If it is any consolation, I've been struggling with fail2ban-regex
but I have not been able to get to the bottom of it. I could not even
get it to match ".* <host>$" or even " <host>$" (using 0.9.2). :(
Nick
On 2016-02-22 08:30, Ralf G. R. Bergs wrote:
> Hi Yaroslav, all.
>
> On 2016-02-22 01:08, Yaroslav Halchenko wrote:
>> On Sun, 21 Feb 2016, Ralf G. R. Bergs wrote:
>>
>>> Hi guys,
>>> I'm using Debian stable and can't get fail2ban working properly...
>>> :-(
>>> The loglines I want to catch look like this:
>>>> 2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36
>> There is no IPv6 support yet in Fail2Ban, so nothing would match
>>
> Good to know (although a bit disappointing that no IPv6 support yet...)
>
> But still not even IPv4 addresses are matched...
>
> Here's a copy of my original message:
>> The loglines I want to catch look like this:
>>> 2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36
>> So I put the following into common.local to overwrite the two macros in
>> common.conf:
>>> [DEFAULT]
>>> # 2016-02-21T20:37:22.417208+00:00
>>> __timestamp_re = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}
>>> # 2016-02-21T20:37:22.417208+00:00 hostname sshd[28085]:
>>> __prefix_line = %(__timestamp_re)s\s+%(__hostname)s\s+%(__daemon_combs_re)s:\s+
>> Still:
>>> # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
>>>
>>> Running tests
>>> =============
>>>
>>> Use failregex file : /etc/fail2ban/filter.d/sshd.conf
>>> Use log file : /var/log/auth.log
>>>
>>>
>>> Results
>>> =======
>>>
>>> Failregex: 0 total
>>>
>>> Ignoreregex: 0 total
>>>
>>> Date template hits:
>>> |- [# of hits] date format
>>> | [44538] ISO 8601
>>> `-
>>>
>>> Lines: 44538 lines, 0 ignored, 0 matched, 44538 missed
>>> Missed line(s): too many to print. Use --print-all-missed to print
>>> all 44538 lines
>> Any idea why my regexp is not working?
> Can you please help me find out how to get this working? Is my
> approach correct (assuming the inheritance as described above)?
>
> Kind regards,
>
> Ralf
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
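The miss that Ralf reports, reproduced as an added Python example (this is not code from fail2ban or from anyone in the thread): it models fail2ban 0.9 cutting the detected date out of each line before failregex is applied, and substitutes the IPv4/hostname pattern that 0.9 uses for <HOST>. The hostname and daemon macros are assumed stand-ins for common.conf's values, and the IPv4 line is constructed for comparison.

```python
import re

# Constructed log lines in the format shown in the thread; the IPv4 line is
# added for comparison (hostnames and addresses are illustrative only).
SAMPLE_LINES = [
    "2016-02-20T16:38:57.744887+00:00 hostname sshd[25454]: Invalid user hugo from 2001:123:4567:2c1:fc53:64af:4c60:aa36",
    "2016-02-20T16:39:12.001200+00:00 hostname sshd[25460]: Invalid user admin from 192.0.2.10",
]

# The __timestamp_re posted in the thread. fail2ban finds the date with its own
# templates (the "ISO 8601" hit in the fail2ban-regex output) and removes that
# text from the line before any failregex is tried.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")

# Assumed stand-ins for common.conf's __hostname and __daemon_combs_re macros.
HOSTNAME_RE = r"\S+"
DAEMON_RE = r"sshd(?:\[\d+\])?"

# The posted override: the prefix insists on the timestamp being present.
PREFIX_WITH_TS = rf"{TIMESTAMP_RE.pattern}\s+{HOSTNAME_RE}\s+{DAEMON_RE}:\s+"
# A prefix shaped like what remains once the date has been stripped.
PREFIX_NO_TS = rf"\s*{HOSTNAME_RE}\s+{DAEMON_RE}:\s+"

# What fail2ban 0.9 substitutes for <HOST>: an IPv4 address or hostname,
# with no IPv6 alternative, which is the limitation Yaroslav points at.
HOST_RE_09 = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def strip_date(line):
    """Model fail2ban's date handling: cut the first timestamp match out of the line."""
    m = TIMESTAMP_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def match_hosts(lines, prefix, host_re=HOST_RE_09):
    """Return the captured host per line (None = missed), as fail2ban-regex would count it."""
    pattern = rf"^{prefix}Invalid user \S+ from <HOST>\s*$".replace("<HOST>", host_re)
    rx = re.compile(pattern)
    results = []
    for line in lines:
        m = rx.match(strip_date(line))
        results.append(m.group("host") if m else None)
    return results


if __name__ == "__main__":
    print("prefix with timestamp:", match_hosts(SAMPLE_LINES, PREFIX_WITH_TS))
    print("prefix without it:    ", match_hosts(SAMPLE_LINES, PREFIX_NO_TS))
```

With the posted prefix both lines are missed because the timestamp it demands has already been removed; without it the IPv4 line matches while the IPv6 line still fails at <HOST>.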