Questions tagged [fail2ban]
Fail2ban scans log files such as /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject the banned addresses.
729 questions
2 votes | 0 answers | 25 views
vsftpd - Ensure Consistent 530 Responses
Trying to strengthen security by preventing username enumeration attacks and brute force, I'd like to standardize the 530 error code returned by vsftpd regardless of valid and invalid users, plus ...
1 vote | 2 answers | 138 views
HCL Domino v.12/14 on Rocky Linux 9: Delay writing to console.log
On a Rocky Linux v.9 server with HCL Domino v.12 (or v.14, it makes no difference) I installed fail2ban to block attempts to access the SMTP port with incorrect username or password by analyzing ...
0 votes | 1 answer | 36 views
Filtering SSH connections on a server behind NAT
I have a server where I can login through SSH. The server has a private IP address and sits behind a NAT. Another server with a public IP address receives SSH connections on a given port and forwards ...
1 vote | 1 answer | 166 views
fail2ban blocks all ports when using iptables-multiport
I have an issue with fail2ban and iptables-multiport which blocks all ports instead of the provided ones and I can't find why.
I have some web server listening on 443 and I have a honeypot listening ...
1 vote | 0 answers | 100 views
How to block access to specific files via fail2ban?
Within my logs there are loads of accesses to files that do not exist, typically to WP- or phpMyAdmin installations. These are obviously automated scripts that try to find security vulnerabilities. My ...
0 votes | 1 answer | 86 views
iptables ineffective on nginx reverse proxy behind haproxy load balancer
Simplified path of our setup:
Client ->
VM1 - instance on AWS, haproxy terminating SSL, configured to use ACLs to direct traffic by requested domain to the appropriate backend through a WireGuard tunnel -> ...
0 votes | 0 answers | 125 views
Fail2Ban: already banned
I recently setup a VPS on hetzner and tried to secure it with fail2ban and by changing the default ssh port.
Firstly, regardless of fail2ban, I'm confused as I set firewall settings in the Hetzner console ...
0 votes | 0 answers | 131 views
Configure fail2ban to parse multiple log lines, e.g. Postfix mail rejects
I want to block local authenticated mail users who generate spam, i.e. disable their SMTP access for a while as one of several countermeasures against hijacked accounts and malware.
To accomplish ...
0 votes | 1 answer | 460 views
Nginx's limit_req + fail2ban: IP addresses are getting banned yet can still access the site
I have successfully set up Nginx's limit_req module so that when anyone attempts to access a PHP file on our server (which we don't host at all), they get a 503. See this question about my setup, ...
0 votes | 1 answer | 666 views
How to Create a Custom Action in Fail2Ban to Execute a Bash File for Printing a Banner [duplicate]
I'm using Fail2Ban to enhance the security of my server by automatically banning IP addresses that attempt to log in unsuccessfully multiple times. I'd like to go further by displaying a custom banner ...
0 votes | 0 answers | 24 views
fail2ban iptables REJECT rules not working [duplicate]
I managed to set up fail2ban and monitor my MySQL database logs because I am being brute-force attacked through my database login. The database is in a Docker container and fail2ban is on the host ...
0 votes | 0 answers | 33 views
Custom Fail2ban Regex not working
Using the regex filter below:
[Definition]
failregex = ^.*Priority: 0
ignoreregex =
Fail2ban does not detect any of these log entries below.
Mon Apr 1 21:11:29 2024 [] [1:1000002:1] SSH attempt [] ...
0 votes | 0 answers | 56 views
Correct regex to block POST request and GET request to single file in apache?
What's the correct fail2ban regex to block these kind of requests?
The excerpt is from apache access.log
181.204.83.115 - - [28/Mar/2024:17:38:47 +0200] "POST /login.php HTTP/1.1" 200 11593
...
1 vote | 1 answer | 809 views
fail2ban for dovecot not working
I have set up ufw in Linux Mint and it works fine.
In my Linux Mint box I run dovecot and I see many failed login tries.
I set up fail2ban like this:
[dovecot-pop3imap]
enabled = true
filter = dovecot-...
5 votes | 3 answers | 2k views
fail2ban bans IP addresses, yet they still appear in access.log
This is my filter:
[Definition]
failregex = <HOST> .* "POST /customer/account/create.*$
<HOST> .* "GET /customer/account/create.*$
and this the corresponding jail:
[...
-1 votes | 1 answer | 125 views
fail2ban cannot block ip public, it works only for private ip
My server lives behind the reverse proxy nginx, but the IP of the client access shows in the Apache log like this; it looks normal, there are no x-forward things in the log.
103.221.234.206 - - [28/Feb/...
0 votes | 1 answer | 298 views
Trying to understand if fail2ban is working on Debian 10 VPS
I have a Debian 10 server running on a VPS.
The only software I installed is: tinyproxy (http proxy) and fail2ban
I have included the results of port scan using nmap
I have included my specific ...
0 votes | 1 answer | 319 views
Fail2Ban RegEx works but filter does not
My plan is to ban all accesses to my webserver which repeatedly produce 404 errors and obviously do some scanning only.
For this I tried
fail2ban-regex /var/log/apache2/otheraccess.log '^<HOST>. -...
0 votes | 2 answers | 685 views
Fail2Ban: RegEx to filter all 404 errors out of the Apache-log
In my logs I regularly see loads of 404-errors where bots obviously do scan the server systematically for specific software installations. As this also causes loads of traffic, I want to ban them.
So ...
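The custom-regex questions above (the "Priority: 0" filter that matches nothing, the POST/GET to login.php pattern, the filter whose banned hosts still show up in access.log, the fail2ban-regex 404 test, and the 404 filter) all come down to the same mechanics: fail2ban expands the <HOST> tag into a named capture group, applies each failregex to every new log line, and bans a host once its matches reach maxretry within findtime seconds. The following Python example is added here to make that logic checkable offline; it is not code from any of the questions or from fail2ban itself. The host pattern is a simplified stand-in for fail2ban's real <HOST> expansion, and the Apache combined-format log lines are constructed for the example. It also shows the failure mode of a failregex that contains no <HOST>: the line matches, but there is nothing to hand to the ban action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag: one named group capturing an
# IPv4/IPv6 literal or a hostname (fail2ban's own expansion is stricter).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+|[\w.-]+)"


def compile_failregex(pattern):
    """Expand <HOST> and compile with Python's re, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


# Apache combined-log timestamp, e.g. [28/Mar/2024:17:38:47 +0200]
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_ts(line):
    return datetime.strptime(APACHE_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def scan(lines, failregex, maxretry=3, findtime=600):
    """Return (banned, unattributed): hosts whose matches reached maxretry within
    findtime seconds, and the number of matches that carried no host to ban."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # host -> timestamps of its recent matches
    banned, unattributed = [], 0
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.groupdict().get("host")
        if host is None:
            unattributed += 1        # matched, but the filter captured no <HOST>
            continue
        ts = parse_ts(line)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop matches older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned, unattributed


# Constructed sample lines (documentation-range addresses, not from the questions).
LOG = [
    '198.51.100.7 - - [28/Mar/2024:17:38:47 +0200] "POST /login.php HTTP/1.1" 200 11593',
    '192.0.2.5 - - [28/Mar/2024:17:38:50 +0200] "GET /index.html HTTP/1.1" 200 4211',
    '198.51.100.7 - - [28/Mar/2024:17:39:01 +0200] "POST /login.php HTTP/1.1" 200 11593',
    '203.0.113.9 - - [28/Mar/2024:17:39:10 +0200] "GET /wp-login.php HTTP/1.1" 404 196',
    '198.51.100.7 - - [28/Mar/2024:17:39:15 +0200] "GET /login.php?x=1 HTTP/1.1" 200 11593',
    '203.0.113.9 - - [28/Mar/2024:17:39:20 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 196',
    '203.0.113.9 - - [28/Mar/2024:17:39:25 +0200] "GET /.env HTTP/1.1" 404 196',
    '198.51.100.7 - - [28/Mar/2024:17:55:00 +0200] "POST /login.php HTTP/1.1" 200 11593',
]

# GET or POST to one file, with or without a query string.
LOGIN_RE = r'^<HOST> -.*"(?:GET|POST) /login\.php(?:\?\S*)? HTTP/'
# Any request answered with 404 (scanner probing for wp-/phpMyAdmin/.env).
NOTFOUND_RE = r'^<HOST> -.*"(?:GET|POST) \S+ HTTP/[\d.]+" 404 '
# Matches, but has no <HOST>: fail2ban has nothing to ban.
NO_HOST_RE = r'"POST /login\.php'

if __name__ == "__main__":
    for name, rx in [("login", LOGIN_RE), ("404", NOTFOUND_RE), ("no-host", NO_HOST_RE)]:
        print(name, scan(LOG, rx))
```

The patterns skip the timestamp with `-.*"` rather than matching it, because real fail2ban removes the matched date from the line before applying failregex; the same patterns therefore work in a filter.d file. Validate against the real log with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/yourfilter.conf` before enabling the jail, and remember that a host already banned keeps appearing in access.log only if the ban action is not actually blocking the port the requests arrive on.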
1 vote | 0 answers | 252 views
firewalld and iptables | fail2ban
I have fail2ban 1.0.2 running on an Almalinux server. Seems to be working as hoped, but I'm puzzled by something.
I have sshd.local and 00-firewalld.local in jail.d (installed fail2ban and fail2ban-...
0 votes | 1 answer | 634 views
fail2ban include list of ip addresses to ban
Suppose I have a .txt file containing a list of ip addresses I'd like to ban for some amount of time (so, a blacklist file of some sort). I know how do do this in Apache (for example) - simply by ...
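For the blacklist-file question above, fail2ban already exposes the needed primitive: `fail2ban-client set <JAIL> banip <IP>` bans an address in a running jail for that jail's bantime. The shell function below is an added example (not from the question or from fail2ban) that turns such a file into those commands; the jail name "blacklist" and the file format (one address or CIDR per line, `#` comments and blank lines ignored) are assumptions of the example. It only prints the commands, so it can be reviewed before being piped into a shell as root.

```shell
#!/bin/sh
# Emit one fail2ban-client command per usable entry in a blacklist file.
# Entries that do not look like an IPv4/IPv6 address or CIDR are reported on
# stderr and skipped rather than being passed to fail2ban-client.
ban_list_commands() {
    jail=$1
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}                                  # strip trailing comment
        ip=$(printf '%s' "$ip" | tr -d '[:space:]')     # and surrounding whitespace
        [ -z "$ip" ] && continue                        # blank or comment-only line
        case $ip in
            *[!0-9A-Fa-f:./]*)
                printf 'skipping malformed entry: %s\n' "$ip" >&2
                continue ;;
        esac
        printf 'fail2ban-client set %s banip %s\n' "$jail" "$ip"
    done < "$file"
}

# Review first, then apply (as root, with the "blacklist" jail enabled):
#   ban_list_commands blacklist /etc/fail2ban/blacklist.txt
#   ban_list_commands blacklist /etc/fail2ban/blacklist.txt | sh
```

Bans made this way expire with the jail's bantime and do not survive a fail2ban restart unless the persistent database (dbpurgeage) keeps them, so a dedicated jail with a long bantime is the usual companion to this script.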
1 vote | 0 answers | 66 views
iptables ignores REJECT in custom chain but works in the main chain
I configured a server with fail2ban for the smtp server. Now, fail2ban correctly bans the IPs and I can see them in the iptables chain of fail2ban. However, the kernel seems to ignore the iptables ...
0 votes | 1 answer | 544 views
fail2ban | difference between [sshd] in jail.local, vs sshd.local in jail.d?
AlmaLinux server -- 1.0.2 fail2ban installed. Seems to be working, but, am hoping someone can clarify something for me:
1. Working with a jail.local copy of jail.conf. In said jail.local, there is a ...
0 votes | 3 answers | 496 views
Is firewalld needed by fail2ban?
When I install fail2ban, it also installs firewalld. After a reboot, firewalld also starts, enforcing settings on the iptables (dropping most connections except ssh). This is frustrating as I want to ...
-1 votes | 1 answer | 110 views
fail2ban Jail starts but no connections are showed
I installed fail2ban on my Ubuntu server.
It seems to start fine:
cat fail2ban.log
2023-12-07 14:55:27,758 fail2ban.server [803]: INFO --------------------------------------------------
...
1 vote | 1 answer | 4k views
Issue with sshd logfile using fail2ban on minimal Ubuntu server 22.04
I am working on trying to get fail2ban set up and enabled for sshd on my VPS with Ionos. I am using a minimal Ubuntu 22.04 server install.
fail2ban has installed fine, but getting it to run seems a ...
1 vote | 1 answer | 152 views
fail2ban ignores <HOST> IP address and bans all incoming traffic
I'm trying to enable fail2ban on Centos 7 with Apache.
I have an app which writes to the error log a specific string when login fails.
responds with the right IP address in the Banned IP list,
> ...
0 votes | 0 answers | 109 views
fail2ban missed lines in my filter
I am completely new to using fail2ban. Right now I am getting a missed line error but I cannot figure out why. I have the following two files:
// /etc/fail2ban/filter.d/apache-custom.conf
[...
-1 votes | 1 answer | 677 views
Crafting regex for Fail2ban and NGINX
I'm having some trouble understanding how to craft a regex to capture probe attempts on my nginx webserver.
I would like to craft a filter to catch sites hitting certain files (by name) and/or by php ...
0 votes | 0 answers | 840 views
How to correctly remove entries from firewalld ipset runtime?
Running Debian 12
I have created an IPSet in the following manner:
~$ firewall-cmd --permanent --new-ipset=myipset --type=hash:ip --option=timeout=0
success
~$ firewall-cmd --reload
success
~$ ...
0 votes | 1 answer | 194 views
Retrieve URL / Request in a fail2ban action with nginx
I have configured fail2ban to block spam attempts with nginx. Everything works, but I would like to be able to retrieve the URL / domain visited in my actions.
Recovering the "logpath" also suits me ...
0 votes | 1 answer | 221 views
Banning an IP address (or subnet) on Debian (still connecting after ufw and iptables)
I know the subject of banning IP addresses has been covered multiple times, but for some reason I'm failing to address/identify this one.
I am trying to identify a problem with random attacks of some ...
0 votes | 1 answer | 440 views
Unable to configure fail2ban to protect samba shares
With this configuration the service (fail2ban) starts and the logfile registers wrong attempts, but it still does not count attempts in fail2ban-client. I suspect that there is a problem with the regex, but this is the only ...
0 votes | 1 answer | 291 views
Creating an IPTABLES chain, whose rules are ignored, unless the packet is from a certain port?
I want to confirm the following. If I create a chain whose first rule is:
iptables -I INPUT -p tcp -m multiport --dports 25,465 -j name
Does that mean that any further specified rules in the chain, ...
1 vote | 1 answer | 1k views
Fail2ban accepted the customized jail but it did not detect the event
This problem drives me crazy.
I configured a jail to prevent excessive HTTP POSTs to my web server.
The fail2ban server seems to accept my new jail, but nothing takes effect in the fail2ban server.
...
0 votes | 1 answer | 113 views
iptables string matching feasability; possible use with fail2ban
We have several Apache 2.4 web servers behind a load balancer and CDN front end - where HTTPS is terminated - we see the client IP in headers from the front end in the back end Apache logs. I'm ...
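The questions about servers behind NAT, haproxy, nginx or a CDN (the NAT'd SSH host, the haproxy-to-nginx path, the "cannot block public IP" Apache log, and this one) share one trap: the address fail2ban captures with <HOST> is whatever the log line contains, and behind a proxy that is the proxy's address unless the filter deliberately reads the forwarded client address. Trusting X-Forwarded-For blindly is the opposite trap, since any direct client can send that header and make fail2ban ban an address of its choosing, including your own proxy. The Python example below is added here and is not code from any of the questions; it assumes a custom Apache LogFormat that logs the socket peer and the quoted X-Forwarded-For header, a hypothetical proxy address 10.0.0.2, and constructed log lines. It shows two failregex lines that together capture the right host in both situations and a checker that reports which host each would ban.

```python
import re

# Assumed Apache LogFormat for the sample lines (an assumption of this example):
#   LogFormat "%a \"%{X-Forwarded-For}i\" %t \"%r\" %>s" proxied
# i.e. socket peer, quoted X-Forwarded-For header, time, request line, status.
TRUSTED_PROXY = "10.0.0.2"   # hypothetical address of the haproxy/nginx front end

# Simplified stand-in for fail2ban's <HOST> tag expansion.
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# Two failregex lines as they would appear in a filter.d/*.conf:
#  1. peer is the trusted proxy: take the LAST address in X-Forwarded-For, the
#     one the proxy itself appended; earlier entries are client-controlled.
#  2. peer is anything else: it reached Apache directly, so ban the peer and
#     ignore whatever header it sent (a negative lookahead keeps the two apart).
FAILREGEX = [
    r'^10\.0\.0\.2 "(?:[^,"]+, *)*<HOST>" \[[^\]]*\] "POST /wp-login\.php',
    r'^(?!10\.0\.0\.2 )<HOST> "[^"]*" \[[^\]]*\] "POST /wp-login\.php',
]

# Constructed lines in the format above (documentation-range addresses).
LOG = [
    '10.0.0.2 "203.0.113.9" [28/Mar/2024:17:38:47 +0200] "POST /wp-login.php HTTP/1.1" 200',
    '10.0.0.2 "198.51.100.7, 203.0.113.9" [28/Mar/2024:17:38:52 +0200] "POST /wp-login.php HTTP/1.1" 200',
    '192.0.2.44 "10.0.0.2" [28/Mar/2024:17:39:01 +0200] "POST /wp-login.php HTTP/1.1" 200',
    '10.0.0.2 "198.51.100.7" [28/Mar/2024:17:39:05 +0200] "GET / HTTP/1.1" 200',
]


def hosts_to_ban(lines, failregex=FAILREGEX):
    """Return the host each matching line would hand to the ban action."""
    patterns = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in failregex]
    out = []
    for line in lines:
        for rx in patterns:
            m = rx.search(line)
            if m:
                out.append(m.group("host"))
                break          # first failregex wins, as in fail2ban
    return out


if __name__ == "__main__":
    print(hosts_to_ban(LOG))
```

Line 2 carries a forged first entry and line 3 is a direct hit that names the proxy in its header; the filter bans 203.0.113.9 for both proxied lines and 192.0.2.44 for the direct one, never 10.0.0.2. The ban itself must also run where the packets can still be told apart: blocking the client address with iptables on a backend that only ever sees the proxy's socket does nothing, which is why the NAT'd SSH setup needs fail2ban (or its action) on the NAT box. Apache's mod_remoteip (RemoteIPHeader with RemoteIPInternalProxy) performs the same trusted-proxy substitution at the server level, after which `%a` already logs the client and the stock filters work unchanged.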
0 votes | 2 answers | 710 views
fail2ban on host for rootless podman keycloak container
Running on Rocky Linux 9.2 with podman 4.4.1.
I got a podman Pod with keycloak + postgresql inside, running rootless. The pod itself with --network 'slirp4netns:port_handler=slirp4netns'. The keycloak ...
0 votes | 1 answer | 1k views
Fail2ban apache2 access log regex
Can anyone help me with a fail2ban regex?
My goal is to ban anyone accessing .env or .php files or any request that starts with "wp-"; it is a little bit confusing,
and another one to detect invalid ...
0 votes | 2 answers | 621 views
Apache Log files Fail2ban and WordPress
I am trying to get Fail2ban to block brute force and persistent xmlrpc and wp-login attacks on a WordPress site.
I have an issue with the apache logging filenames. Getting past selinux issues was ...
0 votes | 1 answer | 139 views
fail2ban is working but not getting email to show that sshd-ddos is running
I have fail2ban running on my server and I have three programs running: sshd, sshd-ddos and runcloud-agent. There are no error messages but when I recently restarted my server, I got an email message ...
0 votes | 1 answer | 78 views
Does iptables apply all rules in order when an incoming connection is received?
I'm using iptables and fail2ban to secure server connections. Currently I have connections filtered via a router passing only ports for email and webserver access and fail2ban adding restrictions ...
0 votes | 2 answers | 411 views
Unable to compile regular expression in Fail2Ban
I'm trying to get this regex working in Fail2Ban:
SRC=(?<ADDR>.*) DST.*(?=DPT=5003)
In a regex tester it works fine. When testing in Fail2Ban, I get this error:
ERROR: Unable to ...
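The pattern in the question above uses `(?<ADDR>...)`, which is PCRE/JavaScript syntax for a named group; fail2ban compiles failregex with Python's `re` module, where `(?<` may only be followed by `=` or `!` (lookbehind), so the compile fails even though an online tester accepts it. Python spells named groups `(?P<name>...)`, and in a fail2ban filter the intended way to capture the address is the `<HOST>` tag (fail2ban 0.10 and later also accept `<ADDR>` as a tag for an IPv4-or-IPv6 literal). The example below is added here, not taken from the question or from fail2ban; the iptables LOG-target lines are constructed and the host pattern is a simplified stand-in for fail2ban's expansion. It checks both patterns the way fail2ban would and shows the corrected one extracting only the sources that hit port 5003, while a `\b` keeps DPT=50030 from matching as well.

```python
import re

# Simplified stand-in for the <HOST> tag (fail2ban's own expansion also accepts
# hostnames and is stricter about IPv4/IPv6 syntax).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"


def check_failregex(pattern):
    """Compile a failregex as fail2ban does (Python's re module).
    Returns None on success, otherwise the compiler's error message."""
    try:
        re.compile(pattern.replace("<HOST>", HOST_GROUP))
    except re.error as exc:
        return str(exc)
    return None


# Rejected: (?<name>...) is PCRE/JavaScript syntax. After "(?<" Python's re
# only knows "=" and "!" (lookbehind), so it stops with "unknown extension".
PCRE_STYLE = r"SRC=(?<ADDR>.*) DST.*(?=DPT=5003)"
# Accepted: capture the source with the <HOST> tag and match the port as a
# whole word so that DPT=50030 is not caught as well.
F2B_STYLE = r"SRC=<HOST> DST=\S+ .* DPT=5003\b"

# Constructed iptables LOG-target lines (not taken from the question).
KERNEL_LOG = [
    "Apr  2 09:15:01 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=51234 DPT=5003 SYN",
    "Apr  2 09:15:03 gw kernel: PROBE: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN",
    "Apr  2 09:15:07 gw kernel: PROBE: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40001 DPT=50030 SYN",
    "Apr  2 09:15:09 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=51235 DPT=5003 SYN",
]


def sources_hitting_port(lines, pattern=F2B_STYLE):
    """Source addresses the failregex would hand to fail2ban for banning."""
    rx = re.compile(pattern.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    print("PCRE-style:", check_failregex(PCRE_STYLE))
    print("fail2ban-style:", check_failregex(F2B_STYLE))
    print(sources_hitting_port(KERNEL_LOG))
```

The syslog timestamp is not part of the pattern because fail2ban strips the matched date before applying failregex; `fail2ban-regex /var/log/kern.log 'SRC=<HOST> DST=\S+ .* DPT=5003\b'` is the quickest way to confirm the match count on the real file.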
0 votes | 1 answer | 342 views
Using fail2ban to scan for SSH Accepted Connections and write the username to auth.log
I have a small server that authenticates users as root using their ssh keys stored in the authorized_keys file. I also run fail2ban.
I made a convention to have a nickname written after the public_key of ...
0 votes | 1 answer | 462 views
linux fail2ban not catching auth a specific fail with postfix
I had journalctl open and noticed an offender repeatedly hitting me with auth fails in postfix. I have a standard postfix-sasl filter on by default that, to my knowledge, is working well.
It wasn't ...
1 vote | 1 answer | 316 views
Fail2Ban - Match Asterisk PJSIP Successful Authentication
I'm trying to create a fail2ban filter that will match successful authentications. An example log entry looks like this:
[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/...
2 votes | 1 answer | 573 views
Fail2ban Auto Whitelist
We use fail2ban on a number of our servers for blocking brute-force attempts against services like SSH, SMTP, IMAP, SIP, etc, and it works very well. However, we get a lot of false positives under ...
1 vote | 1 answer | 1k views
fail2ban ssh not banning any IP
I started fail2ban service as sudo systemctl restart fail2ban.service, it successfully started.
But my ssh attempts with the wrong password from remote PCs are not being blocked. There is no IP listed in ...
0 votes | 1 answer | 888 views
fail2ban ipset proper setup of jail.conf
My understanding is that running Fail2ban using ipset is faster. To that end:
I downloaded and installed per instructions (modified for Fedora 37) ritsu/ipset-fail2ban from Git.
My banaction is still ...
0 votes | 1 answer | 415 views
How to make an regex in Fail2ban with ip:port
First of all, English is not my native language, so if I make a mistake don't shoot me. :)
Here's my problem: when I use everything works fine, but as soon as there is a port number or a comma directly ...
1 vote | 2 answers | 1k views
Fail2ban ban action error on debian
I'm not sure where to start looking for the issue here
This is on debian 11 (using nftables)
It seems like the nft add set ... command is failing
nft add set inet f2b-table addr-set-wordpress \{ type ...