fail2ban on RHEL 7: the proftpd rule does not work, IPs are not banned

cat /etc/fail2ban/jail.local
[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
banaction = firewallcmd-ipset
logpath  = /var/log/proftpd/proftpd-error.log
findtime = 600
bantime  = 900
maxretry = 5

fail2ban-regex /var/log/proftpd/proftpd-error.log /etc/fail2ban/filter.d/proftpd.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/proftpd.conf
Use         log file : /var/log/proftpd/proftpd-error.log
Use         encoding : UTF-8


Results
=======

Failregex: 301 total
|-  #) [# of hits] regular expression
|   1) [166] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?proftpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?proftpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*\S+ \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
|   2) [135] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?proftpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?proftpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*\S+ \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [986] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 986 lines, 0 ignored, 301 matched, 685 missed [processed in 0.26 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 685 lines

cat /var/log/fail2ban.log

2015-01-27 11:56:04,840 fail2ban.server         [27195]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-01-27 11:56:04,841 fail2ban.database       [27195]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-01-27 11:56:04,844 fail2ban.jail           [27195]: INFO    Creating new jail 'proftpd'
2015-01-27 11:56:04,868 fail2ban.jail           [27195]: INFO    Jail 'proftpd' uses systemd
2015-01-27 11:56:04,894 fail2ban.jail           [27195]: INFO    Initiated 'systemd' backend
2015-01-27 11:56:04,898 fail2ban.filter         [27195]: INFO    Set maxRetry = 5
2015-01-27 11:56:04,900 fail2ban.actions        [27195]: INFO    Set banTime = 900
2015-01-27 11:56:04,901 fail2ban.filter         [27195]: INFO    Set findtime = 600
2015-01-27 11:56:04,928 fail2ban.filtersystemd  [27195]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2015-01-27 11:56:04,939 fail2ban.jail           [27195]: INFO    Jail 'proftpd' started

ipset list
Name: fail2ban-proftpd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 900
Size in memory: 16528
References: 1
Members:

I can't figure out where the mistake is, Fail2Ban v0.9.1


Is firewalld running on your system, or has it been removed? Does the "firewall-cmd" command exist? And does the file "/etc/fail2ban/action.d/firewallcmd-ipset.conf" exist?

Does "grep fail2ban /var/log/messages" show anything interesting?

mky ★★★★★

Reply to: comment by mky

The firewalld service is of course running; in /var/log/messages, with the config I gave above, there is nothing interesting, it only writes that fail2ban was started/stopped.

tm4ig (topic starter)

Reply to: comment by tm4ig

I had to set backend = polling

tm4ig (topic starter)
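The fix in the last reply, as an added configuration check that is not code from the thread or from fail2ban itself: the fail2ban.log line "Jail 'proftpd' uses systemd" means the jail inherited backend = systemd, so it searched the journal and never polled logpath. The check below loads jail files in fail2ban's own order (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and flags enabled jails where a systemd backend would ignore a configured logpath; the distro drop-in that sets the default backend to systemd is a constructed assumption about RHEL 7 packaging.

```python
import configparser

# Fail2ban reads jail.conf, jail.d/*.conf, jail.local, jail.d/*.local in that
# order; later files override earlier ones and [DEFAULT] is inherited by jails.
def load_jails(config_texts):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    for text in config_texts:
        cp.read_string(text)
    return cp

def backend_issues(cp):
    """Return {jail: message} for enabled jails whose backend cannot see logpath."""
    issues = {}
    for jail in cp.sections():
        sec = cp[jail]
        if sec.get("enabled", "false").strip().lower() not in ("true", "yes", "1", "on"):
            continue
        backend = sec.get("backend", "auto").strip().lower()
        if backend == "systemd" and sec.get("logpath"):
            issues[jail] = ("backend=systemd reads the journal, so logpath=%s is never "
                            "polled; set backend = polling (or pyinotify) for this jail"
                            % sec["logpath"])
    return issues

# Constructed inputs: a drop-in that makes systemd the default backend
# (assumption about RHEL 7 packaging), plus the jail.local from the thread.
DISTRO_DEFAULT = "[DEFAULT]\nbackend = systemd\n"
JAIL_LOCAL = """[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
banaction = firewallcmd-ipset
logpath  = /var/log/proftpd/proftpd-error.log
findtime = 600
bantime  = 900
maxretry = 5
"""
# The thread's fix: override the inherited backend inside the jail itself.
FIXED_LOCAL = JAIL_LOCAL + "backend = polling\n"

if __name__ == "__main__":
    print(backend_issues(load_jails([DISTRO_DEFAULT, JAIL_LOCAL])))   # flags proftpd
    print(backend_issues(load_jails([DISTRO_DEFAULT, FIXED_LOCAL])))  # {}
```

The same condition shows up at runtime as "Jail '<name>' uses systemd" in /var/log/fail2ban.log together with an empty ipset, so grepping for that line is the quickest confirmation on a live host.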