I am just upgrading from 0.9.7 to 0.10.4 and my apache access log
filters are no longer working. I can fix by deleting the datepattern
entry from /etc/fail2ban/filter.d/common.conf and
/etc/fail2ban/filter.d/apache-common.conf but that seems to be the wrong
way to go about it. If I delete the two entries I get on a sample log:

[root@server ~]# fail2ban-regex /root/apache.log /etc/fail2ban/filter.d/apache-404.conf -vvv
Running tests
=============
Use failregex filter file : apache-404, basedir: /etc/fail2ban
Use log file : /root/apache.log
Use encoding : UTF-8
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^(?=[0-9\.]* - .* \[.*\] ".*" 40[0458] )<HOST>
| 77.247.109.232 Tue Aug 13 02:48:22 2019
`-
Ignoreregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] audbs5afkoj4y4bnkavz7pqatgnv3miu
| 2) [0] \/clearos\/
`-
Date template hits:
|- [# of hits] date format
| [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
<snip>
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.03 sec]

The line being tested is:

77.247.109.232 - - [13/Aug/2019:02:48:22 +0100] "GET //yealink/WebItemsLevel.cfg HTTP/1.1" 404 223 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Based on this I've tried adding to my apache-404 filter:

datepattern = Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

This is not working. I also tried simplifying the regex to:

Day\/MON\/ExYear:24hour:Minute:Second \+[0-9]+

But this does not work either. I suspect I am doing something wrong. Can
anyone help, please?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users