Categories
Mastering Development System & Network

Fail2ban-regex matches from string but not from filter.d files

I'm trying to match wordpress failed logins and I'm struggling with fail2ban configuration. The lines I'm trying to match look like this:

116.147.121.40 - - [26/Mar/2020:10:18:24 +0100] "POST /wp-login.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

My problem is that fail2ban-regex matches the lines only if used like this: fail2ban-regex […]


What are missed lines in fail2ban?

I had millions of lines such as these in my log file yesterday:

Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306
Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530
Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696
[…]


Fail2Ban not working with Feb 9 11:57:51 NOQUEUE: reject: RCPT from unknown[185.143.223.170]

I have these files in my mail.log file:

Feb 9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <ian@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<ian@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb 9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <david@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<david@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb 9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: […]


Fail2ban regex doesn’t match

I have tried many regular expressions in fail2ban config, but it never returns any matches. Line example:

[2019-12-10 10:45:38] NOTICE[15077] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:Cant@178.216.162.105>' failed for '195.154.214.141:53360' (callid: 1570242695-1186607423-1664578181) - No matching endpoint found

Fail2Ban asterisk config:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If […]
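All four questions above come down to the same thing: does a failregex, after fail2ban has cut the timestamp out of the line and expanded <HOST>, actually match the line, and which lines end up counted as "missed" because no failregex matched them? The harness below is an added example written for this page, not fail2ban's own code, and it re-implements only that matching step in plain Python. The sample lines are constructed from the excerpts above (one non-matching line per log type is added to show a miss), the date patterns and failregexes are this example's own, and <HOST> is expanded to an IPv4-only pattern as a simplification (the real fail2ban <HOST> also accepts IPv6 addresses and hostnames). It checks regex logic only; it does not read filter.d files, so a regex that passes here but fails from a filter file still has to survive fail2ban's config parsing, which is a separate step.

```python
"""Minimal stand-in for the matching step of fail2ban-regex (added example).

Like fail2ban, the timestamp is removed from the line before each failregex
is tried; that is why the Apache pattern below contains an empty "[]".
"""
import re

# Assumption: IPv4 only.  fail2ban's real <HOST> also covers IPv6 and hostnames.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample lines modelled on the excerpts above; the last line of
# each list is deliberately unrelated so it shows up as "missed".
SAMPLES = {
    "wordpress": [
        '116.147.121.40 - - [26/Mar/2020:10:18:24 +0100] "POST /wp-login.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"',
        '10.0.0.5 - - [26/Mar/2020:10:18:25 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    ],
    "sshd": [
        r"Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306",
        r"Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530",
        "Feb 25 18:00:01 mond2 sshd[29580]: Accepted publickey for ops from 10.0.0.7 port 41022 ssh2",
    ],
    "postfix": [
        "Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <ian@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<ian@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>",
        "Feb  9 11:58:02 ctrl-01 postfix/smtpd[21155]: connect from mail.example.org[203.0.113.9]",
    ],
    "asterisk": [
        "[2019-12-10 10:45:38] NOTICE[15077] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:Cant@178.216.162.105>' failed for '195.154.214.141:53360' (callid: 1570242695-1186607423-1664578181) - No matching endpoint found",
        "[2019-12-10 10:45:40] NOTICE[15077] chan_sip.c: Registration from '<sip:bob@pbx.example>' accepted",
    ],
}

# (datepattern, [failregex, ...]) per log type.  These are this example's own
# patterns, not the ones shipped in fail2ban's filter.d.
FILTERS = {
    # A POST to wp-login.php answered with 200 is a failed login; a successful
    # one redirects (302), so status 200 is the signal here.
    "wordpress": (
        r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
        [r'^<HOST> - \S+ \[\] "POST /wp-login\.php HTTP/[12]\.[01]" 200 '],
    ),
    "sshd": (
        r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ",
        [r"^\S+ sshd\[\d+\]: Bad protocol version identification '[^']*' from <HOST>( port \d+)?$"],
    ),
    "postfix": (
        r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ",
        [r"^\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 4\d\d 4\.7\.1 .*Relay access denied"],
    ),
    # The address to ban is the one the request "failed for", not the URI in
    # the From header, which the attacker controls.
    "asterisk": (
        r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ",
        [r"^NOTICE\[\d+\] \S+: Request '[^']*' from '[^']*' failed for '<HOST>:\d+' \(callid: \S+\) - No matching endpoint found$"],
    ),
}


def expand(failregex):
    """Replace the <HOST> placeholder with a named group and compile."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_line(name, line):
    """Return the host a failregex captured for this line, or None."""
    datepattern, failregexes = FILTERS[name]
    m = re.search(datepattern, line)
    if not m:
        return None  # no timestamp found: counted as missed
    stripped = line[:m.start()] + line[m.end():]
    for failregex in failregexes:
        hit = expand(failregex).search(stripped)
        if hit:
            return hit.group("host")
    return None


def run(name, lines):
    """Return (hosts of matched lines, missed lines), like the fail2ban-regex summary."""
    matched, missed = [], []
    for line in lines:
        host = match_line(name, line)
        if host:
            matched.append(host)
        else:
            missed.append(line)
    return matched, missed


if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        matched, missed = run(name, lines)
        print(f"{name}: {len(matched)} matched {matched}, {len(missed)} missed")
```

A line ends up in the "missed" list for one of two reasons: either the date pattern did not recognise its timestamp, or no failregex matched what was left after the timestamp was removed. When a pattern matches on the fail2ban-regex command line but not from a filter file, the regex itself is usually fine and the difference is introduced by how the file is parsed, so test the regex in isolation first, as here, and then look at what the filter file turns it into.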