An application I'm running logs incorrect logins such as this:
Tue, 19 Mar 13 20:46:03 +0000 failed login from iphere !
Tue, 19 Mar 13 20:46:03 +0000 failed login from iphere !
Tue, 19 Mar 13 20:46:03 +0000 failed login from iphere !
I'm trying to get people that fail to log in IP banned to prevent brute force attacks. Note: iphere is obviously the real IP. And no, not 127.0.0.1 as this is excluded from banning in the configuration :)
What I've tried
- Searched and read about 10 guides...
- Reinstalled Fail2ban
- Set backend to polling instead of auto, many reported this is a bug
- Checked all the logs
- Tested the regexp
- Confirmed fail2ban is working
- Made the findtime and bantime extremely long to see if it was perhaps a timezone issue (the application stores GMT timestamps and the server is in GMT+1)
Fail2ban is working with the default, un-changed SSH jail/filter! I tried logging in to SSH a couple of times and that causes a ban. So it is my configuration at fault somehow.
A good guide I've found is this: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
A fix I applied was this, from "fail2ban.action.action ERROR on startup/restart": "I had multiple fail2ban.action.action ERROR on startup/restart. It seems there was a 'race' condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)". This was an error I saw in the fail2ban log, which was solved with the above.
Log files
The log files show that the jail starts fine. I can see lines being written to /var/log/myapp.log. fail2ban-client -d gives me this, aside from the default SSH filter:
['add', 'myapp', 'polling']
['set', 'myapp', 'addlogpath', '/var/log/myapp.log']
['set', 'myapp', 'maxretry', 3]
['set', 'myapp', 'addignoreip', '127.0.0.1/8']
['set', 'myapp', 'findtime', 60000]
['set', 'myapp', 'bantime', 1800]
['set', 'myapp', 'addfailregex', '.*failed login from <HOST> .*']
Below you will find my configuration files.
Filter
/etc/fail2ban/filter.d/myapp.conf
[Definition]
failregex = .*failed login from <HOST> .*
I tested the filter with:
fail2ban-regex /var/log/myapp.log /etc/fail2ban/filter.d/myapp.conf
Result (nothing special, just a list of matches and this): Success, the total number of match is 254
So the filter should be fine.
Jail
[myapp]
enabled = true
port = all
filter = myapp
logpath = /var/log/myapp.log
findtime = 60000
bantime = 1800
maxretry = 3
banaction = iptables-multiport-log
After setting these, obviously, I did a fail2ban-client reload and service fail2ban restart.
Suffice it to say, no bans are being done at all. I've spent quite some time on this issue, but I figured it has to be something small, so I thought it'd be good to ask here.
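As an added illustration (not part of the question, and not fail2ban's own code), the following Python script replays the poster's failregex, maxretry, findtime and ignoreip settings over constructed log lines in the application's format, parsing the "+0000" offset so that the timezone question raised above can be checked directly. The sample IP addresses are made up; fail2ban's real <HOST> expansion is broader than the IPv4 pattern assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The filter from the question, with <HOST> expanded to a plain IPv4 pattern
# (an assumption; fail2ban's own <HOST> also covers IPv6 and hostnames).
FAILREGEX = r".*failed login from <HOST> .*"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Timestamp prefix in the application's format, e.g. "Tue, 19 Mar 13 20:46:03 +0000".
TS_RE = re.compile(r"^(?P<ts>\w{3}, \d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) ")

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Tue, 19 Mar 13 20:46:03 +0000 failed login from 203.0.113.5 !
Tue, 19 Mar 13 20:46:05 +0000 failed login from 203.0.113.5 !
Tue, 19 Mar 13 20:46:09 +0000 failed login from 203.0.113.5 !
Tue, 19 Mar 13 20:47:00 +0000 failed login from 127.0.0.1 !
Tue, 19 Mar 13 20:47:30 +0000 successful login from 203.0.113.9
"""

def parse_line(line):
    """Return (aware timestamp, host) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    t = TS_RE.match(line)
    if not m or not t:
        return None
    # %z consumes the "+0000" offset, so comparisons below are timezone-aware
    # regardless of the server running in GMT+1.
    ts = datetime.strptime(t.group("ts"), "%a, %d %b %y %H:%M:%S %z")
    return ts, m.group("host")

def offenders(log_text, maxretry=3, findtime=60000, ignoreip=("127.0.0.1/8",)):
    """Hosts reaching maxretry failures inside findtime seconds, as a jail would count them."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if any(ip_address(host) in net for net in ignored):
            continue
        window_start = ts - timedelta(seconds=findtime)
        recent[host] = [a for a in recent[host] if a >= window_start] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

Running offenders(SAMPLE_LOG) returns {"203.0.113.5"}: the loopback failure is skipped by the ignoreip rule and the successful-login line never matches the failregex.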