5

I am using fail2ban 0.9.7 on CentOS 7 along with an Apache reverse proxy, trying to ban bots trying to access my server as an open proxy, such as:

221.8.179.164 - - [10/Jun/2019:22:04:19 +0200] "CONNECT auth.riotgames.com:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"

Some of these requests return 200 for some reason, although ProxyRequests is turned off.

Here is my configuration:

apache-badhosts.conf

[Definition]
failregex = ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$

ignoreregex =

jail.conf

[apache-badhosts]
port     = http,https
# I made sure this is the proper path
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1
enabled  = true

And here is the result of fail2ban-regex:

user@host /e/fail2ban> sudo fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-badhosts.conf

Running tests
=============

Use   failregex filter file : apache-badhosts, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : UTF-8


Results
=======

Failregex: 10797 total
|-  #) [# of hits] regular expression
|   1) [10797] ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [13813] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 13813 lines, 0 ignored, 10797 matched, 3016 missed
[processed in 2.44 sec]

fail2ban.log

The log is pretty much empty, and only shows sshd bans.

Why is fail2ban not banning IPs, although it finds matches using the regex above?

ojathelonius
    I'd try to enable notifications and see if they're triggered. I assume you already ran `fail2ban-client status` and confirmed your custom jail is loaded. – Marco Jun 10 '19 at 22:35
  • Indeed the custom jail is loaded. I also made sure it was loaded with the proper configuration using `fail2ban-client -d | grep badhosts`. By notifications, do you mean e-mail notifications? These are disabled right now, but wouldn't they also appear in fail2ban.log anyway? – ojathelonius Jun 11 '19 at 05:51
  • Well, according to the information provided, fail2ban should ban hosts matching the regex... – Marco Jun 11 '19 at 08:30
  • It definitely should! I'm wondering if this is not a deeper issue linked to iptables, however fail2ban does not even log any ban attempt... – ojathelonius Jun 11 '19 at 08:32
  • Did you find any solution? I've the exact same problem. – Ergec Jun 15 '19 at 12:03
  • @Ergec no, but here are some things you can check on your side, to see if your issue is not easier to solve. First check that firewalld knows about the rules you created with `sudo firewall-cmd --direct --get-all-rules`. In your `jail.local`, verify that logpath uses the proper path to the apache log (usually `/var/log/httpd/access_log`). Check that `port` is set to both `http,https`. Finally, if you're using CentOS 7 like me with fail2ban 0.9.7 installed through `yum`, try using the latest version from the fail2ban repo instead. – ojathelonius Jun 16 '19 at 16:04
  • If I do find a fix, I'll make sure to self-answer this post so consider saving it. I'm thinking this is apache related rather than fail2ban, since my `sshd` rules work perfectly. Moreover, I am unsure if this is normal or not, but although `fail2ban-regex` finds hits, it does not print any `Summary` listing all found IPs like it usually does in the example results online. – ojathelonius Jun 16 '19 at 16:07
  • @ojathelonius thanks for your reply. I also use CentOS 7 and fail2ban 0.9.7. Output of `fail2ban-regex -v /path/to/logfile /pathto/filter.conf` does display IP addresses that match and also # of hits to date template. Also `iptables -nvL` displays my chain and `pkts` and `bytes` are increasing but no banned IP addresses. Newest release for centos on epel is current version and couldn't find newer rpm anywhere. It's not the first time I've configured fail2ban, I did it several times on other machines (older versions of centos and fail2ban) but this one is a nightmare. – Ergec Jun 17 '19 at 06:44
  • @Ergec did you try using firewalld instead of iptables? I tried using iptables but it didn't work either. I also tried using custom actions such as in this comment: https://github.com/fail2ban/fail2ban/issues/1474#issuecomment-272659488 but to no avail. I also found this interesting link ( https://www.centos.org/forums/viewtopic.php?t=60586 ) but it does not apply to me as firewalld rules are definitely created in `firewall-cmd --direct --get-all-rules`. Do your `sshd` rules work properly as well? – ojathelonius Jun 17 '19 at 08:23
  • Also, does your `fail2ban-regex` display a `======= Summary` part? This might not be relevant, but my output does not show such a thing while it's usually shown in examples online. – ojathelonius Jun 17 '19 at 08:24
  • I might have figured it out but need you to test it so I can post it as an answer. Check if you have `python-inotify` installed (I bet you don't, just like me): `yum install python-inotify`. Once it's installed, edit your `jail.local` and put `backend = pyinotify` under the jail you need. Restart fail2ban. Voila? ;) – Ergec Jun 17 '19 at 10:26
  • Geez, man, thank you. It works. How did you find out about this? – ojathelonius Jun 17 '19 at 12:05
  • I tried adding IPs to jails manually using `fail2ban-client set JAILNAME banip IPADDRESS` which works and bans the IP. Then I was convinced that fail2ban bans and blocks but has a problem before trying to add the IP address, maybe it gets the wrong IP. This means it can't read the file or can't parse it. This took me to the `jail.conf` file. It has a section named `backend`. It says it has 4 different methods. None worked for me and it seems pyinotify was not installed at all. Then I installed it and it worked ;) – Ergec Jun 17 '19 at 12:19

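The question's failregex reports 10797 hits under fail2ban-regex, so the filter itself is sound; what the jail does with those hits is a separate step. The following is an added example (not code from the original post or from the fail2ban project) that reproduces the filter's matching stage in plain Python: it expands the `<HOST>` placeholder the way fail2ban does (the expansion used here is an approximation of fail2ban 0.9.x's), runs the question's regex over constructed access_log lines in which the literal names `bad_host_1` and `bad_host_2` stand in for the filter's placeholders, and applies the jail's `maxretry = 1` threshold. It shows which hosts the jail would ban if the backend delivered those lines to it, which is the part that the missing pyinotify backend was silently breaking in the thread.

```python
import re
from collections import Counter

# failregex copied from the question's apache-badhosts.conf; <HOST> is fail2ban's
# placeholder, which fail2ban expands before compiling the pattern.
FAILREGEX = r'^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$'

# Approximation (assumption) of what fail2ban 0.9.x substitutes for <HOST>: an optional
# IPv4-mapped IPv6 prefix followed by an IPv4/IPv6 address or a hostname.
HOST_PATTERN = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Constructed sample access_log lines (not from the original post). bad_host_1 and
# bad_host_2 stand in for the placeholders used in the question's filter; the last
# line is a CONNECT to a host that is NOT on the list and must not match.
SAMPLE_ACCESS_LOG = [
    '221.8.179.164 - - [10/Jun/2019:22:04:19 +0200] "CONNECT bad_host_1:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0"',
    '221.8.179.164 - - [10/Jun/2019:22:04:20 +0200] "CONNECT bad_host_1:443 HTTP/1.1" 200 235 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2019:22:05:01 +0200] "GET http://bad_host_2/ HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '203.0.113.9 - - [10/Jun/2019:22:06:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2019:22:06:01 +0200] "CONNECT auth.riotgames.com:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile the filter, as fail2ban does when loading filter.d/*.conf."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def count_failures(lines, failregex: str = FAILREGEX) -> Counter:
    """Return a Counter of host -> number of log lines matching the failregex."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def hosts_to_ban(hits: Counter, maxretry: int = 1) -> list:
    """Hosts whose failure count reached maxretry (the question's jail sets maxretry = 1).

    fail2ban additionally requires the failures to fall within findtime; the sample lines
    are seconds apart, so that window is not modelled here.
    """
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == '__main__':
    hits = count_failures(SAMPLE_ACCESS_LOG)
    print(hits)                       # Counter({'221.8.179.164': 2, '198.51.100.7': 1})
    print(hosts_to_ban(hits))         # ['198.51.100.7', '221.8.179.164']
```

A match here (or in fail2ban-regex) only proves the filter; the jail still has to be handed new lines by its backend, which is why confirming the backend in fail2ban.log is the next check when matches exist but no bans follow.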
2 Answers

6

Most probably you don't have pyinotify installed on your system, which causes fail2ban to fail to get log file modifications. I had the same problem and fixed it using this.

1. Install pyinotify:

yum install python-inotify

2. Once it's installed, edit your jail.local and put

[myjail]
...
backend = pyinotify
...

3. Restart fail2ban:

systemctl restart fail2ban
Ergec
  • Interesting idea, but made no improvement for me. I am in a bit different scenario in that 2 out of 3 of my jails do ban **and** appear in fail2ban.log, anyway, with or without this answer. – John Sep 29 '22 at 14:03
3

Not exactly the solution to the above problem, but it may help others that come here:

For me the problem was, that fail2ban was watching the wrong logfile.

My nginx jails did not work since they used logpath = %(nginx_error_log)s which is /var/log/nginx/error.log. However, all accesses, including 4xx and 5xx, were logged to /var/log/nginx/access.log.

Exchanging %(nginx_error_log)s with %(nginx_access_log)s fixed it.

To see which log file a jail uses you can inspect the startup message of /var/log/fail2ban.log:

Creating new jail 'nginx-http-auth'
Jail 'nginx-http-auth' uses pyinotify {}
Initiated 'pyinotify' backend
Added logfile: '/var/log/nginx/error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
das Keks
  • I prefer to see which log files a jail uses with `sudo fail2ban-client status nginx-limit-req`:

    Status for the jail: nginx-limit-req
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- File list: /var/log/nginx/.com_error.log /var/log/nginx/error.log

    – John Sep 29 '22 at 14:08
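Both answers come down to reading fail2ban's startup messages: the first needs the backend line, the second the `Added logfile` line. The following is an added shell example (not from either answer or from the fail2ban project) that parses those messages and reports, per jail, which backend was initiated and which log file was added, so both failure modes can be checked in one pass. The log text is a constructed sample in the stripped form shown in the second answer; the `apache-badhosts` jail falling back to `polling` is an assumption made up for the sample, not something the thread observed. Pipe the real `/var/log/fail2ban.log` into `jail_backends` instead of the sample to check a live host.

```sh
#!/bin/sh
# Constructed sample of fail2ban startup messages (not from a real host), in the form
# shown in the answer above. One jail initiated pyinotify, the other polling (assumption).
SAMPLE_FAIL2BAN_LOG="Creating new jail 'nginx-http-auth'
Jail 'nginx-http-auth' uses pyinotify {}
Initiated 'pyinotify' backend
Added logfile: '/var/log/nginx/error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
Creating new jail 'apache-badhosts'
Jail 'apache-badhosts' uses polling {}
Initiated 'polling' backend
Added logfile: '/var/log/httpd/access_log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)"

q="'"

# Read fail2ban log text on stdin; print one "jail backend logfile" line for every
# 'Added logfile' message, using the most recent 'Creating new jail' and
# 'Initiated ... backend' messages seen before it. Leading timestamps are tolerated
# because every pattern starts with '*'.
jail_backends() {
  jail="" backend=""
  while IFS= read -r line; do
    case "$line" in
      *"Creating new jail '"*)    jail=${line#*$q};       jail=${jail%%$q*} ;;
      *"Initiated '"*"' backend"*) backend=${line#*$q};    backend=${backend%%$q*} ;;
      *"Added logfile: '"*)       f=${line#*$q};          f=${f%%$q*}
                                  printf '%s %s %s\n' "$jail" "$backend" "$f" ;;
    esac
  done
}

# Backend initiated for the named jail, from the sample log (empty if the jail is absent).
backend_of() {
  printf '%s\n' "$SAMPLE_FAIL2BAN_LOG" | jail_backends | awk -v j="$1" '$1 == j { print $2 }'
}

# Log file(s) added for the named jail, from the sample log (empty if the jail is absent).
logfile_of() {
  printf '%s\n' "$SAMPLE_FAIL2BAN_LOG" | jail_backends | awk -v j="$1" '$1 == j { print $3 }'
}

backend_of apache-badhosts
logfile_of nginx-http-auth
```

If a jail shows a backend other than the one you configured, or a log path that is not the file Apache or nginx actually writes the relevant requests to, fix that before touching the failregex: fail2ban-regex cannot reveal either problem because it reads the file you name on its command line directly.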