Cool, we are on the right track :) That means that it is only required to adjust regex itself so it will catch what’s required.
I’ll try to look at this again a bit later, meanwhile try to adjust the regex here: https://regex101.com/

Copy-paste several log lines (from your first mail, for instance) and then play with regex in the top line.

Denis.

> On 12 Apr 2019, at 14:03, James Brown <[email protected]> wrote:
>
> That’s better - no errors.
>
> But doesn’t find anything:
>
> $ fail2ban-regex /private/var/log/stunnel.log /usr/local/etc/fail2ban/filter.d/stunnel.conf
>
> Running tests
> =============
>
> Use failregex filter file : stunnel, basedir: /usr/local/etc/fail2ban
> Use maxlines : 2
> Use datepattern : Default Detectors
> Use log file : /private/var/log/stunnel.log
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [210156] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
> ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
> `-
>
> Lines: 210156 lines, 0 ignored, 0 matched, 210156 missed
> [processed in 8.19 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all 210156 lines
>
>
> James.
>
>> On 12 Apr 2019, at 9:54 pm, Denis Rasulev <[email protected]> wrote:
>>
>> That's what I thought. That is why parser does not recognize
>> '%(__on_port_opt)'
>> Add this section to the top of stunnel.conf file and test it again.
>>> [INCLUDES]
>>> before = common.conf
>>
>> Denis
>>
>> On Fri, Apr 12, 2019 at 1:50 PM James Brown <[email protected]> wrote:
>> Stunnel.conf file:
>>
>>
>> No mention of ‘before = common.conf’
>>
>> James.
>>
>>
>>> On 12 Apr 2019, at 9:37 pm, Denis Rasulev <[email protected]> wrote:
>>>
>>> James,
>>>
>>> Is it possible to share your stunnel.conf file?
>>>
>>> I just want to make sure that there you have this:
>>>
>>> [INCLUDES]
>>> before = common.conf
>>>
>>> and also I wonder why '\' symbol multiplies itself in the regex O.O
>>>
>>> Denis
>>>
>>>> On 12 Apr 2019, at 12:32, James Brown <[email protected]> wrote:
>>>>
>>>> Thanks again Denis.
>>>>
>>>> Running the regex test I get:
>>>>
>>>> $ fail2ban-regex /private/var/log/stunnel.log /usr/local/etc/fail2ban/filter.d/stunnel.conf
>>>>
>>>> Running tests
>>>> =============
>>>>
>>>> Use failregex filter file : stunnel, basedir: /usr/local/etc/fail2ban
>>>> Traceback (most recent call last):
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/bin/fail2ban-regex", line 34, in <module>
>>>>     exec_command_line()
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 698, in exec_command_line
>>>>     if not fail2banRegex.start(args):
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 599, in start
>>>>     if not self.readRegex(cmd_regex, 'fail'): # pragma: no cover
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 345, in readRegex
>>>>     reader.getOptions(None)
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 319, in getOptions
>>>>     self, "Definition", self._configOpts, pOpts)
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 147, in getOptions
>>>>     return self._cfg.getOptions(section, *args, **kwargs)
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 245, in getOptions
>>>>     v = self.get(sec, optname, vars=pOptions)
>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 623, in get
>>>>     return self._interpolate(section, option, value, d)
>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 691, in _interpolate
>>>>     self._interpolate_some(option, L, rawval, section, vars, 1)
>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configparserinc.py", line 73, in _interpolate_some
>>>>     return self._cp_interpolate_some(option, accum, rest, section, map, *args, **kwargs)
>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 716, in _interpolate_some
>>>>     "bad interpolation variable reference %r" % rest)
>>>> ConfigParser.InterpolationSyntaxError: bad interpolation variable reference '%(__on_port_opt)\\\\n.*s_connect\\: connect .* Connection refused \\(61\\)”'
>>>>
>>>> Is it the bit after ‘<HOST>’ that it does not like?
>>>>
>>>> James.
>>>>
>>>>> On 12 Apr 2019, at 5:59 pm, Denis Rasulev <[email protected]> wrote:
>>>>>
>>>>> Well, looks like we only need to adjust our regex… Let’s try to simplify it:
>>>>>
>>>>> failregex = "^Service \[ssmtp\] accepted connection from .*<HOST>%(__on_port_opt)\\n.*s_connect\: connect .* Connection refused \(61\)"
>>>>>
>>>>> You may also test your filters without restarting fail2ban every time.
>>>>> For this, run this command:
>>>>>
>>>>> fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/stunnel.local --print-all-missed > ~/missed.txt
>>>>>
>>>>> And then check the output in your home directory, in `missed.txt` file.
>>>>>
>>>>> Please, pay attention that it is better to keep your own rules in .local
>>>>> file rather than adjust standard .conf files.
>>>>>
>>>>> Denis
>>>>>
>>>>>> On 12 Apr 2019, at 08:51, James Brown <[email protected]> wrote:
>>>>>>
>>>>>>> On 12 Apr 2019, at 4:33 pm, Denis Rasulev <[email protected]> wrote:
>>>>>>>
>>>>>>> [Init]
>>>>>>> maxlines = 2
>>>>>>>
>>>>>>> [Definition]
>>>>>>> failregex = "^Service [ssmtp] accepted connection from ::ffff:<HOST>%(__on_port_opt)\n.*s_connect: connect ::1:25: Connection refused (61)"
>>>>>>>
>>>>>>
>>>>>> Thanks Denis.
>>>>>>
>>>>>> When I use that failregex fail2ban won’t start:
>>>>>>
>>>>>> fail2ban [39139]: ERROR Failed during configuration: bad interpolation variable reference '%(__on_port_opt)\\n.*s_connect: connect ::1:25: Connection refused (61)'
>>>>>>
>>>>>> James.
>>>>>
>>>>
>>>
>>
>
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
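
The traceback quoted in the thread ends inside Python's standard `ConfigParser` module. The following is an added example, not part of the thread and not fail2ban code: it uses Python 3's `configparser` to show how that parser treats a `%(name)` reference with no trailing `s`, a well-formed `%(name)s` reference to an undefined variable, and a well-formed reference to a defined one. The `__on_port_opt` value and the `[DEFAULT]` section standing in for an included file are assumptions, and fail2ban's own include handling is not reproduced.

```python
import configparser

# Constructed filter pieces modelled on the failregex quoted in the thread.
HEAD = r"failregex = ^Service \[ssmtp\] accepted connection from .*<HOST>"
TAIL = r"\n.*s_connect: connect .* Connection refused \(61\)"

# Assumption: a placeholder value for __on_port_opt, placed in [DEFAULT] to
# stand in for a definition pulled in from another file. It is not
# fail2ban's own definition.
DEFAULTS = "[DEFAULT]\n__on_port_opt = (?: port \\d+)?\n"


def build(reference, defaults=""):
    """Assemble a one-option filter file around the given variable reference."""
    return f"{defaults}[Definition]\n{HEAD}{reference}{TAIL}\n"


def expand(filter_text):
    """Return ('ok', value) or (exception class name, message) for failregex."""
    parser = configparser.ConfigParser()
    parser.read_string(filter_text)
    try:
        return "ok", parser.get("Definition", "failregex")
    except configparser.InterpolationError as exc:
        return type(exc).__name__, str(exc)


def cases():
    """Run the three variants and return their outcomes by label."""
    return {
        # Reference written as in the thread: no trailing 's' after ')'.
        "no_s": expand(build("%(__on_port_opt)")),
        # Well-formed reference, but nothing defines the variable.
        "undefined": expand(build("%(__on_port_opt)s")),
        # Well-formed reference with the variable defined.
        "defined": expand(build("%(__on_port_opt)s", DEFAULTS)),
    }


if __name__ == "__main__":
    for label, (status, detail) in cases().items():
        print(f"{label:10} {status}: {detail}")
```

In the first case the parser rejects the reference on syntax alone, before it looks the name up, which is a different failure from the undefined-variable case.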
