See what date patterns fail2ban is using. Run fail2ban-regex
(change for your log file and filter) with the -v switch:
fail2ban-regex -v /var/log/httpd/access_log /etc/fail2ban/filter.d/my_apache_access.conf
I have a server using version 0.9.3 which gives:
Date template hits:
|- [# of hits] date format
| [128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
I would think 'Epoch' would match but I can't find anything online that defines
the date pattern.
I had to add a datepattern= to my_apache_access filter when I upgraded
to fail2ban 10.0 because they changed the date patterns requiring dates
to be at the beginning of the line:
# new date patterns for fail2ban-server-0.10.0-1
#| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:DAY )?MON Day ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) 24hour:Minute:Second
#| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
#| [0] {^LN-BEG}Month-Day-ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Epoch
#| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
#| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
#| [0] {^LN-BEG}ExYearExMonthExDay[T ]Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}TAI64N
#| [0] {^LN-BEG}24hour:Minute:Second
#| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
#| [0] ^MON-Day-ExYear2 24hour:Minute:Second
Ah, I finally found it:
https://docs.python.org/2/library/datetime.html#strftime-strptime-behavior
Bill
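As an added illustration (not code from this thread, from fail2ban, or from Bitbucket), the script below is a small Python stand-in for what fail2ban-regex checks on the Bitbucket Server line quoted in the report: whether the failregex matches, and whether a date can be extracted. The line-begin epoch template is a hypothetical approximation modelled on the "{^LN-BEG}Epoch" entry in the listing, and the <HOST> tag is replaced by a plain IPv4 group; both are assumptions, as is the column-anchored pattern that takes the epoch from the fourth "|"-separated field. The sample line is the one from the report, reused here as constructed test input.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the Bitbucket Server line format quoted in the report.
SAMPLE_LINE = (
    '109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | '
    '{"authentication-method":"form","error":"Invalid username or password."} | '
    '@P8404Gx1057x12380x0 | 1p1yp8q'
)

# The reporter's failregex, with fail2ban's <HOST> tag replaced by a plain
# IPv4 capture group so the check runs without fail2ban (assumption).
FAILREGEX = re.compile(
    r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \| AuthenticationFailureEvent \| '
    r'.*Invalid username or password'
)

# Hypothetical stand-in for a line-begin anchored epoch template, modelled on
# the "{^LN-BEG}Epoch" entry in the listing: 10 digits at column 0 only.
EPOCH_AT_LINE_BEGIN = re.compile(r'^(?P<epoch>\d{10})(?:\.\d{3,6})?\b')

# Column-anchored alternative (assumption): skip three "|"-separated fields,
# then take a 13-digit (milliseconds) or 10-digit (seconds) epoch from field four.
EPOCH_IN_COLUMN_4 = re.compile(r'^(?:[^|]*\|){3}\s*(?P<epoch>\d{13}|\d{10})\s*\|')


def parse_epoch(digits):
    """Convert a 10-digit (s) or 13-digit (ms) epoch string to an aware UTC datetime.

    Integer arithmetic keeps the millisecond value exact instead of routing it
    through a float timestamp.
    """
    value = int(digits)
    if len(digits) == 13:
        seconds, millis = divmod(value, 1000)
    else:
        seconds, millis = value, 0
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def find_date(line, pattern):
    """Return the timestamp `pattern` extracts from `line`, or None if no date is found."""
    m = pattern.search(line)
    return parse_epoch(m.group('epoch')) if m else None


def check_line(line):
    """Mimic fail2ban-regex: does the failregex match, and which date pattern yields a date?"""
    m = FAILREGEX.search(line)
    return {
        'matched': m is not None,
        'host': m.group('host') if m else None,
        'date_line_begin': find_date(line, EPOCH_AT_LINE_BEGIN),
        'date_column_4': find_date(line, EPOCH_IN_COLUMN_4),
    }


if __name__ == '__main__':
    for key, value in check_line(SAMPLE_LINE).items():
        print(f'{key}: {value}')
```

Run on the sample line, the failregex matches and the host is captured, the line-begin pattern yields no date (the "found a match ... but no valid date/time" situation from the report), and the column-anchored pattern yields 2018-01-20 17:37:29.551 UTC, the same second as the timestamp on fail2ban's own warning line. Note that the value in the log is 13 digits, i.e. milliseconds, so a pattern expecting a 10-digit epoch would also need to allow for that.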
On 1/20/2018 2:37 PM, Guiom wrote:
- Fail2Ban version (including any possible distribution suffixes): Fail2ban v0.9.3
- OS, including release name/version: Ubuntu 16.04.3 LTS
- [X] Fail2Ban installed via OS/distribution mechanisms
- [X] You have not applied any additional foreign patches to the codebase
- [ ] Some customizations were done to the configuration (provide details below if so)
### The issue: unable to match log entry if timestamp is in epoch format and not at the beginning of the line
_Summary here_
the offending log entry:
109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | {"authentication-method":"form","error":"Invalid username or password."} | @P8404Gx1057x12380x0 | 1p1yp8q
This is Bitbucket Server. The timestamp is in column 4 (assuming | separators).
jail.conf matches the entry but cannot extract the date:
2018-01-20 17:37:29,555 fail2ban.filter [3271]: WARNING Found a match for '109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | {"authentication-method":"form","error":"Invalid username or password."} | @P8404Gx1057x12380x0 | 1p1yp8q' but no valid date/time found for '109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | {"authentication-method":"form","error":"Invalid username or password."} | @P8404Gx1057x12380x0 | 1p1yp8q'. Please try setting a custom date pattern (see man page jail.conf(5)). If format is complex, please file a detailed issue on https://github.com/fail2ban/fail2ban/issues in order to get support for this format.
[Definition]
failregex = <HOST> | AuthenticationFailureEvent | .*Invalid username or password
ignoreregex =
Phronesis_logo <https://www.phronesis.tech>
Dr Guillaume Peersman
m: +447976918568 e: gu...@peersman.fr <mailto:gu...@peersman.fr>
a: 37 Great Pulteney Street, Bath, Avon, BA2 4DA
linkedin <https://www.linkedin.com/in/dr-guillaume-peersman> skype <skype:gpeersman?userinfo> PGP Key
<https://dl.dropboxusercontent.com/s/thav64fg0o1fj7v/Dr%20Guillaume%20Peersman%20%281F05BFB1%29%20%E2%80%93%20%40phronesis.net%20-%20Public.asc?dl=0>
/Phronesis Technologies Limited is a company registered in England under number 10726796./
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users