Yaroslav Polyakov

fail2ban regex works as CLI param, but not as file (Solution)

When writing a new fail2ban filter, I saw that my regexes worked well in a CLI test, but not from a filter.d file.

Running from CLI (success):

root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log '<HOST>.*/cgi-bin/mailman/subscribe/.*'

Running tests
=============

Use   failregex line : <HOST>.*/cgi-bin/mailman/subscribe/.*
Use         log file : /var/log/apache2/access_log
Use         encoding : UTF-8


Results
=======

Failregex: 7530 total
|-  #) [# of hits] regular expression
|   1) [7530] <HOST>.*/cgi-bin/mailman/subscribe/.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [7796] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 7796 lines, 0 ignored, 7530 matched, 266 missed
[processed in 1.68 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 266 lines

7.5K matched. Great! Now, put this regex into a file:

[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>.*/cgi-bin/mailman/subscribe/.*
ignoreregex =

And... 0 matched! :-(

root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log /etc/fail2ban/filter.d/mailman-subscribe.conf 
...
Lines: 7796 lines, 0 ignored, 0 matched, 7796 missed

Solution: just add an empty datepattern = to the rule.

And now:

root@liste:/etc/fail2ban/filter.d# fail2ban-regex /var/log/apache2/access_log /etc/fail2ban/filter.d/mailman-subscribe.conf 
...
Lines: 7796 lines, 0 ignored, 7530 matched, 266 missed
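
The complete filter file with the fix applied, as an added example that is not from the original post. Placing datepattern in the [Definition] section next to failregex is an assumption, since the post does not say where the line goes.

```ini
# /etc/fail2ban/filter.d/mailman-subscribe.conf
[INCLUDES]
before = common.conf

[Definition]
failregex = <HOST>.*/cgi-bin/mailman/subscribe/.*
ignoreregex =
# Empty value, as in the post's solution (placement in this section is an assumption)
datepattern =
```

Re-run the same fail2ban-regex command against this file and compare the matched count with the CLI test before enabling the filter in a jail.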
