I'm trying to use the fail2ban-regex command to test my filter and regex, but it doesn't seem to be having any luck. I used a tutorial to demonstrate how to use the Devise gem with Rails to log failed logins.
Here's my /etc/fail2ban/filter.d/core.conf file:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
And here's what I have in my /etc/fail2ban/jail.conf file.
[core]
enabled = true
filter = core
port = http,https
logpath = /home/rails/Documents/rails_app/devise.log
bantime = 3600
findtime = 600
maxretry = 2
And here's an example output from the devise.log file that Rails created:
# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:19Z
E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:21Z
E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:23Z
It's exactly what was used in the tutorial. However, when I submitted invalid login attempts, nothing happened.
Here's the result of my fail2ban-regex command:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log "^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"
Running tests
=============
Use failregex line : ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.02 sec]
|- Missed line(s):
| E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:19:41Z
| E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:17Z
| E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:19Z
| E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:21Z
| E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:23Z
| E, [2018-09-26T16:27:24.959032 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:24Z
| E, [2018-09-26T16:27:26.661292 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:26Z
| E, [2018-09-26T16:27:28.297408 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:28Z
| E, [2018-09-26T16:27:30.179503 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:30Z
| E, [2018-09-26T16:27:31.940616 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:31Z
| E, [2018-09-26T16:32:42.579173 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:42Z
| E, [2018-09-26T16:32:44.817088 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:44Z
| E, [2018-09-26T16:32:46.660918 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:46Z
Not sure why this isn't working. Any suggestions by chance? I've tried to manipulate my regex, but still no luck.
EDIT
It literally seems like Fail2Ban is broken or I'm just completely screwing up the regex. I've reduced my devise.log file to just a single line containing an IP address, and reduced my filter down to just this:
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>
and it STILL doesn't even find the IP address:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log core.conf
Running tests
=============
Use failregex filter file : core, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 172.16.38.1
`-
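The following is an added example, not code from the question or from fail2ban itself. It emulates the two steps fail2ban performs on every log line (locate the timestamp and cut it out of the line, then run failregex over what is left) so the two results above can be reproduced offline and a candidate failregex can be checked. The date regex is an approximation of the ISO-8601 template fail2ban-regex reported in the first run, the `<HOST>` stand-in is IPv4 only, the sample log lines are constructed in the format the question shows (the third one carries a hostile username that tries to smuggle a fake `from <ip> at` into the message), and the treatment of a dateless line as a miss is an assumption consistent with the second run. The replacement failregex is a suggestion, not something from the tutorial.

```python
import re

# Constructed sample log in the Devise/Rails logger format from the question (not the
# question's own file). The third line has a crafted username containing
# "' from 9.9.9.9 at" to test whether the regex can be tricked into banning the wrong host.
SAMPLE_LOG = """# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'alice@example.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'bob@example.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'x' from 9.9.9.9 at' from 203.0.113.7 at 2018-09-26T21:27:19Z
172.16.38.1"""

# Approximation (assumption) of the date template fail2ban-regex reported:
# Year-Month-Day(T| )24hour:Minute:Second[.Microseconds][ Zone offset]
DATE_RE = re.compile(
    r"\d{4}(?P<sep>[-/.])\d{2}(?P=sep)\d{2}(?:T| ?)\d{2}:\d{2}:\d{2}"
    r"(?:[.,]\d{1,6})?(?:\s*(?:Z|[+-]\d{2}:?\d{2}))?"
)

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only, named group "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the question, unchanged.
TUTORIAL_FAILREGEX = r"^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"

# Candidate replacement (assumption, not from the tutorial). It accepts the
# "E, [ #pid] ERROR -- : " prefix that remains once the bracketed timestamp has been
# cut out, and "at \S*$" tolerates the trailing UTC timestamp whether or not the
# date detector removed it. The anchored tail also forces the *last* "from <HOST> at"
# to be used, so a quote inside the username cannot redirect the ban.
FIXED_FAILREGEX = r"^E, \[.*?#\d+\] ERROR -- : Failed login for '.*' from <HOST> at \S*$"


def strip_date(line):
    """Emulate fail2ban's first step: find the timestamp and cut it out of the line.

    Returns (line_without_date, date_text); date_text is None when nothing matched.
    """
    m = DATE_RE.search(line)
    if m is None:
        return line, None
    return line[:m.start()] + line[m.end():], m.group(0)


def compile_failregex(failregex):
    """Expand <HOST> (simplified) and compile the failregex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def find_failures(log_text, failregex):
    """Run failregex over each line the way fail2ban does: date first, regex second.

    Returns one (host, remaining_line) tuple per line; host is None for a miss.
    A line with no recognisable date is treated as a miss without trying the regex
    (assumption, consistent with the second fail2ban-regex run in the question).
    """
    rx = compile_failregex(failregex)
    results = []
    for raw in log_text.splitlines():
        line, date = strip_date(raw)
        if date is None:
            results.append((None, line))
            continue
        m = rx.search(line)
        results.append((m.group("host") if m else None, line))
    return results


def matched_hosts(log_text, failregex):
    """Host found on each line, None where the line was missed."""
    return [host for host, _ in find_failures(log_text, failregex)]


if __name__ == "__main__":
    for name, rx in (("tutorial", TUTORIAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{name}: {matched_hosts(SAMPLE_LOG, rx)}")
    print("after date removal:", strip_date(SAMPLE_LOG.splitlines()[1])[0])
```

With the tutorial regex every line is a miss, because after the bracketed timestamp is removed the line still begins with `E, [ #12157] ERROR -- : ` rather than `Failed login`, and it still ends with the UTC timestamp rather than `at `; with the candidate regex the two genuine lines yield `172.16.38.1`, the crafted line yields the real client `203.0.113.7`, and the bare-IP line is a miss because it carries no timestamp at all. This emulation is a diagnostic aid only: confirm any candidate failregex with the real `fail2ban-regex` against the live log, since the real date detector and `<HOST>` expansion are broader than the stand-ins here.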