Filter for MariaDB #4018

robotrono · 2025-06-17T12:09:57Z

robotrono
Jun 17, 2025

I have the following Fail2Ban filter for MariaDB:

[mysqld-auth]
enabled = true
filter   = mysqld-auth
port     = 3306
maxretry = 3
bantime = 600
logpath  = /var/log/mariadb/mariadb.log

And when doing failed tests when accessing a database the status does not show anything:

Status for the jail: mysqld-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Can anyone tell me if the filter is correct?

mariadb.log is:

2025-06-16 8:38:22 5 [Warning] Access denied for user 'db'@'ip' (using password: YES)

Answered by sebres

Jun 17, 2025

2025-06-16 8:38:22 5 [Warning] Access denied for user 'db'@'ip' (using password: YES)

If the ip is really IP (just "blackened"), then it shall work (at least works with current filter).

PoC (test with fail2ban-regex)...

$ fail2ban-regex "2025-06-16  8:38:22 5 [Warning] Access denied for user 'db'@'192.0.2.100' (using password: YES)" mysqld-auth

Running tests
=============

Use             jail : mysqld-auth
Use      datepattern : {^LN-BEG} : Default Detectors
Use      single line : 2025-06-16  8:38:22 5 [Warning] Access denied for ...

...

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

Journal matches:

This means your jail monitoring systemd journal and not the log-file (probably …

View full answer

sebres · 2025-06-17T12:33:35Z

sebres
Jun 17, 2025
Maintainer

2025-06-16 8:38:22 5 [Warning] Access denied for user 'db'@'ip' (using password: YES)

If the ip is really IP (just "blackened"), then it shall work (at least works with current filter).

PoC (test with fail2ban-regex)...

$ fail2ban-regex "2025-06-16  8:38:22 5 [Warning] Access denied for user 'db'@'192.0.2.100' (using password: YES)" mysqld-auth

Running tests
=============

Use             jail : mysqld-auth
Use      datepattern : {^LN-BEG} : Default Detectors
Use      single line : 2025-06-16  8:38:22 5 [Warning] Access denied for ...

...

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

Journal matches:

This means your jail monitoring systemd journal and not the log-file (probably your default backend is systemd)...
If it must monitor the log-file instead, just add backend = auto to the jail (and then reload config with ?sudo? fail2ban-client reload).

2 replies

robotrono Jun 17, 2025
Author

I see, it worked! Thank you very much!

One more question:
All logs for Fail2Ban to be able to read them must necessarily be located in this directory: /var/log ?

sebres Jun 17, 2025
Maintainer

All logs for Fail2Ban to be able to read them must necessarily be located in this directory: /var/log ?

Basically no, but...

In certain cases it may depend... Normally, fail2ban runs as root (and shall have all the needed permissions), but...

if it is nevertheless rootless for some reason, then fail2ban user shall be able to traverse the paths and read the logfile (so would need the related permissions)
if there is SELinux (or similar thing that may additionally control file and directory accesses), the path must be allowed via its policy rules.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Filter for MariaDB #4018

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Filter for MariaDB #4018

Uh oh!

robotrono Jun 17, 2025

Replies: 1 comment · 2 replies

Uh oh!

sebres Jun 17, 2025 Maintainer

Uh oh!

robotrono Jun 17, 2025 Author

Uh oh!

sebres Jun 17, 2025 Maintainer

robotrono
Jun 17, 2025

Replies: 1 comment 2 replies

sebres
Jun 17, 2025
Maintainer

robotrono Jun 17, 2025
Author

sebres Jun 17, 2025
Maintainer