mysql-auth doesn't ban to attacker #3225
Hello everyone. I configured /etc/fail2ban/jail.local for ssh and other services like mysql-auth. SSH attackers have been blocked as expected. MySQL attackers are not being banned, although the log and fail2ban-regex match exactly the attack log and type.

    # systemctl status fail2ban.service
    feb 18 14:46:16 DB_S systemd[1]: Starting Fail2Ban Service...

/var/log/mysql/error.log (I was forced to configure mysql to log_error_verbosity = 3 to see the error log)

Extract of /etc/fail2ban/jail.local

I did try testing the regexp and it matches, but nothing was banned:

    # fail2ban-regex --print-all-matches /var/log/mysql/error.log /etc/fail2ban/filter.d/mysqld-auth.conf
    fail2ban-regex: error: no such option: --print-all-matches
    Running tests
    Use failregex filter file : mysqld-auth, basedir: /etc/fail2ban
    Results
    Failregex: 43 total
    Ignoreregex: 0 total
    Date template hits:
    Lines: 52 lines, 0 ignored, 43 matched, 9 missed
    |- Matched line(s):

So, I see that everything is OK, but it doesn't work.
What do you see in fail2ban.log for mysqld-auth?

This is set by your fail2ban distribution and could be wrong if it is set to systemd (since you need to monitor log-file and not a journal).

What shows

    fail2ban-client -d | grep "'add'.*mysqld-auth"

for you? If it is

    ['add', 'mysqld-auth', 'systemd']

then it is not correct. Set

    backend = auto

there (it would use file-related backends instead).

In fail2ban.log you'd see

    [mysqld-auth] Found 192.0.2.1

for every finding of IP 192.0.2.1 and

    [mysqld-auth] Ban 192.0.2.1

for a ban.

See https://github.com/fail2ban/fail2ban/…

If you mean you may need more verbose logging you can try this:

Don't forget to restore log-level back to INFO hereafter:

And last but not least -
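The two checks from the reply (backend in the `fail2ban-client -d` dump, then `Found`/`Ban` entries in fail2ban.log) combined into one triage routine. This is an added example, not part of the thread and not fail2ban's own code; the function names, the result labels and the sample data (including the timestamp and logger prefix on the log lines) are constructed for illustration.

```python
import ast
import re

# Constructed sample data: dump lines in the ['add', jail, backend] form quoted
# in the reply, and fail2ban.log lines ending in "[jail] Found/Ban <ip>".
SAMPLE_DUMP = "['add', 'sshd', 'auto']\n['add', 'mysqld-auth', 'systemd']\n"
SAMPLE_LOG = (
    "2024-02-18 14:50:01,100 fail2ban.filter [812]: INFO [sshd] Found 192.0.2.1\n"
    "2024-02-18 14:50:03,200 fail2ban.filter [812]: INFO [sshd] Found 192.0.2.1\n"
    "2024-02-18 14:50:03,900 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.1\n"
)

# "[jail] Found <ip>" or "[jail] Ban <ip>"; "Unban" and "[pid]:" do not match.
EVENT_RE = re.compile(r"\[(?P<jail>[^\]\s]+)\] (?P<kind>Found|Ban) (?P<ip>\S+)")


def jail_backends(dump_text):
    """Map jail name -> backend from the 'add' commands of `fail2ban-client -d`."""
    backends = {}
    for line in dump_text.splitlines():
        line = line.strip()
        if not line.startswith("['add'"):
            continue
        try:
            cmd = ast.literal_eval(line)  # dump lines are Python list literals
        except (ValueError, SyntaxError):
            continue  # skip anything that is not a clean list literal
        if isinstance(cmd, list) and len(cmd) == 3:
            backends[cmd[1]] = cmd[2]
    return backends


def jail_events(log_text, jail):
    """Count Found and Ban entries for one jail in fail2ban.log text."""
    counts = {"Found": 0, "Ban": 0}
    for m in EVENT_RE.finditer(log_text):
        if m.group("jail") == jail:
            counts[m.group("kind")] += 1
    return counts


def diagnose(dump_text, log_text, jail):
    """Return a label for why a file-based jail is or is not banning."""
    backend = jail_backends(dump_text).get(jail)
    if backend is None:
        return "not-loaded"        # jail is not enabled at all
    if backend.startswith("systemd"):
        return "wrong-backend"     # journal is read, the log file is never opened
    events = jail_events(log_text, jail)
    if events["Found"] == 0:
        return "no-findings"       # filter sees nothing: check logpath and dates
    if events["Ban"] == 0:
        return "found-not-banned"  # failures counted but threshold not reached
    return "banning"
```

Feed it the saved output of `fail2ban-client -d` and the contents of fail2ban.log; `wrong-backend` is the case the reply describes, fixed by `backend = auto` in the jail.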