Hi, fail2ban is not banning roundcube failed logins. I do

    fail2ban-regex /var/log/roundcube/errors.log roundcube-auth

and fail2ban-regex says "Lines: 67 lines, 0 ignored, 7 matched, 60 missed", so the regex is correct. There are 7 failed logins in errors.log. The other jails are working.

roundcube jail:

Code:
    [roundcube-auth]
    enabled = true
    port = 80,443
    logpath = /var/log/roundcube/errors.log
    maxretry = 1
    findtime = 10800
    bantime = 300

Output from fail2ban-regex:

    Results
    =======

    Prefregex: 19 total
    |  ^\s*(\[\])?(\S+\s*(?:roundcube(?:\[(\d*)\])??\s*(<[\w]+>)? IMAP Error)?: (?P<content>.+)$
    `-

    Failregex: 7 total
    |-  #) [# of hits] regular expression
    |   1) [7] ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [19] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-

    Lines: 67 lines, 0 ignored, 7 matched, 60 missed
    [processed in 0.01 sec]

    Missed line(s): too many to print.  Use --print-all-missed to print all 60 lines

filter.d/roundcube-auth.conf:

    # Fail2Ban configuration file for roundcube web server
    #
    # By default failed logins are printed to 'errors'. The first regex matches those
    # The second regex matches those printed to 'userlogins'
    # The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
    #
    # The logpath in your jail can be updated to userlogins if you wish
    #

    [INCLUDES]

    before = common.conf

    [Definition]

    prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])??\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$

    failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
                ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$

    ignoreregex = Could not connect to .* Connection refused

    # journalmatch = SYSLOG_IDENTIFIER=roundcube

    # DEV Notes:
    #
    # Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
    #
    # Part after <HOST> comes straight from IMAP server up until the " in ....."
    # Earlier versions didn't log the IMAP response hence optional.
    #
    # DoS resistance:
    #
    # Assume that the user can inject "from <HOST>" into the imap response
    # somehow. Write test cases around this to ensure that the combination of
    # arbitrary user input and IMAP response doesn't inject the wrong IP for
    # fail2ban
    #
    # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens

Status for jail roundcube-auth:

    Status for the jail: roundcube-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:

What can I do?
Are these lines in the log recent? I ask because the bantime is set to 300, which means 5 minutes. If these log entries are older than that, it would explain why there are no bans listed. Check the timestamps, and then what is the output of "tail -n 100 /var/log/roundcube/errors | fail2ban-regex - /etc/fail2ban/filter.d/roundcube-auth.conf"?
Oh. My fault. There was a whitelist entry for the IP I used to simulate wrong logins. :-( Sorry :-(

But I have the same problem with named-refused, and these IP addresses are not from me. Also the timestamps there are ok.

When I do "fail2ban-client -vvv set named-refused banip 2.3.4.5", in iptables I get

    -A f2b-named-refused -s 2.3.4.5/32 -j DROP
    -A f2b-named-refused -j RETURN

jail named-refused:

    [named-refused]
    enabled = true
    # next two lines after hints in jail.conf with different log locations
    backend = polling
    journalmatch =
    port = domain,953
    protocol = tcp
    filter = named-refused
    logpath = /var/log/named/security_info.log
    ignoreip = 127.0.0.1/8 192.168.1.1/24
    maxretry = 1
    findtime = 10800
    bantime = 1h

regex-test named-refused:

    Running tests
    =============

    Use   failregex filter file : named-refused, basedir: /etc/fail2ban
    Use         log file : /var/log/named/security_info.log
    Use         encoding : UTF-8


    Results
    =======

    Prefregex: 29 total
    |  ^\s*(?:\S+ (?:(?:\[\d+\])?:\s+\(?named(?:-\w+)?(?:\(\S+\))?\)?:?|\(?named(?:-\w+)?(?:\(\S+\))?\)?:?(?:\[\d+\])?:?)\s+)?(?:(?!error|info)[\w-]+: )?(?:(?:error|info):\s*)?client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
    `-

    Failregex: 29 total
    |-  #) [# of hits] regular expression
    |   2) [29] ^zone transfer
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [4588] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-

    Lines: 4588 lines, 0 ignored, 29 matched, 4559 missed
    [processed in 0.16 sec]

    Missed line(s): too many to print.  Use --print-all-missed to print all 4559 lines
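As an added illustration that is not part of the thread: a small Python script that replays the two reasons a line can match the filter in fail2ban-regex and still produce no ban, an ignoreip hit (the cause of the roundcube case above) and a timestamp outside findtime. Only the jail values are taken from the named-refused jail posted above; the log lines, the reference time and the simplified line regex are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail values copied from the named-refused jail posted in the thread
IGNOREIP = "127.0.0.1/8 192.168.1.1/24"
FINDTIME = 10800   # seconds
MAXRETRY = 1

# Constructed named security-log lines (not taken from the poster's log)
SAMPLE_LOG = """\
12-Mar-2021 09:00:01.123 client 192.168.1.77#40001 (example.org): zone transfer 'example.org/AXFR/IN' denied
12-Mar-2021 09:30:15.456 client 203.0.113.5#40002 (example.org): zone transfer 'example.org/AXFR/IN' denied
12-Mar-2021 01:05:00.789 client 198.51.100.9#40003 (example.org): zone transfer 'example.org/AXFR/IN' denied
"""
# Constructed "current time" at which fail2ban would be reading these lines
NOW = datetime(2021, 3, 12, 10, 0, 0)

# Simplified stand-in for the prefregex/failregex pair: timestamp, client IP, "denied"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+ "
    r".*: zone transfer .* denied$")

def ignore_networks(ignoreip):
    # strict=False mirrors fail2ban accepting 192.168.1.1/24 as the net 192.168.1.0/24
    return [ipaddress.ip_network(tok, strict=False) for tok in ignoreip.split()]

def classify(line, now=NOW, nets=None, findtime=FINDTIME):
    """Return 'nomatch', 'ignoreip', 'too_old' or 'counted' for one log line."""
    nets = ignore_networks(IGNOREIP) if nets is None else nets
    m = LINE_RE.match(line)
    if not m:
        return "nomatch"                  # would show up as a "missed" line
    if any(ipaddress.ip_address(m["ip"]) in n for n in nets):
        return "ignoreip"                 # matched, but silently dropped by the jail
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    if ts < now - timedelta(seconds=findtime):
        return "too_old"                  # older than findtime: never counted
    return "counted"

def would_ban(log, now=NOW, maxretry=MAXRETRY):
    """IPs whose counted failures reach maxretry, i.e. what the jail would ban."""
    nets = ignore_networks(IGNOREIP)
    hits = {}
    for line in log.splitlines():
        if classify(line, now, nets) == "counted":
            ip = LINE_RE.match(line)["ip"]
            hits[ip] = hits.get(ip, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)
```

Running `would_ban(SAMPLE_LOG)` reports only 203.0.113.5: the first line falls inside ignoreip and the third is older than findtime, so fail2ban-regex counts three matches while the jail bans one.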