Giter Club home page Giter Club logo

Comments (3)

sebres avatar sebres commented on May 29, 2024

Our issue template says clearly and explicitly what is needed for a filter request.
At least an excerpt with relevant log-lines is expected.
Thus closed, Please extend your request with needed info and I'll reopen it.

from fail2ban.

AdmiralNoisyBottom avatar AdmiralNoisyBottom commented on May 29, 2024

My apologies for not following the rules, at the time of writing my filter request I felt (incorrectly) that because every entry in the log file was to be banned; then the version, example log etc. was unnecessary. I will ensure I provide this information in the future.

from fail2ban.

sebres avatar sebres commented on May 29, 2024

Everything is important... Especially fail2ban version and log excerpt.
For instance if you don't have a timestamp in your monitored log, you'd need to set datepattern = {NONE} and it'd work only for fail2ban >= v.0.11.2 (or v.0.10.6), where it was initially implemented. Without that the filter would not find any message, even with correct failregex.

Here is an example for this log:

192.0.2.1 # evil
192.0.2.2 # also evil

[jail]
filter =
datepattern = {NONE}
failregex = ^<ADDR>

PoC:

$ fail2ban-regex '192.0.2.1 # evil' '^\s*<ADDR>'
... Lines: 1 lines, 0 ignored, 0 matched, 1 missed
$ fail2ban-regex -d '{NONE}' '192.0.2.1 # evil' '^\s*<ADDR>'
... Lines: 1 lines, 0 ignored, 1 matched, 0 missed

For log with timestamp the datepattern (or default date-templates) need to match it firstly and failregex must match a string without part cut out by datepattern. For example:

2024-03-20 10:00:00 192.0.2.1 # evil
2024-03-20 10:01:00 192.0.2.2 # also evil

[jail]
filter =
datepattern = %%Y-%%m-%%d\s{0,2}%%H:%%M:%%S
failregex = ^\s*<ADDR>

whereby the datepattern is optional here (just for illustration, as how-to), because this timestamp will be detected by fail2ban by default.
PoC:

$ fail2ban-regex -d '%Y-%m-%d\s{0,2}%H:%M:%S' '2024-03-20 10:00:00 192.0.2.1 # evil' '^\s*<ADDR>'
... Lines: 1 lines, 0 ignored, 1 matched, 0 missed
$ fail2ban-regex '2024-03-20 10:00:00 192.0.2.1 # evil' '^\s*<ADDR>'
... Lines: 1 lines, 0 ignored, 1 matched, 0 missed

By the way, <HOST> will also match the IP-address, but also a hostname (or anything that looks like a hostname), so if only IP-address expected, <ADDR> will be better choice.
If you rather want a subnet, see #2560

from fail2ban.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.