Fail2ban regex working but not banning. DNS warning instead
I had the following problem (already solved) with fail2ban and misplaced it on Stack Overflow, so I'm putting it here now.
So, I've been reading issues for some days and don't seem to find a solution anywhere. I'm running some tests in a web server lab: I have set up two VMs (Ubuntu 20.04), a server and a client. On the server I have a PHP login app configured to write this log entry whenever someone fails to log in.
root@local:/var/log/apache2# tail -f error.log
[Fri Jun 18 10:13:37.657446 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php
[Fri Jun 18 10:13:41.434454 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php
[Fri Jun 18 10:13:46.236750 2021] [php7:notice] [pid 2465] [client 192.168.1.11:44750] [error] failed login, referer: http://192.168.1.10/index.php
And Fail2Ban v0.10.2 configured to catch it. /etc/fail2ban/jail.local:
[login-ban]
enabled = true
port = http,https
filter = login-ban
logpath = /var/log/apache2/error.log
maxretry = 3
findtime = 180
bantime = 60
/etc/fail2ban/filter.d/login-ban.conf:
[Definition]
failregex = ^\[.*\]\s\[.*]\s\[.*].*\[client.*<HOST>\].*\[error\].*
ignoreregex =
Now, the regex works perfectly, if I check with fail2ban-regex:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/login-ban.conf --print-all-matched
I get
|- Matched line(s):
| [Fri Jun 18 10:36:07.312503 2021] [php7:notice] [pid 780] [client 192.168.1.11:44754] [error] failed login, referer: http://192.168.1.10/index.php
| [Fri Jun 18 10:36:14.417955 2021] [php7:notice] [pid 784] [client 192.168.1.11:44756] [error] failed login, referer: http://192.168.1.10/index.php
But fail2ban is not banning the IP and the fail2ban.log is throwing me a DNS warning:
2021-06-18 10:50:22,083 fail2ban.ipdns [2154]: WARNING Determined IP using DNS Lookup: 8 = {'0.0.0.8'}
2021-06-18 10:50:22,085 fail2ban.filter [2154]: INFO [login-ban] Found 0.0.0.8 - 2021-06-18 10:50:22
I've tried setting the usedns parameter to 'no' and to 'raw'; the only thing that accomplished was getting rid of the DNS warning in the log. Still no banning, and the host that was trying to log in was not recorded.
I hope this is enough info, and that this will help someone out there as much as me.
SOLUTION
User @sebres answered me:
just stop using catch-alls (.* etc.), e.g. one correction to make it work could be
- ... \[client.*<HOST>\] ...
+ ... \[client <HOST>:\d+\] ...
RE .* is greedy, so it matches as many chars as possible, and <HOST> can match anything (a hostname), not only the address; better use <ADDR> instead if your fail2ban version is >= 0.10.
And your whole expression is "vulnerable" due to several catch-alls (so the anchor is not really taken into account).
*** So I made the change he suggested; it ended up like this:
^\[.*\[client <ADDR>:\d+\].*\[error\].*
now everything is working as it should. Hope it helps!
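To show why the original filter produced the 0.0.0.8 entry, here is a small Python script, added here as an example; it is not part of the original post or of fail2ban itself. It runs the three filter variants (the original, sebres' <HOST> version without the catch-all, and the final <ADDR> version) against a few constructed log lines in the same Apache error.log format. The <HOST> and <ADDR> templates are replaced with simplified regexes (the hostname branch of <HOST> and an IPv4-only <ADDR>); that is an assumption made for the example, since fail2ban's real templates are alternations that also cover IPv6. With the original pattern the greedy .* before <HOST> swallows the address, and the host group ends up being the last digit of the client port ("8" for port 44758), which fail2ban then treats as a hostname and resolves to 0.0.0.8.

```python
import re

# Constructed sample lines in the Apache error.log format from the question
# (addresses, PIDs and ports are made up for this example). The third line has
# no "[error]" and must not match any of the filters.
SAMPLE_LOG = [
    "[Fri Jun 18 10:50:22.083122 2021] [php7:notice] [pid 2465] "
    "[client 192.168.1.11:44758] [error] failed login, referer: http://192.168.1.10/index.php",
    "[Fri Jun 18 10:50:25.417955 2021] [php7:notice] [pid 784] "
    "[client 192.168.1.11:44756] [error] failed login, referer: http://192.168.1.10/index.php",
    "[Fri Jun 18 10:50:30.000000 2021] [php7:notice] [pid 784] "
    "[client 10.0.0.7:51000] successful login, referer: http://192.168.1.10/index.php",
]

# Simplified stand-ins for fail2ban's <HOST> and <ADDR> tags (assumption made
# for this example: only the hostname branch of <HOST> and the IPv4 branch of
# <ADDR> are reproduced; the real templates are alternations that add IPv6).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"              # <HOST>: hostname or address
ADDR_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"   # <ADDR>: IPv4 only here

FILTERS = {
    # original filter from the question: catch-all .* right before <HOST>
    "original": r"^\[.*\]\s\[.*]\s\[.*].*\[client.*" + HOST_RE + r"\].*\[error\].*",
    # sebres' correction: literal context around the tag, no catch-all
    "no-catch-all": r"^\[.*\[client " + HOST_RE + r":\d+\].*\[error\].*",
    # final filter from the question: <ADDR> instead of <HOST>
    "final": r"^\[.*\[client " + ADDR_RE + r":\d+\].*\[error\].*",
}


def extract_hosts(pattern, lines):
    """Return the <host> group captured for each line, or None when the line
    does not match. This is the value fail2ban would hand to its ban logic."""
    rx = re.compile(pattern)
    out = []
    for line in lines:
        m = rx.search(line)
        out.append(m.group("host") if m else None)
    return out


def compare_filters(lines=SAMPLE_LOG):
    """Run every filter variant over the sample lines and collect the hosts."""
    return {name: extract_hosts(pat, lines) for name, pat in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in compare_filters().items():
        print(f"{name:13s} -> {hosts}")
```

The "original" entry shows a single digit per failed-login line instead of the client address, which is exactly what the "Determined IP using DNS Lookup: 8" warning in fail2ban.log reflects; the other two variants capture 192.168.1.11, and none of them match the successful-login line. The same check can be run against a real filter with fail2ban-regex as in the question; the point of the script is only to make the greedy backtracking visible.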