Is there a line in sshd.conf like "before = common.conf"?
That's where the variable __prefix_line is defined:
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
The variable won't work in fail2ban-regex anyway - if it's not defined
(which it won't be in a command-line-based test) it won't work; if you want
to use variables like that, you're best off using a filter conf file for
the fail2ban-regex filter.
You don't necessarily need that variable - if your jail reliably,
consistently bans the right attackers, without leaving any attackers
unbanned and without banning any innocent ones, then it's fine to just use
the one that works for you.
Tony Collins
RMT Tier 1 Health & Safety Representative
Edgware Road Traincrew Depot
07949 228324
On 30 May 2018 at 20:56, Teresa e Junior <teresaejun...@gmail.com> wrote:
> I have noticed that multiple password attempts on SSH don't get blocked at
> all. While testing the regexes, I have found that my logs choke on
> "^%(__prefix_line)s"
>
> The following doesn't work:
>
> $ fail2ban-regex \
> "May 30 21:03:25 vps docker/ftps[1346]: Failed password for teresaejunior from 1.2.3.4 port 50714 ssh2" \
> '^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$'
>
> The following works (removed ^%(__prefix_line)s)
>
> $ fail2ban-regex \
> "May 30 21:03:25 vps docker/ftps[1346]: Failed password for teresaejunior from 1.2.3.4 port 50714 ssh2" \
> 'Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$'
>
> The system is Ubuntu 16.04.4 (actually, my log doesn't match against the
> new regex rules of /etc/fail2ban/filter.d/sshd.conf on Ubuntu 18.04
> either).
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
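The behaviour discussed in this thread, as an added example that is not part of either message and is not fail2ban's own code: Python's `re` stands in for the matcher, and `HOST_GROUP` and `STAND_IN_VARS` are simplified assumptions, not the definitions shipped in common.conf. It shows what an unexpanded `%(name)s` token means to the regex engine, and why only the anchored pattern stops matching.

```python
import re

# Log line and failregex from the post, rejoined onto single lines.
LOG = ("May 30 21:03:25 vps docker/ftps[1346]: Failed password for "
       "teresaejunior from 1.2.3.4 port 50714 ssh2")
UNANCHORED = (r'Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?'
              r'(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s'
              r'(, client user ".*", client host ".*")?))?\s*$')
ANCHORED = r'^%(__prefix_line)s' + UNANCHORED

# ASSUMPTION: simplified stand-ins, not the definitions fail2ban ships.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
STAND_IN_VARS = {
    # timestamp, hostname, then "daemon[pid]: "
    '__prefix_line': r'\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]:\s+',
    '__md5hex': r'(?:[\da-f]{2}:){15}[\da-f]{2}',
}

def matched_host(pattern, line, variables=None):
    """Return the captured host, or None if the line does not match.

    With variables=None the %(name)s tokens are left as-is and reach the
    regex engine as plain regex text; otherwise they are expanded first.
    """
    if variables is not None:
        pattern = pattern % variables
    m = re.search(pattern.replace('<HOST>', HOST_GROUP), line)
    return m.group('host') if m else None

if __name__ == '__main__':
    # Unexpanded "%(__prefix_line)s" means: literal "%", the text
    # "__prefix_line" in a group, then "s". No syslog line starts that way.
    print(matched_host(ANCHORED, LOG))
    # Unexpanded "%(__md5hex)s" sits inside an optional group, so the
    # unanchored pattern still matches.
    print(matched_host(UNANCHORED, LOG))
    # Once the variables are defined, the anchored form matches too.
    print(matched_host(ANCHORED, LOG, STAND_IN_VARS))
```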