From e3319bc753d33c2cb83ed47f068f3bbba8b91a69 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Fri, 20 Oct 2017 12:34:21 +0200 Subject: [PATCH] small enhancements (datepattern, timezone, etc.) --- How-fail2ban-works.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/How-fail2ban-works.md b/How-fail2ban-works.md index ad1faff..67300cb 100644 --- a/How-fail2ban-works.md +++ b/How-fail2ban-works.md @@ -17,8 +17,12 @@ Each failure (attempt) will be logged in `fail2ban.log` as:
` INFO [jail] Found 192.0.2.25`
First if you'll see at least 5 such lines with this IP address within 10 minutes, the IP goes banned and you should see:
` NOTICE [jail] Ban 192.0.2.25`
+- no matching date-time pattern or wrong date-time pattern specified for the jail resp. filter via `datepattern`, thus it does not match the log-line at all; +- be careful with `%` character in fail2ban configurations (because of the python-config, it should be dual-escaped `%%`); +- note the time of values that fail2ban recognizes from the log-file will be converted using the system time zone (if not specified different) - be sure that the times, written from the corresponding service into the log, are not too old for the fail2ban; - each failure should match a regular expressions (from stock fail2ban or local customized in jail.local, some filter from `/etc/fail2ban/filter.d`, etc). It may be, that the expression or some part of it is not good enough. You can use another fail2ban tool `fail2ban-regex` to check resp. build your own `failregex`. +Note: fail2ban tries to search the match not the original string - the datetime value (matched `datepattern`) will be cut out from it before searching. - the banning action is not specified resp. something going wrong by execution of the ban-action. For example if iptables action used, you can verify it by checking of iptables entries, where you should find the fail2ban jail name (prefixed with `f2b-`) as chain and the rule corresponding the IP address.
Mostly you'll see then too many log-lines like following in the `fail2ban.log`:
` NOTICE [jail] 192.0.2.25 already banned`
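Review bot: the added `+Note: fail2ban tries to search the match not the original string ...` paragraph is placed between two `-` list items, so it will split the markdown list in two; indent it as a continuation of the `failregex` item (or fold it into that item's text) so the list stays intact, and reword it to say what it means: the `failregex` is matched against the log line with the `datepattern` match already removed, not against the original line, so a `failregex` that repeats the date part will never match. The three new bullets also need tightening: "resp." (used twice in this hunk) reads as a Germanism, `the jail resp. filter` should be `the jail or filter`; "be careful with `%` character ... dual-escaped `%%`" should state concretely that, because the Python config parser treats `%` specially, a date directive such as `%Y` has to be written `%%Y` in `datepattern`; and "note the time of values that fail2ban recognizes ... (if not specified different)" should read "the timestamps fail2ban parses from the log file are interpreted in the system time zone unless a different one is specified" and should name the option the reader is expected to set, since the subject line promises a timezone enhancement but the text leaves the reader without it. Finally the hyphen in "not too old for the fail2ban" should drop the article: "not too old for fail2ban".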