[fail2ban] adding a new filter

Discussion in 'Server Operation' started by GHz, May 1, 2010.

  1. GHz

    GHz New Member

    I just installed a new PHP application on the servers which logs login attempts. Now I want fail2ban to ban an IP if it exceeds a specified amount of logins. So I looked up the log entry:

    Code:
    [Sat May  1 17:17:23 2010][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication with wrong Pw!!! (REMOTE_ADDR: 192.168.178.25)
    
    So I added a new filter like so:

    Code:
    [Definition]
    failregex = [.*][Notice][Kernel::System::Auth::DB::Auth] User: .* authentication with wrong Pw!!! (REMOTE_ADDR: <HOST>)
    ignoreregex =
    
    But it just doesn't ban the IP after the set amount of failed login attempts. The jail is being started when I restart fail2ban. Any ideas why this doesn't work?

    Thanks

    EDIT:

    It already works! The working regex is:

    Code:
    \[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* authentication with wrong Pw!!! \(REMOTE_ADDR: <HOST>\)
    
    One question though: can I specify more than one failregex in one filter file? Because the program I want to monitor logs different messages for unknown username/unknown password. Or do I have to create a second jail for that?
     
    Last edited: May 2, 2010
  2. GHz

    GHz New Member

    ***bump***
     
  3. falko

    falko Super Moderator ISPConfig Developer

    You can do it as follows (just an example):

    Code:
    failregex = [[]client <HOST>[]] user .* authentication failure
                [[]client <HOST>[]] user .* not found
                [[]client <HOST>[]] user .* password mismatch
     
  4. GHz

    GHz New Member

    Thanks Falko, it works!
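
Added example (not part of the original posts and not fail2ban's own code): a small Python harness showing why GHz's unescaped filter never matched, and how several failregex lines in one filter feed a single failure count per host. The `HOST` pattern, the "not found!" message, the sample log lines and the helper names are constructed assumptions, and findtime is ignored.

```python
import re
from collections import Counter

# Simplified stand-in for the pattern fail2ban substitutes for <HOST> (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# GHz's first attempt: unescaped [ ] are character classes and ( ) is a group.
BROKEN = r"[.*][Notice][Kernel::System::Auth::DB::Auth] User: .* authentication with wrong Pw!!! (REMOTE_ADDR: <HOST>)"

# One regex per line, as in falko's reply. The second message is hypothetical.
FAILREGEX = r"""
\[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* authentication with wrong Pw!!! \(REMOTE_ADDR: <HOST>\)
\[.*\]\[Notice\]\[Kernel::System::Auth::DB::Auth\] User: .* not found! \(REMOTE_ADDR: <HOST>\)
"""

# Constructed sample log, modelled on the line quoted in the first post.
LOG = """\
[Sat May  1 17:17:23 2010][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication with wrong Pw!!! (REMOTE_ADDR: 192.168.178.25)
[Sat May  1 17:17:30 2010][Notice][Kernel::System::Auth::DB::Auth] User: admin not found! (REMOTE_ADDR: 192.168.178.25)
[Sat May  1 17:17:41 2010][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication with wrong Pw!!! (REMOTE_ADDR: 192.168.178.25)
[Sat May  1 17:18:02 2010][Notice][Kernel::System::Auth::DB::Auth] User: bob authentication with wrong Pw!!! (REMOTE_ADDR: 192.168.178.40)
""".splitlines()

def compile_failregex(value):
    """Compile one regex per non-empty line of a failregex option value."""
    return [re.compile(line.strip().replace("<HOST>", HOST))
            for line in value.splitlines() if line.strip()]

def failed_host(line, regexes):
    """Return the host captured by the first regex that matches, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, regexes, maxretry):
    """Hosts whose failure count reaches maxretry (time window not modelled)."""
    counts = Counter(h for h in (failed_host(l, regexes) for l in lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("unescaped filter matches first line:",
          failed_host(LOG[0], compile_failregex(BROKEN)))
    print("escaped, two-line filter bans:",
          hosts_to_ban(LOG, compile_failregex(FAILREGEX), maxretry=3))
```

The `fail2ban-regex` tool that ships with fail2ban performs the same kind of check with a real log file and filter file.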
     