fail2ban regex works as CLI param, but not as file (Solution)
Yaroslav Polyakov
Posted on January 1, 2023
When writing new fail2ban filter, I see my regexes are working well in CLI test, but not from filter.d file.
Running from CLI (success):
root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log '<HOST>.*/cgi-bin/mailman/subscribe/.*'
Running tests
=============
Use failregex line : <HOST>.*/cgi-bin/mailman/subscribe/.*
Use log file : /var/log/apache2/access_log
Use encoding : UTF-8
Results
=======
Failregex: 7530 total
|- #) [# of hits] regular expression
| 1) [7530] <HOST>.*/cgi-bin/mailman/subscribe/.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [7796] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 7796 lines, 0 ignored, 7530 matched, 266 missed
[processed in 1.68 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 266 lines
7.5K matched. Great! now, put this regex into file:
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>.*/cgi-bin/mailman/subscribe/.*
ignoreregex =
And.... 0 matched! :-(
root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log /etc/fail2ban/filter.d/mailman-subscribe.conf
...
Lines: 7796 lines, 0 ignored, 0 matched, 7796 missed
Solution: just add empty datepattern = to rule.
And now:
root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log /etc/fail2ban/filter.d/mailman-subscribe.conf
...
Lines: 7796 lines, 0 ignored, 7530 matched, 266 missed
💖 💪 🙅 🚩
Yaroslav Polyakov
Posted on January 1, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.