Fail2ban doesn't read IP from logfile

asked 2018-03-08 03:43:16 -0500

Woti gravatar image

I'm using Fedora 27 server edition with Nextcloud 13 installed. I followed this guide to harden both apache and Nextcloud and to get A+ as well as to get working Let's encrypt. This was working very well and the results was as expectet but I do not get fail2ban to read IP's in the var/log/nextcloud/nextcloud.log file. I've createt filter nextcloud.conf and jail nextcloud.local as described. The jail is running too:

fail2ban-client status Status |- Number of jail: 1 `- Jail list: nextcloud Nextcloud jail ist aktiv.

fail2ban-client status nextcloud Status for the jail: nextcloud |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - File list: /var/log/nextcloud/nextcloud.log - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list: At least, one IP should be banned here.

fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf Failregex: 0 total Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [5] ExYear(?P[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)? `- Lines: 5 lines, 0 ignored, 0 matched, 5 missed |- Missed line(s): Here follows the same content as in the nextcloud.log file. I don't know whether it is right or not.

I can try myself with wrong logins in the Nextcloud login but I just get a time out after 5 wrong attempts. Everything is written in det nextcloug.log but fail2ban does nothing. I've realized that SELinus is blocking fail2ban-server for waching /var/log/nextcloud. I need a policy her? If I setenforce 0 fail2ban-server is watching but nothing happens anyway.

Best regards, Woti

edit retag flag offensive close merge delete


fail2ban-regex should show you the results if you had your fail2ban filter configured and log with matching message. Regex from the guide you used looks for lines with "Login failed" in the log, try to check if there are actually such lines in the log.

pessoft gravatar imagepessoft ( 2018-03-08 15:36:39 -0500 )edit