Fail2ban jail not working - backend?

I’m tired of linodeusercontent attempting to hack my server. I don’t care if it’s benign or not. I’m sick of them.

I created a filter in /etc/fail2ban/filter.d/linodeuser.conf

[Definition]
failregex = .*googleusercontent.*
ignoreregex =

I then created a jail, in /etc/fail2ban/jail.local

[apache-linode]
enabled = true
filter = linodeuser
logpath = /var/log/secure
maxretry = 3
bantime = -1
action = %(action_mw)s
destemail = root@localhost

Fail2ban loads with no errors and all the other jails work fine, but
fail2ban-client test linodeuser gives me an error, and all I can glean is that the error message has something to do with the backend (which is set to auto).

Can anyone shed light?

Exactly what is the error being reported?
Which version of Rocky Linux and fail2ban are in use?

Without any of these details, the best suggestion I have is for you to change your backend setting from “auto” to “systemd” then restart the fail2ban service – that was required on CentOS 7 before things would work…

What are backends for fail2ban? Aren’t there basically two sets:

  • The logs that it reads for events (systemd has journald, but the syslog is still around)
  • How firewall is updated (ruleset is in kernel, but to talk directly or to FirewallD – if directly, it should be nftables-based)

When I start the Fail2ban server, it starts fine. All the built-in jails that are eligible are working; most are Apache. For example:

[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 3
bantime = -1
action = %(action_mw)s
destemail = root@localhost

There is no error, BUT in the logwatch log there are pages and pages of errors and the jail doesn’t work. I tried changing the backend to systemd by adding the line backend - systemd in that jail and it had no effect.

I’ve also picked up another problem I’d like a jail for. My Logwatch this morning showed 52 x 404 errors with files ending in .php. Yesterday it was 37.

I have a jail for 404 errors, it’s set to 2 retries, and I catch dozens, so it works for sure… All the attempts to access files ending in .php were only a single attempt each. What if the same people do this every day?

I doubt even a jail to stop .php errors would help: if they only make one attempt it won’t stop them, but it does suck up a load of bandwidth. Is there any other way to stop these idiots?

Solved it. Missing quotes; it should be:

[Definition]
failregex = '.*linodeusercontent.*'<HOST>
ignoreregex =

Logpath goes in jail.local; it doesn’t matter what it is as long as it’s the correct one. I used logpath = %(apache_access_log)s.

I also did the same for binaryedge.ninja. The Google ones are OK.
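Both problems in this thread, the filter that loads but never bans and the single-attempt .php probes that a maxretry = 2 jail never catches, can be reasoned about offline. The script below is an added example, not code from the thread or from fail2ban itself: it re-implements, in a few lines, how fail2ban expands <HOST> into a named regex group, why a failregex with no host group is rejected, and how a jail's maxretry decides when a host is banned. The log lines are constructed (documentation IP ranges; the linodeusercontent.com hostname is made up), the last line assumes Apache's HostnameLookups is on so the client field is a reverse-DNS name, and the host pattern is fail2ban's default, slightly simplified. findtime is ignored, so every line counts as being inside one window.

```python
# Added example, not from the thread or from fail2ban: a tiny model of the
# part of fail2ban that matters here. A failregex must carry <HOST> (or a
# named "host" group), <HOST> expands to a named group, and a jail bans a
# host once its matches reach maxretry.
import re
from collections import defaultdict

# What fail2ban substitutes for <HOST>: an IPv4/IPv6 address or a hostname.
# Copied from fail2ban's default and slightly simplified for this example.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> and compile; like fail2ban, refuse a regex with no host group."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    if "host" not in rx.groupindex:
        # fail2ban reports this from fail2ban-regex or at jail start (the exact
        # wording differs between versions). Without a host there is nothing to ban.
        raise ValueError("no 'host' group in failregex: %s" % failregex)
    return rx


def is_valid_failregex(failregex):
    try:
        compile_failregex(failregex)
        return True
    except ValueError:
        return False


def find_failures(failregex, log_lines):
    """Hosts captured by failregex, one entry per matching line (fail2ban scans line by line)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, log_lines) if m]


def bans(failregex, log_lines, maxretry):
    """Hosts a jail with this maxretry would ban, in ban order (findtime ignored)."""
    counts = defaultdict(int)
    banned = []
    for host in find_failures(failregex, log_lines):
        counts[host] += 1
        if counts[host] == maxretry:
            banned.append(host)
    return banned


# Constructed Apache combined-format access log (documentation IP ranges).
# The last line assumes HostnameLookups On, so the client field is a name.
ACCESS_LOG = [
    '203.0.113.10 - - [12/Jan/2024:06:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:06:01:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:06:02:15 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/Jan/2024:06:03:20 +0000] "GET /missing.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203-0-113-42.ip.linodeusercontent.com - - [12/Jan/2024:06:04:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

# Three ways of writing the "linodeusercontent" filter:
LINODE_NO_HOST = r".*linodeusercontent.*"               # rejected: no host to ban
LINODE_HOST_AT_END = r".*linodeusercontent.*<HOST>"     # compiles, but the greedy .* leaves
                                                        # only the last "0" of "Mozilla/5.0" for <HOST>
LINODE_OK = r"^(?P<host>\S+\.linodeusercontent\.com) "  # captures the client name itself

# Single .php probes: a 404 for any *.php path. Pair this with maxretry = 1.
PHP_404 = r'^<HOST> .*"(?:GET|POST|HEAD) \S*\.php(?:\?\S*)? HTTP/[\d.]+" 404 '
# A plain 404 filter, as in the poster's maxretry = 2 jail.
ANY_404 = r'^<HOST> .*" 404 '


if __name__ == "__main__":
    print(is_valid_failregex(LINODE_NO_HOST))            # False
    print(find_failures(LINODE_HOST_AT_END, ACCESS_LOG))  # ['0']
    print(find_failures(LINODE_OK, ACCESS_LOG))           # ['203-0-113-42.ip.linodeusercontent.com']
    print(bans(PHP_404, ACCESS_LOG, maxretry=1))          # both probing IPs, on their first .php 404
    print(bans(ANY_404, ACCESS_LOG, maxretry=2))          # only 203.0.113.10; 198.51.100.7 had one 404
```

The second case is the one to watch for: a regex that "works" in the sense of compiling and matching, but captures something other than the client, so fail2ban either bans nothing or tries to resolve junk as a hostname. Against the real log the equivalent check is fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/linodeuser.conf, which reports how many lines matched and, with --print-all-matched, which hosts were captured; if the host column does not look like your clients, the <HOST> placement is wrong.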
