On 5/7/2021 1:33 AM, Nick Howitt wrote:
> On 07/05/2021 07:57, Iosif Fettich wrote:
>> Hi there,
>> the number after the # can change, obviously. I tried this, but fail2ban-regex said it missed:
>> "security: info: client @0x.* <HOST>#.* (.*): query (cache) .* denied"
>> So, how would I correct this regex so that it sees this 177.237.40.218 idiot? In under 5 minutes he's tried over 16k queries for the same damn thing.
>
> Try
> "security: info: client @0x.* <HOST>#.* \(.*\): query \(cache\) .* denied"
>
> How important are all the words in the message? Can it be simplified to
> "security: info: client @0x.* <HOST>#.*denied"
Strange. It works fine on the command line, but as soon as I put it in the filter file and test with the filter file, it fails.
# Fail2Ban filter file for named (bind9).
#
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };

[Definition]

# Daemon name
_daemon=named

# Shortcuts for easier comprehension of the failregex

__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

#       hostname       daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$

failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
            ^zone transfer
            ^bad zone transfer request: '\S+/IN': non-authoritative zone
            security: info: client @0x.* <HOST>#.*denied

ignoreregex =

# DEV Notes:
# Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko

# fail2ban-regex /var/log/named/named.log /etc/fail2ban/filter.d/named-refused.conf
Running tests
=============

Use   failregex filter file : named-refused, basedir: /etc/fail2ban
Use         log file : /var/log/named/named.log
Use         encoding : UTF-8


Results
=======

Prefregex: 0 total
|  ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?: error:)?\s*client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [21195] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 21195 lines, 0 ignored, 0 matched, 21195 missed
[processed in 1.28 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 21195 lines
# fail2ban-regex /var/log/named/named.log "security: info: client @0x.* <HOST>#.*denied"
Running tests
=============

Use   failregex line : security: info: client @0x.* <HOST>#.*denied
Use         log file : /var/log/named/named.log
Use         encoding : UTF-8


Results
=======

Failregex: 21159 total
|-  #) [# of hits] regular expression
|   1) [21159] security: info: client @0x.* <HOST>#.*denied
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [21195] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 21195 lines, 0 ignored, 21159 matched, 36 missed
[processed in 1.68 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 36 lines
Did I miss something somewhere?

--
Dan Egli
From my Test Server
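The two runs above differ because a filter file that defines a prefregex is evaluated in two stages: fail2ban applies the prefregex to the whole date-stripped log line, and only the text captured by <F-CONTENT> is handed to the failregex list. The shipped prefregex anchors on "client", so a line that begins with the "security: info:" category/severity prefix never gets past stage one (hence "Prefregex: 0 total"), and a failregex that itself starts with "security: info: client" can never match the content group even when the prefregex does succeed. The script below is an added illustration, not code from the thread or from fail2ban; it mimics that two-stage matching with a constructed log line, a simplified IPv4-only stand-in for <HOST>, and a hypothetical ADJUSTED_PREFREGEX that is an assumption for illustration rather than a fail2ban change.

```python
import re

# Constructed sample line, modelled on the regexes quoted in the thread: BIND's
# print-category/print-severity put "security: info:" in front of "client".
# Address is from the 192.0.2.0/24 documentation range; name and port are made up.
SAMPLE_LINE = ("07-May-2021 07:50:01.123 security: info: client @0x7f3c5c0a1b20 "
               "192.0.2.10#53211 (example.invalid): query (cache) "
               "'example.invalid/ANY/IN' denied")

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, for this illustration).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The prefregex from the filter file in the thread, with the optional
# __line_prefix left out (it only matters for syslog-style lines) and the
# <F-CONTENT>...</F-CONTENT> tag written as the named group fail2ban builds.
SHIPPED_PREFREGEX = (r"^(?: error:)?\s*client(?: @\S*)? " + HOST +
                     r"#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$")

# The shipped failregex list; each entry is tried against the content group only.
SHIPPED_FAILREGEX = [
    r"^(?:view (?:internal|external): )?query(?: \(cache\))?",
    r"^zone transfer",
    r"^bad zone transfer request: '\S+/IN': non-authoritative zone",
]

# Nick's expression, which matched when given to fail2ban-regex on its own and
# which Dan appended to the failregex list of the filter file.
STANDALONE_FAILREGEX = r"security: info: client @0x.* " + HOST + r"#.*denied"

# Hypothetical adjustment (an assumption for illustration, not a fail2ban change):
# let the prefregex skip a leading "category: severity: " pair.
ADJUSTED_PREFREGEX = r"^(?:\w+: \w+: )?" + SHIPPED_PREFREGEX[1:]

# fail2ban removes the timestamp before any regex runs; this handles the
# BIND "DD-Mon-YYYY HH:MM:SS.mmm" form used in the constructed sample.
DATE_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)? ")


def strip_date(line):
    return DATE_RE.sub("", line, count=1)


def two_stage_match(line, prefregex, failregexes):
    """Filter-file behaviour: prefregex on the whole (date-stripped) line,
    then each failregex on the captured content only. Returns the host or None."""
    body = strip_date(line)
    pre = re.search(prefregex, body)
    if pre is None:
        return None              # prefregex miss: the line is counted as missed
    content = pre.group("content")
    for fr in failregexes:
        if re.search(fr, content):
            return pre.group("host")
    return None


def single_stage_match(line, failregex):
    """Command-line behaviour: one failregex against the whole date-stripped line."""
    m = re.search(failregex, strip_date(line))
    return m.group("host") if m else None


if __name__ == "__main__":
    print("shipped filter + appended line :",
          two_stage_match(SAMPLE_LINE, SHIPPED_PREFREGEX,
                          SHIPPED_FAILREGEX + [STANDALONE_FAILREGEX]))  # None
    print("regex alone on command line    :",
          single_stage_match(SAMPLE_LINE, STANDALONE_FAILREGEX))        # 192.0.2.10
    print("adjusted prefregex, shipped fr :",
          two_stage_match(SAMPLE_LINE, ADJUSTED_PREFREGEX, SHIPPED_FAILREGEX))  # 192.0.2.10
    print("adjusted prefregex, appended fr:",
          two_stage_match(SAMPLE_LINE, ADJUSTED_PREFREGEX, [STANDALONE_FAILREGEX]))  # None
```

The last call shows the point about the appended line: once a prefregex is in play, the failregex only ever sees "query (cache) '...'" and so cannot match a pattern beginning with "security: info: client". The adjustment therefore belongs in the prefregex, and the shipped "query(?: \(cache\))?" failregex then does the rest; whether fail2ban's own named-refused.conf handles the category/severity prefix in a given release is not something this thread establishes.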
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users