On 5/7/2021 4:47 AM, Dan Egli wrote:
> On 5/7/2021 4:07 AM, Nick Howitt wrote:
>> So build it up a bit:
>> ".* <HOST>.*denied"
>> ".* <HOST>#.*denied"
>>
>> Also try escaping the #.
>
>
> That works. Thank you! I've plugged it in, so hopefully it will start blocking these idiots quickly.


It seems I spoke too soon. It's so strange. The pattern works when I give it directly to fail2ban-regex, but when I put it in the file and run it against the file, it fails.

Running tests
=============

Use   failregex filter file : named-refused, basedir: /etc/fail2ban
Use         log file : /root/test.log
Use         encoding : UTF-8


Results
=======

Prefregex: 0 total
|  ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?: error:)?\s*client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 500 lines, 0 ignored, 0 matched, 500 missed
[processed in 0.03 sec]


jupiter ~ # fail2ban-regex ~/test.log ".* <HOST>#.*denied"

Running tests
=============

Use   failregex line : .* <HOST>#.*denied
Use         log file : /root/test.log
Use         encoding : UTF-8


Results
=======

Failregex: 500 total
|-  #) [# of hits] regular expression
|   1) [500] .* <HOST>#.*denied
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [500] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 500 lines, 0 ignored, 500 matched, 0 missed
[processed in 0.05 sec]

Here's the file, sans comments:

[Definition]

_daemon=named


__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$

failregex =     .* <HOST>\#.*denied
                .* <HOST>#.*denied
                ^(?:view (?:internal|external): )?query(?: \(cache\))?
                ^zone transfer
                ^bad zone transfer request: '\S+/IN': non-authoritative zone

ignoreregex =


As you can see, I tried both with and without escaping the #, no effect.


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
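Added example, not from the original post or the fail2ban project: a small Python re-implementation of the two-stage matching fail2ban-regex performs when a filter file defines a prefregex. The prefregex runs against the whole line; only its <F-CONTENT> capture is handed to the failregex list, so a failregex that still contains <HOST> has nothing left to match, and a line the prefregex rejects is never tested against any failregex at all (that is what "Prefregex: 0 total" reports). The helper names (expand, match_filter, match_standalone, summarize), the IPv4-only stand-in for <HOST>, and the three BIND-style sample lines are assumptions made for this example; the lines are constructed and written as they look after fail2ban has removed the timestamp, which is assumed here to leave the rest of the line intact.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only.  fail2ban's real
# expansion (visible in the prefregex dump above) also covers IPv6 and DNS
# names; this is an assumption made to keep the example short.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def expand(regex: str) -> str:
    """Turn the fail2ban tags used in filter files into plain Python regex syntax."""
    return (regex.replace("<HOST>", HOST_RE)
                 .replace("<F-CONTENT>", "(?P<content>")
                 .replace("</F-CONTENT>", ")"))


# The same building blocks as the [Definition] section of the posted filter file.
DAEMON = "named"
PID_RE = r"(?:\[\d+\])"
DAEMON_RE = rf"\(?{DAEMON}(?:\(\S+\))?\)?:?"
DAEMON_COMBS_RE = rf"(?:{PID_RE}?:\s+{DAEMON_RE}|{DAEMON_RE}{PID_RE}?:)"
LINE_PREFIX = rf"(?:\s\S+ {DAEMON_COMBS_RE}\s+)?"

PREFREGEX = re.compile(expand(
    rf"^{LINE_PREFIX}(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: "
    r"<F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$"))

# The failregex list from the posted file, in the same order.
FAILREGEX_SRC = [
    r".* <HOST>\#.*denied",
    r".* <HOST>#.*denied",
    r"^(?:view (?:internal|external): )?query(?: \(cache\))?",
    r"^zone transfer",
    r"^bad zone transfer request: '\S+/IN': non-authoritative zone",
]
FAILREGEX = [re.compile(expand(src)) for src in FAILREGEX_SRC]

# Constructed sample lines (not from the original post), written as they look
# after fail2ban has stripped the timestamp; assumed here to leave the rest of
# the line intact, leading space included.  The third line carries text after
# "denied", a layout the prefregex's trailing "denied\s*$" rejects.
LINES = [
    " ns1 named[1234]: client @0x7f0c1c0f2a10 192.0.2.10#41234 (example.com): "
    "query (cache) 'example.com/A/IN' denied",
    " ns1 named[1234]: client 198.51.100.7#53 (example.org): "
    "zone transfer 'example.org/AXFR/IN' denied",
    " ns1 named[1234]: client 203.0.113.5#5555 (example.net): "
    "query (cache) 'example.net/A/IN' denied (allow-query-cache did not match)",
]


def match_filter(line):
    """Two-stage matching as fail2ban applies it when a prefregex is defined.

    Returns (stage, host, failregex_index).  The prefregex sees the whole
    line; only its <F-CONTENT> capture is handed to the failregex list, so a
    failregex containing <HOST> has nothing left to match.
    """
    m = PREFREGEX.search(line)
    if not m:
        return ("prefregex-miss", None, None)     # failregex never consulted
    host, content = m.group("host"), m.group("content")
    for idx, fr in enumerate(FAILREGEX):
        if fr.search(content):
            return ("matched", host, idx)
    return ("failregex-miss", host, None)


def match_standalone(line, regex):
    """What `fail2ban-regex LOG 'REGEX'` does: the regex sees the whole line."""
    m = re.compile(expand(regex)).search(line)
    return m.group("host") if m else None


def summarize(lines):
    """Counts in the shape fail2ban-regex prints: prefregex hits, hits per
    failregex entry, and lines missed."""
    hits = [0] * len(FAILREGEX)
    prefregex_hits = missed = 0
    for line in lines:
        stage, _host, idx = match_filter(line)
        if stage != "prefregex-miss":
            prefregex_hits += 1
        if idx is None:
            missed += 1
        else:
            hits[idx] += 1
    return {"prefregex": prefregex_hits, "failregex": hits, "missed": missed}


if __name__ == "__main__":
    print("filter file :", summarize(LINES))
    print("standalone  :", [match_standalone(l, ".* <HOST>#.*denied") for l in LINES])
```

Run stand-alone, the standalone regex reports a host for all three constructed lines, while through the filter the two `.* <HOST>#.*denied` entries get zero hits even on the lines the prefregex accepts, and the third line is counted as missed without any failregex being tried. A "Prefregex: 0 total" in a real fail2ban-regex run therefore means the first stage rejected every line, so the thing to compare against the log lines is the prefregex; a failregex written to see the whole line (with <HOST> in it) only behaves that way when no prefregex is defined.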
