fail2ban: add custom rule

How to add a custom rule (filter + jail) to fail2ban.

1. Find regexp

First of all we need to find a line in the log file that records a failed login attempt. For example, here is a line from one of my services recording an incorrect password:

Passcode incorrect; userId [100500]; 80.80.100.100

Here you can see the message from the service and the client IP address. We need to transform this line into a regular expression that captures the IP address, using the <HOST> placeholder in place of the address itself:

Passcode incorrect; userId \[.*\]; <HOST>

2. Create Filter

Create a new filter file in the filter.d directory, for example /etc/fail2ban/filter.d/myservice.conf, containing your regex:

[Definition]
failregex = Passcode incorrect; userId \[.*\]; <HOST>

If you want to exclude some lines from matching, use ignoreregex (note that dots must be escaped, since an unescaped dot matches any character). For example:

ignoreregex = 192\.168\.0\.1

Then test it using the fail2ban-regex command:

fail2ban-regex /var/log/myservice.log /etc/fail2ban/filter.d/myservice.conf /etc/fail2ban/filter.d/myservice.conf

Format: fail2ban-regex <log file> <filter> <ignore-filter>

If you use ignoreregex, you must pass the third parameter (the same filename); otherwise your ignoreregex will not be tested!

You will get output like this:

Lines: 15390 lines, 1 ignored, 5 matched, 15384 missed

3. Create Rule

Create a new file in the jail.d directory, for example myservice.conf, with your rule:

# service name
[myservice]
# turn on/off
enabled  = true
# ports to ban (numeric or text)
port     = http,https
# filter from previous step
filter   = myservice
# file to parse
logpath  = /var/log/myservice.log
# ban rule:
# 5 failures within 1 minute (60 seconds)
maxretry = 5
findtime = 60
# ban for 10 minutes (600 seconds)
bantime  = 600

Test it by restarting fail2ban and checking the jail status:

service fail2ban restart
fail2ban-client status
fail2ban-client status myservice
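To see how the filter and the jail settings above work together, here is an added example (not part of the original post and not fail2ban's own code) that applies the failregex and ignoreregex from step 2 to constructed, timestamped log lines and counts failures per host within findtime, the way the jail does. The <HOST> expansion is an assumption of the example and matches IPv4 only; real fail2ban also matches IPv6 addresses and hostnames.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expansion; assumed IPv4-only here
# (the real pattern also matches IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r"Passcode incorrect; userId \[.*\]; <HOST>"   # from the filter
IGNOREREGEX = r"192\.168\.0\.1"                            # from the filter
MAXRETRY, FINDTIME = 5, 60                                 # from the jail

# Constructed log lines in the form "YYYY-MM-DD HH:MM:SS message".
SAMPLE_LOG = [
    "2024-01-01 10:00:00 Passcode incorrect; userId [100500]; 80.80.100.100",
    "2024-01-01 10:00:10 Passcode incorrect; userId [100500]; 80.80.100.100",
    "2024-01-01 10:00:20 Passcode incorrect; userId [100500]; 80.80.100.100",
    "2024-01-01 10:00:30 Passcode incorrect; userId [100500]; 80.80.100.100",
    "2024-01-01 10:00:40 Passcode incorrect; userId [100500]; 80.80.100.100",
    "2024-01-01 10:00:45 Passcode incorrect; userId [7]; 192.168.0.1",
    "2024-01-01 10:05:00 Passcode incorrect; userId [42]; 10.0.0.5",
    "2024-01-01 10:07:00 Passcode incorrect; userId [42]; 10.0.0.5",
    "2024-01-01 10:07:05 Passcode accepted; userId [42]; 10.0.0.5",
]

def compile_failregex(failregex):
    # Turn the <HOST> placeholder into a capturing group, as fail2ban does.
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def evaluate(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
             maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (stats, banned): fail2ban-regex style counts, and host -> ban time."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    window = timedelta(seconds=findtime)
    attempts, banned = {}, {}
    stats = {"matched": 0, "ignored": 0, "missed": 0}
    for line in lines:
        ts, msg = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]
        if ignore and ignore.search(msg):      # ignoreregex is checked first
            stats["ignored"] += 1
            continue
        m = fail.search(msg)
        if not m:
            stats["missed"] += 1
            continue
        stats["matched"] += 1
        host = m.group("host")
        # Keep only this host's failures inside the findtime window, plus this one.
        recent = [t for t in attempts.get(host, []) if ts - t <= window] + [ts]
        attempts[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned[host] = ts
    return stats, banned
```

Only 80.80.100.100 reaches five failures inside 60 seconds and gets banned; 10.0.0.5 fails twice but two minutes apart, so its window never fills, and the 192.168.0.1 line is dropped by ignoreregex before failregex is ever applied.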
