I configured fail2ban to monitor a service that I exposed outside my router. The files are being logged correctly and the events are being picked up by fail2ban:
2013-11-21 01:05:24,573 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:24,576 fail2ban.filter : DEBUG File changed: /path/to/log.log
2013-11-21 01:05:34,636 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:34,639 fail2ban.filter : DEBUG File changed: /path/to/log.log
2013-11-21 01:05:36,667 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:36,671 fail2ban.filter : DEBUG File changed: /path/to/log.log
2013-11-21 01:05:39,700 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:39,703 fail2ban.filter : DEBUG File changed: /path/to/log.log
2013-11-21 01:05:41,732 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:41,736 fail2ban.filter : DEBUG File changed: /path/to/log.log
2013-11-21 01:05:48,770 fail2ban.filter : DEBUG Got event: 1 for /path/to/log.log
2013-11-21 01:05:48,773 fail2ban.filter : DEBUG File changed: /path/to/log.log
jail.conf:
[service-name]
enabled = true
port = 1234
filter = service-name
action = iptables[name=service-name, port=1234, protocol=tcp]
         sendmail-whois[name=service-name, [email protected]]
logpath = /path/to/log.log
maxretry = 5
fail2ban/filter.d/service-name:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = service-name
failregex = .* Login failed from <HOST>
Sample log file:
[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2
Any idea where to start?

Edit: I enabled SSH in jail.conf and it worked without problems, so fail2ban and iptables seem to be working fine, but the service jail is not.

I experienced the same behaviour and found that the fail2ban server had the wrong time.
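To make the answer's point concrete, the following added example (written for this page; not fail2ban's own code and not from the original posts) reproduces in a few lines what a jail does with the question's filter and log: it applies a simplified version of the failregex, parses the bracketed timestamps, and only counts failures whose log time falls within findtime of the server's idea of "now". The default findtime of 600 seconds and the question's maxretry of 5 are assumed; the IPv4-only pattern standing in for fail2ban's <HOST> substitution is an assumption of this model, and the log lines are the question's own entries embedded as constructed sample input.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the log entries from the question, verbatim.
SAMPLE_LOG = """\
[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2
"""

# The question's failregex, with <HOST> replaced by an IPv4-only group
# (assumption: a simplification of fail2ban's real host pattern) and the
# bracketed timestamp captured so it can be compared with the clock.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*Login failed from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)
TS_FORMAT = "%m-%d-%Y %H:%M:%S"  # layout of the timestamps in the sample log


def parse_failures(text):
    """Return (timestamp, host) for every line the failregex matches."""
    found = []
    for line in text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            found.append((datetime.strptime(m.group("ts"), TS_FORMAT), m.group("host")))
    return found


def hosts_to_ban(failures, now, findtime=600, maxretry=5):
    """Simplified jail decision: a host is banned once it has at least
    maxretry failures whose log timestamps are no older than findtime
    seconds before `now`.  Entries older than the window are discarded,
    so if the server clock runs ahead of the log every failure looks
    stale and no ban is ever issued."""
    window_start = now - timedelta(seconds=findtime)
    counts = {}
    for ts, host in failures:
        if ts >= window_start:
            counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


def run_scenarios():
    """Compare a correct clock with one that is two hours ahead of the log."""
    failures = parse_failures(SAMPLE_LOG)
    # Correct clock: a few minutes after the last failed login.
    correct_clock = hosts_to_ban(failures, datetime(2013, 11, 21, 1, 5, 0))
    # Skewed clock: server believes it is 03:05, so all entries are > findtime old.
    skewed_clock = hosts_to_ban(failures, datetime(2013, 11, 21, 3, 5, 0))
    return len(failures), correct_clock, skewed_clock


if __name__ == "__main__":
    matched, correct_clock, skewed_clock = run_scenarios()
    print(f"lines matched by failregex: {matched}")
    print(f"banned with correct clock:  {correct_clock}")
    print(f"banned with clock 2h ahead: {skewed_clock}")
```

With the correct clock the six failures between 01:01:23 and 01:01:47 fall inside the window and 192.168.1.2 is banned; with the server clock two hours ahead the same lines are all treated as expired and the ban list stays empty, which matches the symptom in the question. On a real host the two checks worth running are `date` on the fail2ban server against the timestamps in the monitored log, and `fail2ban-regex /path/to/log.log /etc/fail2ban/filter.d/service-name.conf`, which reports how many lines the filter matches and whether the dates were recognised.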
Tags: fail2ban