Fail2ban перестал работать jail

0

1

[root@relay ~]# fail2ban-client -V
0.10.4
[root@relay ~]# uname -a
FreeBSD 10.4-RELEASE-p5

Перестал отлавливать и банить jail apache-auth

[apache-auth]
enabled = true
filter = apache-auth
port     = http,https
logpath  = %(apache_error_log)s
bantime  = 604800m
findtime  = 10m
maxretry = 4

при проверке совпадения видит но никак на них не реагирует

[root@relay ~]# fail2ban-regex /var/log/httpd-error.log /usr/local/etc/fail2ban/filter.d/apache-auth.conf

Running tests
=============

Use   failregex filter file : apache-auth, basedir: /usr/local/etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/httpd-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 25 total
|-  #) [# of hits] regular expression
|   1) [25] ^client (?:denied by server configuration|used wrong authentication scheme)\b
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [25] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 25 lines, 0 ignored, 25 matched, 0 missed
[processed in 0.01 sec]

в логах ошибок не вижу

2019-02-06 16:42:14,998 fail2ban.jail           [28620]: INFO    Creating new jail 'apache-auth'
2019-02-06 16:42:14,998 fail2ban.jail           [28620]: INFO    Jail 'apache-auth' uses poller {}
2019-02-06 16:42:14,998 fail2ban.jail           [28620]: INFO    Initiated 'polling' backend
2019-02-06 16:42:15,007 fail2ban.filter         [28620]: INFO    Added logfile: '/var/log/httpd-error.log' (pos = 108771, hash = 68b329da9893e34099c7d8ad5cb9c940)
2019-02-06 16:42:15,007 fail2ban.filter         [28620]: INFO      maxRetry: 4
2019-02-06 16:42:15,008 fail2ban.filter         [28620]: INFO      encoding: UTF-8
2019-02-06 16:42:15,008 fail2ban.filter         [28620]: INFO      findtime: 600
2019-02-06 16:42:15,008 fail2ban.actions        [28620]: INFO      banTime: 36288000
2019-02-06 16:42:15,044 fail2ban.jail           [28620]: INFO    Jail 'apache-auth' started

Подскажите куда копать!?

Ссылка

←	Перенос SNAP приложения на другой пк

RedMine перестал отправлять уведомления на почту!

→

Может не findtime не попадает?

targitaj ★★★★★
(06.02.19 18:17:14 MSK)

Ответ на: комментарий от targitaj 06.02.19 18:17:14 MSK

Да нет все работало в таком виде. Для теста делаю 10 попыток подключения за несколько секунд и ноль. Другие работают к примеру

[webmin-auth]
enabled = true
filter = webmin-auth
port    = 10001
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
bantime  = 604800m
findtime  = 10m
maxretry = 2

fly380
(06.02.19 18:27:41 MSK) автор топика

Ответ на: комментарий от fly380 06.02.19 18:27:41 MSK

Ты вообще понимаешь смысл опции findtime?

targitaj ★★★★★
(06.02.19 18:29:51 MSK)

Ответ на: комментарий от targitaj 06.02.19 18:29:51 MSK

Да я понимаю что это интервал за который событие должно повториться для того чтобы попасть под действие фильтра. Ставлю findtime = 600, та даже findtime = 3600 результат нулевой.

fly380
(06.02.19 18:40:38 MSK) автор топика

Ответ на: комментарий от fly380 06.02.19 18:40:38 MSK

Не просто «событие», а с того же адреса. Адреса те же? Когда меня брутило 10000+ адресов, они делали паузу в несколько часов с адреса.

targitaj ★★★★★
(06.02.19 18:47:02 MSK)

Ответ на: комментарий от targitaj 06.02.19 18:47:02 MSK

Ну вот к примеру кусок лога где никакой паузы нет и оно точно подпадает под фильтр.

