# fail2ban does not ban at all, update: regex problem

## Jimini

Greetings.

Due to thousands of new SSH login attempt entries in my authlog per week, I have decided to use fail2ban to ease this problem. Unfortunately, it does not ban at all.

fail2ban.conf:

```
[Definition]

# Option:  loglevel
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
loglevel = 3

logtarget = /var/log/fail2ban.log

socket = /var/run/fail2ban/fail2ban.sock
```

jail.conf (including only the relevant jail):

```
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime  = 60
maxretry = 3
backend = auto

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/authlog-2010-03
maxretry = 3
```

fail2ban-client status ssh-iptables:

```
Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/authlog-2010-03
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
```

fail2ban.log does not list any bans; my authlog (authlog-2010-03) generates up to hundreds of new entries of possible break-in attempts per day. The sending IP addresses stay the same for a few hours, and "findtime" and "maxretry" are set pretty strict, so in my humble opinion fail2ban should really ban some IPs every day.

Just for testing, I set the loglevel to "4" (debug), but fail2ban.log only contains entries like the following:

```
2010-03-02 12:21:34,030 fail2ban.filter : DEBUG  /var/log/authlog-2010-03 has been modified
2010-03-02 12:21:34,032 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-03-02 14:56:45,427 fail2ban.filter : DEBUG  /var/log/authlog-2010-03 has been modified
2010-03-02 14:56:45,428 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-03-02 14:56:47,431 fail2ban.filter : DEBUG  /var/log/authlog-2010-03 has been modified
2010-03-02 14:56:47,432 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-03-02 14:56:49,435 fail2ban.filter : DEBUG  /var/log/authlog-2010-03 has been modified
2010-03-02 14:56:49,437 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-03-02 14:56:56,445 fail2ban.filter : DEBUG  /var/log/authlog-2010-03 has been modified
2010-03-02 14:56:56,447 fail2ban.filter.datedetector: DEBUG  Sorting the template list
```

My conclusion is that fail2ban does not really take care of what is logged in authlog-2010-03.

I use iptables-1.4.3.2, shorewall-3.4.8 and gentoo hardened 2.6.28-r9. fail2ban worked correctly on a similar system (just an older hardened kernel); unfortunately, the old system is unreachable at the moment.

Regards, Jimini

P.S.: my authlog is named like "authlog-year-month"; how do I set the logpath directive to parse the current authlog? /var/log/authlog* seems to read only the first authlog, authlog-2010-02.

P.P.S.: I posted this problem a few days ago in the German forum, too.

UPDATE

It seems that I've located the problem: none of my regexes matches. The entries in my authlog look like the following:

```
[2010-03-05 12:54:18] info auth sshd Invalid user gt05 from 112.65.216.15
```

/etc/fail2ban/filter.d/sshd.conf contains:

```
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
            ^%(__prefix_line)sInvalid user .* from <HOST>$
```

What is wrong here?

----------

## John R. Graham

You can prove that the regexes are or are not matching by running

```
fail2ban-regex /var/log/authlog-2010-03 /etc/fail2ban/filter.d/sshd.conf
```

which will reprocess the log file against the filter and show which regex (if any) matched. Now, my auth failures are in syslog format and look like this:

```
Feb 28 11:19:02 ceres sshd[10209]: Invalid user router from 60.28.240.20
```

and they work, whereas yours look like

```
[2010-03-05 12:54:18] info auth sshd Invalid user gt05 from 112.65.216.15
```

which is a different format. Alas, the included regexes are designed to match syslog entries. You need to rewrite them or else reconfigure sshd to dump its messages into a syslog-managed log file. The latter would be preferred because:

- It's the standard way that sshd works.
- You can use the standard fail2ban filter regexes.

In fact, I couldn't right off figure out how you got sshd to produce that format.

- John

----------

## Jimini

Thank you for your answer!

I'm sorry, I did not mention that this is my preferred logging format, which is defined in my syslog-ng.conf. So all of my logfiles generated by syslog-ng look like this. I think I'll wait till I get home tomorrow; then I can watch the logs on my old box, where the same configuration worked perfectly. And if I remember correctly, my logging format should have been the same there. We'll see! ;)

As a solution, I could a) change my logging format or b) adjust the rules set in /etc/fail2ban/filter.d/sshd.conf. I prefer b), but have absolutely no clue about regular expressions so far :\

Regards, Jimini

----------

## John R. Graham

The shipped configuration includes a __prefix_line macro (in /etc/fail2ban/filter.d/common.conf) that is tailored to standard syslog format records. There are two ways to fix this:

1. Rewrite the __prefix_line macro. A simplistic version would be

```
__prefix_line = .*?
```

2. Reconfigure syslog-ng to emit standard log file entries.

I think the preferred solution is the second one. Over time, you'll save yourself a world of hurt that way. ;)

- John

----------
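To see concretely why the shipped sshd filter stays silent on the custom syslog-ng format and why the permissive __prefix_line from John's reply brings it back, here is an added example (not fail2ban's own code and not part of the original thread) that replays the per-line matching fail2ban 0.8 does: cut out the timestamp the date detector found, then try each failregex with <HOST> expanded. The SYSLOG_PREFIX stand-in for common.conf's __prefix_line, the two-template date detector and the two sample log lines are assumptions constructed for this example; the two failregex entries are copied from the sshd.conf posted above.

```python
import re

# Constructed sample lines (not from any real host) in the two formats
# discussed above: standard syslog output and the custom syslog-ng template.
SYSLOG_LINE = "Feb 28 11:19:02 ceres sshd[10209]: Invalid user router from 60.28.240.20"
CUSTOM_LINE = "[2010-03-05 12:54:18] info auth sshd Invalid user gt05 from 112.65.216.15"

# Two failregex entries exactly as they appear in filter.d/sshd.conf above.
FAILREGEX = [
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
]

# Assumption: a simplified stand-in for the syslog-oriented __prefix_line in
# common.conf (optional hostname, then "sshd[pid]:"); the shipped macro is
# more general but has the same shape.
SYSLOG_PREFIX = r"\s*(?:\S+ )?sshd(?:\[\d+\])?:\s+"

# The permissive replacement suggested in the thread.
PERMISSIVE_PREFIX = r".*?"

# fail2ban 0.8 expands <HOST> into a named group of this form
# (optional IPv4-mapped IPv6 prefix, then the address).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Assumption: a minimal date detector covering only the two timestamp styles
# seen in the thread; the real one carries many more templates.
DATE_TEMPLATES = [
    re.compile(r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}"),     # Feb 28 11:19:02
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),  # 2010-03-05 12:54:18
]


def strip_date(line):
    """Cut out the first recognised timestamp, as fail2ban does before matching."""
    for template in DATE_TEMPLATES:
        m = template.search(line)
        if m:
            return line[:m.start()] + line[m.end():]
    return line


def compile_filter(prefix_line):
    """Expand %(__prefix_line)s and <HOST> in every failregex."""
    return [
        re.compile((pattern % {"__prefix_line": prefix_line}).replace("<HOST>", HOST_RE))
        for pattern in FAILREGEX
    ]


def find_host(line, prefix_line):
    """Return the host a failregex extracts from `line`, or None if nothing matches."""
    log_line = strip_date(line)
    for regex in compile_filter(prefix_line):
        m = regex.search(log_line)
        if m:
            return m.group("host")
    return None


if __name__ == "__main__":
    for label, prefix in (("shipped-style __prefix_line", SYSLOG_PREFIX),
                          ("__prefix_line = .*?", PERMISSIVE_PREFIX)):
        print(label)
        for line in (SYSLOG_LINE, CUSTOM_LINE):
            print("   host =", find_host(line, prefix), "<-", line)
```

With the syslog-style prefix only the syslog line yields a host; the custom line fails because after the timestamp is removed the remainder begins with "[] info auth sshd", which no hostname/"sshd[pid]:" pattern accepts. With `.*?` both lines yield a host. The price of that fix is that the `^` anchor no longer ties the match to a line produced by sshd, so any line in the watched file that ends in "Invalid user ... from <address>" now counts as a failure; run `fail2ban-regex` against the live file before enabling the loosened filter, and make sure `ignoreip` covers the hosts you cannot afford to lock out.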

## Jimini

Great, thanks! I'll try this in a few days; till then syslog-ng logs everything from "auth" in the standard format, and it works fine now. Nevertheless, I'd like to get "my" logging format working ;)

Best regards, Jimini

----------

