Hey! I'm new on the forum. Could someone please help me with the regex for this logfile:

[21/Feb/2014:18:51:17] Login failed from 192.168.1.19, username: admin, login:

I'm trying this:

failregex = Login failed from <HOST>$
            .* Blocked Login attempt for .* from <HOST>$
            Blocked username enumeration attempt from <HOST>$

My jail.conf:

enabled = true
port = http,https
filter = pellmon-auth
logpath = /usr/local/var/log/pellmonweb/error.log
maxretry = 3
bantime = 84600

The jail is starting and I receive the start mail, and the failed login is written to the above file. But the IP is not being banned! Could anyone see the obvious thing missing in the failregex?
Shouldn't it be:

Code:
[Definition]
failregex = ^\s*Login failed from <HOST>, username: admin, login:
Thank you! But there is plausibly one other thing that I have messed up too ;-)

In my logfile, /usr/local/var/log/pellmonweb/error.log, this will happen if I try to log in with empty fields:

[22/Feb/2014:18:38:45] Login failed from 192.168.1.10, username: , password:

My pellmon-auth.conf:

Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
failregex = ^\s*Login failed from <HOST>, username: admin, login:

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

And in my jail.conf:

Code:
[apache-Pellmon]
enabled = true
port = http,https,8081
filter = pellmon-auth
logpath = /usr/local/var/log/pellmonweb*/*error.log
maxretry = 3
bantime = 84600

What am I missing?
then maybe just:

Code:
[Definition]
failregex = ^\s*Login failed from <HOST>,*

not really sure though
Nope, sorry. I'm running this pellmon on the cherrypy webserver instead of apache2, which I run all my other things on. But this could not be the problem?? Or have I made some other mistake in the pointings or something else obvious in the config in my earlier post?
you need to have the right regex.... I think the example I posted should work but I'm not really good at regex either.
Hey again! It should be this way on my version:

failregex = ^.*Login failed from <HOST>,

a "." instead of "\s". Up and running, thank you for your support!
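
Added example, not part of any post in this thread: a small Python check that runs each failregex posted above against the two log lines from the thread, expanding `<HOST>` with the alias quoted in the filter file's comments. It assumes the regex is searched against the raw line exactly as logged and does not model fail2ban's own timestamp handling.

```python
import re

# <HOST> alias as quoted in the filter file comment in the thread.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Log lines as posted in the thread.
LOG_LINES = [
    "[21/Feb/2014:18:51:17] Login failed from 192.168.1.19, username: admin, login:",
    "[22/Feb/2014:18:38:45] Login failed from 192.168.1.10, username: , password:",
]

# failregex candidates in the order they were posted.
CANDIDATES = [
    r"Login failed from <HOST>$",
    r"^\s*Login failed from <HOST>, username: admin, login:",
    r"^\s*Login failed from <HOST>,*",
    r"^.*Login failed from <HOST>,",
]


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


def matched_host(pattern, line):
    """Return the captured host if the pattern matches the line, else None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def evaluate(candidates=CANDIDATES, lines=LOG_LINES):
    """Map each candidate to the host it extracts from each log line."""
    return {p: [matched_host(p, line) for line in lines] for p in candidates}


if __name__ == "__main__":
    for pattern, hosts in evaluate().items():
        print(pattern)
        for line, host in zip(LOG_LINES, hosts):
            # A miss means no failure is counted, so no ban would follow.
            print("   ", "host=" + host if host else "no match", "|", line)
```

The authoritative check is fail2ban's own tester, for example `fail2ban-regex /usr/local/var/log/pellmonweb/error.log /etc/fail2ban/filter.d/pellmon-auth.conf` (the filter path is an assumed default location, not stated in the thread).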