On 15/07/2015 06:22, E.B. wrote:
>>>> Reading the manual on fail2ban website, I see the section about required
>>>> timestamps at the beginning of log lines.
>>
>> URL? The fail2ban wiki is not updated much, afaik.
>
> Main site- main link to product documentation. Should be
> obvious. To me, the most prominent place new users will
> go to learn about fail2ban.
>
> Go to fail2ban.org click on "Manual (Official Fail2ban documentation)"
> Page will next have a single link on it that leads here
>
> http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
>
> So maybe it is pretty important a link is added for .9
>
>>>> But people posting sample rules around the web for Nginx which
>>>> has a default log format that starts with the IP address and does not start
>>>> with a timestamp where the rule captures the HOST anchored to beginning
>>>> of the line.
>>>>
>>>> Like:
>>>>
>>>> ^<HOST> .+ "(GET|POST)...

I, too, was really surprised to learn of such a regex when I configured my Fail2ban for HTTP some weeks ago, and asked for help.

>>>> Where log line is like
>>>>
>>>> 1.2.3.4 - - [09/Jul/2015:13:27:50 +0100] "GET / HTTP/1.1" 200 19344 ...

Like the original poster, I first thought that Fail2ban could not possibly analyse such a log line.

>>>> I tried this out and it works fine (my custom filters catch and ban
>>>> offending requests) without having the timestamp in front of the line and
>>>> the filter regex actually gobbling up the timestamp!
>>>>
>>>> So was there a change in recent fail2ban version about how timestamp is
>>>> handled? Can please explain? Also website needs to be updated?
>>
>> Sort of the 'magic' of fail2ban for it to find the timestamp within
>> the logline :) How the timestamp stuff is handled...not sure it's

I'd love to learn about this "magic" ;-)

>> been changed fundamentally in a long while. What version do you have,
>> vs what you are asking about?
>
> I have v0.9.1, I can only guess there WAS a fundamental change
> from .8 to .9, for reasons already explained above (presumably
> clear to anyone who knew .8 behavior). I was hoping someone who
> knows about that change can verify and explain it a bit (or show
> a link to Manual v.9 series).

Actually, no. I use Fail2ban v0.8.13 on Debian Jessie, and the "^<HOST>…" regex works fine for me. So the "magic" is older than that.

Cheers,

Yves.
