### Environment - fail2ban/stable,now 1.1.0-8 all [installed] - Linux 6.12.63+deb13-amd64 Debian 6.12.63-1 (2025-12-30) - Package Manager installation method (apt-get) - No applied Patches - No customisation to stock configuration files
### The Issue #### Summary Filter parsing apache2/access.log, rejecting visitors by <HOST> domain name fails because <dns> is not populated, yet the domain name is present in the apache log file. #### Steps to reproduce 1. Filter: ``` [Definition] # Fail2Ban filter to scan Apache access.log for access by unwelcome Domains # Version 0.1 (unfinished) # # Option: failregex # Values: TEXT baddomains = amazonaws|conectabalear|contaboserver|googleusercontent prefregex = ^<F-CONTENT><HOST></F-CONTENT> failregex = %(baddomains)s ignoreregex = # DEV Notes: Bibliography:- # https://forum.hestiacp.com/t/updated-fail2ban-new-rules/20953 # https://me.jaytaala.com/implement-fail2ban-with-custom-apache-filter-ipset-and-a-sample-based-verification-approach/ # https://www.statusline.org/fail2ban-demystified-custom-fail2ban-actions # https://stackoverflow.com/questions/28463719/how-to-commit-a-regex-variable-to-the-action-script-in-fail2ban ``` 2. Test Data (access.log intentionally truncated on RHS) ``` ec2-44-211-153-197.compute-1.amazonaws.com - - [11/Feb/2026:18:45:54 +0000] vmi2951277.contaboserver.net - - [11/Feb/2026:23:31:26 +0000] 109.215.211.35.bc.googleusercontent.com - - [11/Feb/2026:05:10:21 +0000] 185.11.237.167.user.conectabalear.com - - [12/Feb/2026:07:28:07 +0000] ``` #### Expected behaviour (fail2ban-regex -lHEAVYDEBUG) ``` Pre-filter matched {'content': 'ec2-44-211-153-197.compute-1.amazonaws.com', 'ip4': None, 'ip6': None, 'dns': 'ec2-44-211-153-197.compute-1.amazonaws.com'} Pre-filter matched {'content': 'vmi2951277.contaboserver.net', 'ip4': None, 'ip6': None, 'dns': 'vmi2951277.contaboserver.net'} Pre-filter matched {'content': '109.215.211.35', 'ip4': '109.215.211.35', 'ip6': None, 'dns': '109.215.211.35.bc.googleusercontent.com}' Pre-filter matched {'content': '185.11.237.167', 'ip4': '185.11.237.167', 'ip6': None, 'dns': '185.11.237.167.user.conectabalear.com'} ``` #### Observed behaviour ``` Pre-filter matched {'content': 'ec2-44-211-153-197.compute-1.amazonaws.com', 'ip4': None, 'ip6': None, 'dns': 'ec2-44-211-153-197.compute-1.amazonaws.com'} Pre-filter matched {'content': 'vmi2951277.contaboserver.net', 'ip4': None, 'ip6': None, 'dns': 'vmi2951277.contaboserver.net'} Pre-filter matched {'content': '109.215.211.35', 'ip4': '109.215.211.35', 'ip6': None, 'dns': None} Pre-filter matched {'content': '185.11.237.167', 'ip4': '185.11.237.167', 'ip6': None, 'dns': None} ``` #### Any additional information 1. All four records in the access.log begin in column 1 with FQDN 2. Date format, etc, consistent. (RHS truncated for readability) 3. Successful interpolation of <HOST> into <dns> on first two records 4. Unsuccessful population of <dns> on second two records 5. Failregex fails as <dns> not populated yet value present in <HOST> 6. Issue No and Status: None; awaiting community feedback/input first. #### Configuration file datestamps (untouched). NB: No apache-common.local ``` $ ls -l /etc/fail2ban/filter.d ... -rw-r--r-- 1 root root 1630 Apr 25 2024 apache-common.conf ... -rw-r--r-- 1 root root 2776 Apr 25 2024 common.conf ... ``` _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
