" "-" "-"

I checked iptables -L; the output is just normal, no banned IP.

Is it that the log date format doesn't comply with fail2ban's standards? Where should I check next?

sebix
Olaf Stavenger
  • I'm not sure, but you might want to look at the findtime and maxretry parameters. Is the findtime value not large enough, or is maxretry too high? Also take a look in the fail2ban log to see if any bans/unbans have happened. – SteffenNielsen Oct 09 '15 at 09:13
  • I set findtime=300 and maxretry=1, bantime=-1; I can reload the fail2ban config, so no problem there, it should work. I also checked my server time, it's the same time as in my log file; I don't see where the problem is. Could it be the timestamp format? Can you post your nginx log_format here? – Olaf Stavenger Oct 09 '15 at 09:25
  • Since the regex test successfully finds matches, I wouldn't think that the timestamp is the problem. Your findtime is pretty low (5 minutes), which means that when you reload fail2ban, it will find GET requests from the last 5 minutes and ban if there are any. New GET requests (after the reload) should be caught, though. Also, please look in the fail2ban log and check whether your filter is activated while reloading, etc. – SteffenNielsen Oct 09 '15 at 09:42
  • Seems like you are right: ERROR Failed to start jail 'bad-request' action 'sendmail-whois-lines': Error starting action [5355]: ERROR printf %b "Subject: [Fail2Ban] bad-request: started on `uname -n` What should I do? – Olaf Stavenger Oct 09 '15 at 09:59
  • My jail.local looks like this: [nginx-badbots] enabled = true filter = apache-badbots banaction=iptables-allports logpath = /var/log/nginx/access.log findtime = 7200 bantime = 86400 maxretry = 1 – Olaf Stavenger Oct 09 '15 at 10:01
  • I think you are mixing up a lot of stuff here. 1) Are you looking in nginx error.log or access.log? 2) Your filter is named "apache-badbots"? I found this article (https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04) with a filter similar to yours. Maybe you should start all over and follow their guide? – SteffenNielsen Oct 09 '15 at 11:10
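The fail2ban-regex summary only says how many lines matched; it does not say which ones. The script below is an added example (not from the question, the answer, or the fail2ban project): it expands the `<HOST>` tag the way fail2ban 0.9 does and runs the posted failregex over the two posted log lines plus one constructed line in the plain `$remote_addr - ...` form (the constructed line and its address 203.0.113.5 are assumptions). It shows that neither posted line matches: the first starts with a comma-separated address chain, so `<HOST> -` never lines up, and the second starts with `- -`, which contains no address at all. The 2198 hits therefore come from lines in some other form.

```python
import re

# fail2ban 0.9 expands the <HOST> tag to this group before compiling a
# failregex (from fail2ban's filter.py); copied here so the check runs
# without fail2ban installed.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex exactly as posted in the question.
FAILREGEX = r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)"

# Constructed sample log: the two lines quoted in the question, plus one
# line (assumption, not from the page) in the "$remote_addr - ..." form a
# stock nginx log_format would write for the same wp-login.php request.
SAMPLE_LOG = [
    '1.39.61.27,151.249.92.71,118.186.70.18,118.186.70.8,192.168.99.251,'
    '118.186.70.181,118.186.70.17,118.186.70.112,118.186.70.18,118.186.70.18,'
    '192.168.99.251 - "OPTIONS /js/shs/json HTTP/1.1" - '
    '[09/Oct/2015:15:33:29 +0800] 200 508 "-" "Mozilla/5.0 (X11; Linux x86_64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.130 '
    'Chrome/43.0.2357.130 Safari/537.36" "-"',
    '- - "GET /wp-login.php HTTP/1.1" - [09/Oct/2015:15:33:30 +0800] '
    '200 130761 "-" "-" "-"',
    '203.0.113.5 - "GET /wp-login.php HTTP/1.1" - [09/Oct/2015:15:33:30 +0800] '
    '200 130761 "-" "-" "-"',
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(lines, failregex=FAILREGEX):
    """For each line, return the host fail2ban would ban, or None when the
    failregex does not match (fail2ban 0.9 applies re.search to each line)."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LOG, match_hosts(SAMPLE_LOG)):
        status = "MATCH host=%s" % host if host else "MISS"
        print(status, "|", line[:60] + "...")
```

Two things follow from the output. First, the leading field of the posted lines looks like a comma-separated X-Forwarded-For chain (or `-` when the header is absent); that field is client-supplied, and the last entry in the sample chain is a private address (192.168.99.251), so keying a ban on it would let an attacker pick the address that lands in iptables and could ban your own proxy. Ban on `$remote_addr`, and use `ignoreip` for internal addresses. Second, the filter is only half of the story: the comment above shows the jail itself never started because the `sendmail-whois-lines` action could not run, and `fail2ban-client status bad-request` tells you whether a jail is up before you spend time on its regex.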

1 Answer

1

I finally got it working; my mistake was to set the action to:

action = %(action_mwl)s

inside jail.local when I didn't have a mail server. I adjusted the action to

action = %(action_)s

the default one, and I am now blocking a lot of malicious traffic automatically with fail2ban. The next step would be to block it permanently. Cheers.

Olaf Stavenger