fail2ban does not process the jail, even though the regex matches

3

I'm having trouble configuring fail2ban to check the nginx error log for failed HTTP authentication entries. Even though the supplied failregex works, fail2ban seems to simply ignore the jail configuration.

I have already tried setting the log level to 4, but there is no information about any failure related to the nginx jail. I also figured that the timestamps in the log files have to match the system time, which is obviously already the case.

Strangely, the other jail I configured (ssh) works perfectly. I'm out of ideas, maybe you have one. Here is, hopefully, all the information you need. Thanks.

fail2ban.conf

[Definition]

loglevel = 3
logtarget = /var/example/logs/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

jail.conf

[DEFAULT]

ignoreip = 127.0.0.1
bantime  = 60
findtime = 600
maxretry = 3
backend  = auto

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
logpath  = /var/log/auth.log

[nginx]

enabled = true
filter  = nginx-auth
action   = iptables-allports[name=nginx, protocol=all]
logpath = /var/example/logs/nginx-error.log

filter.d/nginx-auth.conf

[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>

ignoreregex = 

fail2ban-regex /var/example/logs/nginx-error.log /var/example/config/fail2ban/filter.d/nginx-auth.conf

Running tests
=============

Use regex file : /var/example/config/fail2ban/filter.d/nginx-auth.conf
Use log file   : /var/example/logs/nginx-error.log


Results
=======

Failregex
|- Regular expressions:
|  [1] no user/password was provided for basic authentication.*client: <HOST>
|  [2] user .* was not found in.*client: <HOST>
|  [3] user .* password mismatch.*client: <HOST>
|
'- Number of matches:
[1] 60 match(es)
[2] 0 match(es)
[3] 0 match(es)

Ignoreregex
|- Regular expressions:
|
'- Number of matches:

Summary
=======

Addresses found:
[1]
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:08 2011)
192.168.153.1 (Fri Sep 02 14:08:09 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
[2]
[3]

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
240 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 60
    
by nginxguy 02.09.2011 / 14:54

2 answers

1

After compiling fail2ban from source, it works. It seems the Debian package I installed with apt-get fail2ban is still a buggy development version.

    
by 11.09.2011 / 09:52
2

I had the same problem - it turned out to be a timezone issue.

I was on GMT when syslogd/sshd were started, so /var/log/secure and /var/log/messages wrote their timestamps in GMT. However, I had since set tzdata to my local timezone and then started fail2ban. Now fail2ban was confused because all the events were 7 hours ahead and therefore not within the "findtime" window.

The simple fix was just to restart syslogd and sshd so that they picked up the new timezone. Now fail2ban bans like a champ.

    
by 10.10.2013 / 09:59
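The question shows that the failregex matches 60 lines yet no ban happens, and the second answer explains why a match alone is not enough: fail2ban only counts a failure whose log timestamp lies within findtime of its own clock. The following Python script is an added example, not code from the question, the answers or the fail2ban project. It replays the three failregex lines from the nginx-auth.conf filter above over a few constructed nginx error-log lines and applies the jail's findtime/maxretry rule, once with the log writer and the daemon agreeing on the timezone and once with a seven-hour mismatch. Assumptions: the expansion of the <HOST> tag is the IPv4/hostname form used by the fail2ban 0.8 series, the sample log lines and the daemon clock are constructed, and the stale-line check is a simplified model of the daemon's behaviour (the example shows the skew in the direction that makes events look too old; which direction a real mismatch takes depends on which side changed zone).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The three failregex lines from the nginx-auth.conf filter in the question.
# fail2ban expands the <HOST> tag itself; the pattern below is the IPv4/hostname
# form used by the 0.8 series (assumption for this example).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    r"no user/password was provided for basic authentication.*client: <HOST>",
    r"user .* was not found in.*client: <HOST>",
    r"user .* password mismatch.*client: <HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# nginx error-log timestamp: the "Year/Month/Day Hour:Minute:Second" template
# that fail2ban-regex reported hits for in the question.
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_failure(line, log_tz):
    """Return (timestamp, host) if the line matches a failregex, else None.

    log_tz is the zone the daemon assumes the log was written in. A log writer
    that was started under a different zone is the mismatch from answer 2.
    """
    m = DATE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=log_tz)
    for rx in COMPILED:
        hit = rx.search(line)
        if hit is not None:
            return ts, hit.group("host")
    return None


def find_bans(lines, log_tz, now, findtime=600, maxretry=3):
    """Replay the jail's findtime/maxretry decision over a list of log lines.

    Simplified model of the daemon: a failure whose timestamp is more than
    findtime seconds behind the daemon clock ('now') is discarded before it is
    counted, so a clock/timezone skew larger than findtime means regex matches
    never turn into bans. Returns (banned hosts, number of stale lines skipped).
    """
    recent = defaultdict(list)
    banned = set()
    skipped_stale = 0
    for line in lines:
        parsed = parse_failure(line, log_tz)
        if parsed is None:
            continue
        ts, host = parsed
        if (now - ts).total_seconds() > findtime:
            skipped_stale += 1
            continue
        # Sliding window: keep only this host's failures within findtime of ts.
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned, skipped_stale


# Constructed sample lines in nginx error-log format (not taken from the page).
SAMPLE_LOG = [
    '2011/09/02 14:07:54 [error] 4242#0: *1 no user/password was provided for basic authentication, client: 192.168.153.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
    '2011/09/02 14:07:55 [error] 4242#0: *2 user "bob" was not found in "/etc/nginx/htpasswd", client: 192.168.153.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
    '2011/09/02 14:07:56 [notice] 4242#0: signal process started',
    '2011/09/02 14:07:57 [error] 4242#0: *3 user "bob": password mismatch, client: 192.168.153.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
    '2011/09/02 14:08:01 [error] 4242#0: *4 no user/password was provided for basic authentication, client: 192.168.153.2, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
]

# Constructed daemon clock, a few seconds after the last line, as when tailing a live log.
NOW = datetime(2011, 9, 2, 14, 8, 30, tzinfo=timezone.utc)


def demo():
    # Log writer and daemon agree on the zone: three failures from .1 -> ban.
    agreed = find_bans(SAMPLE_LOG, timezone.utc, NOW)
    # Daemon reads the same timestamps as UTC+7: every event now looks seven
    # hours old, far beyond findtime, and nothing is ever counted.
    skewed = find_bans(SAMPLE_LOG, timezone(timedelta(hours=7)), NOW)
    return agreed, skewed


if __name__ == "__main__":
    agreed, skewed = demo()
    print("zones agree :", agreed)
    print("7h skew     :", skewed)
```

With matching zones the script bans 192.168.153.1 after its third failure and leaves 192.168.153.2 alone; with the seven-hour skew it bans nobody and reports all four failures as stale, which is the "regex matches but no ban" symptom in the question. Running fail2ban at loglevel 4 and looking for the "Ignore line" debug messages, or comparing `date` on the host with the newest timestamp in the log, is the quickest way to tell this case apart from a genuinely broken filter.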