fail2ban receiving events, but not triggering events

1

I have configured fail2ban to monitor a service that I have exposed outside my router. The files are being logged correctly and the events are being picked up by fail2ban:

2013-11-21 01:05:24,573 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:24,576 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:34,636 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:34,639 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:36,667 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:36,671 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:39,700 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:39,703 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:41,732 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:41,736 fail2ban.filter : DEBUG  File changed: /path/to/log.log
2013-11-21 01:05:48,770 fail2ban.filter : DEBUG  Got event: 1 for /path/to/log.log
2013-11-21 01:05:48,773 fail2ban.filter : DEBUG  File changed: /path/to/log.log

jail.conf:

[service-name]

enabled  = true
port     = 1234
filter   = service-name
action   = iptables[name=service-name, port=1234, protocol=tcp]
           sendmail-whois[name=service-name, [email protected]]
logpath  = /path/to/log.log
maxretry = 5

fail2ban/filter.d/service-name:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]
_daemon = service-name

failregex = .* Login failed from <HOST>

Sample log file:

[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2

Any ideas where to start?

Edit: I enabled SSH in jail.conf and it worked without problems, so fail2ban and iptables seem to be working fine, but the service is not working.

    
by Sugitime 21.11.2013 / 09:14

1 answer

0

I experienced the same behavior and found that the fail2ban server had an incorrect time.

    
by 14.01.2014 / 12:37
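
The clock problem named in the answer, as an added example that is not part of the original posts and is not fail2ban's own code: a simplified model of the findtime window, replaying the question's sample log with its failregex and maxretry against two server clocks. The 600-second findtime, the month-day-year timestamp format, the IPv4-only stand-in for `<HOST>`, the clock values and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the question's sample.
SAMPLE_LOG = """\
[11-21-2013 00:12:00] Login failed from 192.168.1.2
[11-21-2013 01:01:23] Login failed from 192.168.1.2
[11-21-2013 01:01:33] Login failed from 192.168.1.2
[11-21-2013 01:01:35] Login failed from 192.168.1.2
[11-21-2013 01:01:38] Login failed from 192.168.1.2
[11-21-2013 01:01:39] Login failed from 192.168.1.2
[11-21-2013 01:01:47] Login failed from 192.168.1.2
"""

# failregex from the question; <HOST> is replaced by a simplified IPv4 group
# (assumption: the real <HOST> expansion in fail2ban also accepts hostnames).
FAILREGEX = re.compile(r".* Login failed from (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
STAMP = re.compile(r"^\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\]")
STAMP_FORMAT = "%m-%d-%Y %H:%M:%S"  # assumed month-day-year, as the sample suggests


def failures_in_window(log_text, server_now, findtime):
    """Count failures per host that are no older than findtime seconds before server_now."""
    oldest = server_now - timedelta(seconds=findtime)
    counts = {}
    for line in log_text.splitlines():
        stamp, hit = STAMP.match(line), FAILREGEX.match(line)
        if not (stamp and hit):
            continue
        when = datetime.strptime(stamp.group(1), STAMP_FORMAT)
        if when < oldest:
            continue  # too old relative to the server clock, so not counted
        counts[hit.group("host")] = counts.get(hit.group("host"), 0) + 1
    return counts


def hosts_to_ban(log_text, server_now, findtime=600, maxretry=5):
    """Hosts whose in-window failure count reaches maxretry (findtime default is assumed)."""
    counts = failures_in_window(log_text, server_now, findtime)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    correct = datetime(2013, 11, 21, 1, 5, 48)  # constructed: clock agrees with the log
    ahead = correct + timedelta(hours=1)        # constructed: server clock one hour ahead
    print("clock correct:", hosts_to_ban(SAMPLE_LOG, correct))
    print("clock 1h ahead:", hosts_to_ban(SAMPLE_LOG, ahead))
```

With the clock ahead, every matching line falls outside the window, so the log file keeps producing change events while no failure is ever counted toward maxretry.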
