fail2ban fails to ban
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fail2ban (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Some months ago I set up a server with fail2ban for ssh and wordpress. Initially it worked but since then it seems to have stopped working correctly and now nothing is ever banned.
The only modified config files are filter.
wordpress.filter:
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = wordpress
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{
# Values: TEXT
#
failregex = ^%(__prefix_
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
jail.local:
[DEFAULT]
ignoreip = 127.0.0.0/8 83.104.131.111
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http
protocol = tcp
bantime = 3600
maxretry = 10
Running:
fail2ban-regex -v auth.log /etc/fail2ban/
shows many hits from the same IP a few seconds apart, which should definitely have triggered a ban. For example:
| 82.165.145.148 Wed Dec 31 05:17:24 2014
| 82.165.145.148 Wed Dec 31 05:17:27 2014
| 82.165.145.148 Wed Dec 31 05:17:30 2014
| 82.165.145.148 Wed Dec 31 05:17:32 2014
| 82.165.145.148 Wed Dec 31 05:17:36 2014
| 82.165.145.148 Wed Dec 31 05:17:39 2014
| 82.165.145.148 Wed Dec 31 05:17:42 2014
| 82.165.145.148 Wed Dec 31 05:17:44 2014
| 82.165.145.148 Wed Dec 31 05:17:48 2014
| 82.165.145.148 Wed Dec 31 05:17:51 2014
| 82.165.145.148 Wed Dec 31 05:17:54 2014
| 82.165.145.148 Wed Dec 31 05:17:56 2014
| 87.106.151.114 Wed Dec 31 05:17:56 2014
| 82.165.145.148 Wed Dec 31 05:17:59 2014
| 87.106.151.114 Wed Dec 31 05:17:59 2014
| 87.106.151.114 Wed Dec 31 05:18:02 2014
| 87.106.151.114 Wed Dec 31 05:18:06 2014
| 87.106.151.114 Wed Dec 31 05:18:08 2014
| 87.106.151.114 Wed Dec 31 05:18:12 2014
| 87.106.151.114 Wed Dec 31 05:18:16 2014
| 87.106.151.114 Wed Dec 31 05:18:19 2014
| 87.106.151.114 Wed Dec 31 05:18:21 2014
| 82.165.145.148 Wed Dec 31 05:19:06 2014
| 82.165.145.148 Wed Dec 31 05:19:10 2014
| 82.165.145.148 Wed Dec 31 05:19:13 2014
| 82.165.145.148 Wed Dec 31 05:19:15 2014
| 82.165.145.148 Wed Dec 31 05:19:18 2014
| 82.165.145.148 Wed Dec 31 05:19:22 2014
| 82.165.145.148 Wed Dec 31 05:19:25 2014
| 82.165.145.148 Wed Dec 31 05:19:27 2014
| 82.165.145.148 Wed Dec 31 05:19:30 2014
However my /var/log/
2014-12-28 06:25:04,457 fail2ban.server : INFO Changed logging target to /var/log/
- Indicating no bans at all took place in the past three days.
Similar bugs are also reported by others in various places such as Stack Exchange, for example:
http://
http://
https:/
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: fail2ban 0.8.11-1
ProcVersionSign
Uname: Linux 3.13.0-35-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Thu Jan 1 21:47:00 2015
PackageArchitec
SourcePackage: fail2ban
UpgradeStatus: No upgrade log present (probably fresh install)
Possibly related:
https://github.com/fail2ban/fail2ban/issues/44
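An added example, not part of the original report and not fail2ban's own code: it replays hit lines in the `| <ip> <timestamp>` shape shown in the fail2ban-regex output above through a simplified sliding-window count, to check offline whether the jail's `maxretry = 10` would have been reached. Assumptions: `findtime` is fail2ban's default of 600 seconds (jail.local above does not set it), the function names are hypothetical, and the sample hits are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 10   # from the [wordpress] jail above
FINDTIME = 600  # assumption: fail2ban's default; jail.local above does not set it
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
HIT_RE = re.compile(
    r"^\|\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4})\s*$")


def sample_lines():
    """Constructed hits (documentation IPs), not taken from the report."""
    start = datetime(2014, 12, 31, 5, 17, 24)
    plan = [("203.0.113.5", 12, 3),   # 12 hits, 3 s apart: crosses maxretry
            ("198.51.100.7", 4, 3),   # 4 hits: stays below maxretry
            ("192.0.2.9", 10, 90)]    # 10 hits over 810 s: never 10 in one window
    return ["| %s %s" % (ip, (start + timedelta(seconds=i * gap)).strftime(TS_FORMAT))
            for ip, count, gap in plan for i in range(count)]


def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the hit that reaches maxretry within findtime}."""
    events = []
    for line in lines:
        m = HIT_RE.match(line)
        if m:  # skip headers and anything that is not a hit line
            events.append((datetime.strptime(m.group(2), TS_FORMAT), m.group(1)))
    window = defaultdict(deque)
    bans = {}
    for ts, ip in sorted(events):
        if ip in bans:
            continue  # already over the threshold; first crossing is what matters
        recent = window[ip]
        recent.append(ts)
        # Drop hits that fell out of the findtime window ending at this hit.
        while recent[0] < ts - timedelta(seconds=findtime):
            recent.popleft()
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in would_ban(sample_lines()).items():
        print("%s would be banned at %s" % (ip, when))
```

Feeding it the hit lines printed by fail2ban-regex shows whether the jail's thresholds were crossed, independently of what the running server logged.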