I have trouble setting up fail2ban to check the nginx error log for failed http auth entries. Even though the provided failregex works, fail2ban just seems to skip the jail config.
I've already tried setting loglevel to 4, but there's no info about any failure regarding the nginx jail. Also I figured the timestamp in the logfiles has to match the system time, which is of course the case already.
Strangely the other jail I have setup (ssh) works perfect. I'm out of ideas, maybe you got one. Here is hopefully all the info you need. Thanks.
fail2ban.conf
[Definition]
loglevel = 3
logtarget = /var/example/logs/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
jail.conf
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 60
findtime = 600
maxretry = 3
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
logpath = /var/log/auth.log
[nginx]
enabled = true
filter = nginx-auth
action = iptables-allports[name=nginx, protocol=all]
logpath = /var/example/logs/nginx-error.log
filter.d/nginx-auth.conf
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
user .* was not found in.*client: <HOST>
user .* password mismatch.*client: <HOST>
ignoreregex =
fail2ban-regex /var/example/logs/nginx-error.log /var/example/config/fail2ban/filter.d/nginx-auth.conf
Running tests
=============
Use regex file : /var/example/config/fail2ban/filter.d/nginx-auth.conf
Use log file : /var/example/logs/nginx-error.log
Results
=======
Failregex
|- Regular expressions:
| [1] no user/password was provided for basic authentication.*client: <HOST>
| [2] user .* was not found in.*client: <HOST>
| [3] user .* password mismatch.*client: <HOST>
|
`- Number of matches:
[1] 60 match(es)
[2] 0 match(es)
[3] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:08 2011)
192.168.153.1 (Fri Sep 02 14:08:09 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
[2]
[3]
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
240 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 60
Best Answer
I had the same problem - turns out that it was a timezone issue.
I was on GMT when syslogd/sshd were started, so /var/log/secure and /var/log/messages wrote their timestamps in GMT. However, I since fixed the tzdata to my local timezone and then started fail2ban. Now fail2ban was confused because all the events were 7 hours ahead of its time, and as such not within the "findtime" range.
The simple solution was to simply restart syslogd and sshd so they'd pick up the new timezone. Now fail2ban blocks like a champ.