[Mon Feb 06 12:42:20.234969 2019] [access_compat:error] [pid 12501] [client 78.139.49.71:56785] AH01797: client denied by server configuration: /usr/local/www/apache24/data/HNAP1
[Mon Feb 06 12:42:20.965255 2019] [access_compat:error] [pid 3516] [client 78.139.49.71:56862] AH01797: client denied by server configuration: /usr/local/www/apache24/data/hudson
[Mon Feb 06 12:42:21.417353 2019] [access_compat:error] [pid 3497] [client 78.139.49.71:56914] AH01797: client denied by server configuration: /usr/local/www/apache24/data/script
[Mon Feb 06 12:42:24.834138 2019] [access_compat:error] [pid 12253] [client 78.139.49.71:56973] AH01797: client denied by server configuration: /usr/local/www/apache24/data/sqlite
[Mon Feb 06 12:42:25.346632 2019] [access_compat:error] [pid 13323] [client 78.139.49.71:57305] AH01797: client denied by server configuration: /usr/local/www/apache24/data/sqlitemanager
[Mon Feb 06 12:42:27.069132 2019] [access_compat:error] [pid 13191] [client 78.139.49.71:57363] AH01797: client denied by server configuration: /usr/local/www/apache24/data/SQLiteManager
[Mon Feb 06 12:42:28.888967 2019] [access_compat:error] [pid 13363] [client 78.139.49.71:57587] AH01797: client denied by server configuration: /usr/local/www/apache24/data/SQLite
[Mon Feb 06 12:42:30.222771 2019] [access_compat:error] [pid 12500] [client 78.139.49.71:57721] AH01797: client denied by server configuration: /usr/local/www/apache24/data/SQlite
[Mon Feb 06 12:42:31.557757 2019] [access_compat:error] [pid 3496] [client 78.139.49.71:57850] AH01797: client denied by server configuration: /usr/local/www/apache24/data/main.php
[Mon Feb 06 12:42:32.047443 2019] [access_compat:error] [pid 3516] [client 78.139.49.71:57901] AH01797: client denied by server configuration: /usr/local/www/apache24/data/test h
[Mon Feb 06 12:42:32.408072 2019] [access_compat:error] [pid 3497] [client 78.139.49.71:57957] AH01797: client denied by server configuration: /usr/local/www/apache24/data/SQLiteManager-1.2
[Mon Feb 06 12:42:33.323448 2019] [access_compat:error] [pid 12253] [client 78.139.49.71:58013] AH01797: client denied by server configuration: /usr/local/www/apache24/data/agSearch
[Mon Feb 06 12:42:34.058396 2019] [access_compat:error] [pid 13323] [client 78.139.49.71:58142] AH01797: client denied by server configuration: /usr/local/www/apache24/data/phpmyadmin
[Mon Feb 06 12:42:34.765262 2019] [access_compat:error] [pid 10446] [client 78.139.49.71:58215] AH01797: client denied by server configuration: /usr/local/www/apache24/data/phpMyAdmin
[Mon Feb 06 12:42:35.074713 2019] [access_compat:error] [pid 13191] [client 78.139.49.71:58265] AH01797: client denied by server configuration: /usr/local/www/apache24/data/PMA
[Mon Feb 06 12:42:35.504025 2019] [access_compat:error] [pid 13363] [client 78.139.49.71:58329] AH01797: client denied by server configuration: /usr/local/www/apache24/data/pma
[Mon Feb 06 12:42:35.916556 2019] [access_compat:error] [pid 12500] [client 78.139.49.71:58385] AH01797: client denied by server configuration: /usr/local/www/apache24/data/admin
[Mon Feb 06 12:42:36.506057 2019] [access_compat:error] [pid 3496] [client 78.139.49.71:58454] AH01797: client denied by server configuration: /usr/local/www/apache24/data/dbadmin
[Mon Feb 06 12:42:36.807243 2019] [access_compat:error] [pid 3516] [client 78.139.49.71:58509] AH01797: client denied by server configuration: /usr/local/www/apache24/data/mysql
[Mon Feb 06 12:42:37.166696 2019] [access_compat:error] [pid 3497] [client 78.139.49.71:58557] AH01797: client denied by server configuration: /usr/local/www/phpMyAdmin/
[Mon Feb 06 12:42:38.838644 2019] [access_compat:error] [pid 12253] [client 78.139.49.71:58621] AH01797: client denied by server configuration: /usr/local/www/apache24/data/openserver
[Mon Feb 06 12:42:39.936000 2019] [access_compat:error] [pid 13323] [client 78.139.49.71:58746] AH01797: client denied by server configuration: /usr/local/www/apache24/data/phpmyadmin2
[Mon Feb 06 12:42:40.250344 2019] [access_compat:error] [pid 10446] [client 78.139.49.71:58859] AH01797: client denied by server configuration: /usr/local/www/apache24/data/phpMyAdmin2

еще позавчера банило а сегодня заметил что нет. Сам уже пробовал 20-30 подключений делаю и никакого бана

fly380
(06.02.19 18:59:42 MSK) автор топика

Ответ на: комментарий от fly380 06.02.19 18:59:42 MSK

А точно не трогал ничего?

fail2ban-client status

что говорит?

targitaj ★★★★★
(06.02.19 19:03:57 MSK)

Ответ на: комментарий от targitaj 06.02.19 19:03:57 MSK

Ничего что могло бы повлиять на работу именно одного джейла (остальные работают).

[root@relay ~]# fail2ban-client status
Status
|- Number of jail:      5
`- Jail list:   apache-auth, dovecot, postfix, sshd, webmin-auth

[root@relay ~]# fail2ban-client status apache-auth
Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/httpd-error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   78.139.49.71 64.137.239.197

(78.139.49.71 внес вручную) я уже и базу сносил и сам fail2ban переустанавливал именно apache-auth не хочет работать, а остальные работают.

fly380
(06.02.19 20:16:21 MSK) автор топика