fail2ban regex matching on testing sites but not fail2ban itself
-
I've a weird situation. I created a regex expression for one of the services. I've tested this expression at regexr.com and regex101.com and there are no problems at all. When I used this regex expression in fail2ban, it missed all the lines. Here is the log output:
[05-Oct-2021 17:09:39 +0300]: IMAP Error: Login failed for xyz@xyz.com against localhost from 95.65.143.88. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 204 (POST /webmail/?_task=login&_action=login)
Here is the regex:
(IMAP Error: Login failed for)\s([a-zA-Z0-9_.-]+\@[a-zA-Z0-9_.-]+)\s(against localhost from)\s
Is fail2ban using a different regex structure?
-
fail2ban checks application logs and prevents intruders.
-
fail2ban regexes are a bit "different", particularly with the new(ish) prefixes and interpolations. Your best bet is to use "fail2ban-regex". Somewhere around the fail2ban site there is a tutorial about incremental development of regexes. It's a bit outdated, but the process works.
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
Yep, I'm using fail2ban-regex, but before that I'm preparing my expressions at regexr.com.
-
My experience with fail2ban regexes is that they are sufficiently different from the "standard" ones that the regular development/test tools don't help. I think you're stuck with fail2ban-regex, a dummy log file with examples of good and bad entries, and a whole lot of panel-beating, depending on how complex your requirements are. It's worth looking at the various filter files provided with fail2ban. I found some helpful constructs in ones I don't actually use.
-
f2b should have provided standard regex expressions, so people wouldn't need to learn something else.
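Editor's added example (not part of any post in this thread and not fail2ban's own code): fail2ban compiles failregex with Python's re module, but a pattern also needs a host capture such as the `<HOST>` tag, and the detected timestamp is cut out of the line before failregex is applied, so a pattern that looks fine in an online tester can still yield nothing to ban. The sketch below models those two steps; HOST_GROUP and TIMESTAMP are simplified stand-ins, WITH_HOST and DATE_ANCHORED are hypothetical patterns, and the second and third log lines are constructed.

```python
import re

# Simplified IPv4-only stand-in for what fail2ban substitutes for <HOST>
# (assumption: the real expansion also covers IPv6 and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for date detection on this log format (assumption).
TIMESTAMP = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")

# The pattern exactly as posted in the thread: it contains no host capture.
ORIGINAL = (r"(IMAP Error: Login failed for)\s([a-zA-Z0-9_.-]+\@[a-zA-Z0-9_.-]+)"
            r"\s(against localhost from)\s")
# Hypothetical variant: the same pattern followed by the <HOST> tag.
WITH_HOST = ORIGINAL + "<HOST>"
# Hypothetical pattern anchored on the timestamp, as one might write in a tester.
DATE_ANCHORED = r"^\[\d{2}-[A-Za-z]{3}-\d{4} .*against localhost from\s<HOST>"

LOG_LINES = [
    # First line is the one quoted in the thread; the other two are constructed.
    "[05-Oct-2021 17:09:39 +0300]: IMAP Error: Login failed for xyz@xyz.com "
    "against localhost from 95.65.143.88. AUTHENTICATE PLAIN: Authentication "
    "failed. in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on "
    "line 204 (POST /webmail/?_task=login&_action=login)",
    "[05-Oct-2021 17:10:02 +0300]: IMAP Error: Login failed for a.b@example.org "
    "against localhost from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.",
    "[05-Oct-2021 17:11:15 +0300]: PHP Warning: unrelated message",
]

def check_failregex(failregex, line):
    """Return (text_matched, host) for one log line under the simplified model."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    stripped = TIMESTAMP.sub("", line, count=1)  # timestamp removed before matching
    m = pattern.search(stripped)
    if m is None:
        return False, None
    # Without a host group there is a text match but no address to act on.
    return True, m.groupdict().get("host")

def hosts_found(failregex, lines=LOG_LINES):
    """Collect the hosts a pattern would yield over the sample lines."""
    return [h for ok, h in (check_failregex(failregex, l) for l in lines) if h]

if __name__ == "__main__":
    for name in ("ORIGINAL", "WITH_HOST", "DATE_ANCHORED"):
        print(name, hosts_found(globals()[name]))
```

The real check is still fail2ban-regex run against a sample log file, as recommended in the replies above.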