
With fail2ban, I want to ban IPs based on the content of the apache_access.log file.

This is an example of a line I want to match with regex rules:

197.221.254.56 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"

So, this is my custom fail2ban filter file:

[Definition]

failregex = ^<ADDR> - - \[\S+ \S+\] "GET \/ HTTP\/1.0" 400 \S "-" "-"$
ignoreregex =

The regex works perfectly on websites like 'https://regex101.com/'

But when I use the fail2ban-regex tool like this:

sudo fail2ban-regex /var/log/site1_access.log /etc/fail2ban/filter.d/les400enhttp1-0.conf

it matches nothing.

I tried with this simpler regex rule: ^<ADDR> - - \[\S+ \S+ and it works!

Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [10] ^<ADDR> - - \[\S+ \S+
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 10 lines, 0 ignored, 10 matched, 0 missed
[processed in 0.03 sec]

But when I try with the regex ^<ADDR> - - \[\S+ \S+\] (closing square bracket ] added on the right), the 'fail2ban-regex' command returns:

Lines: 10 lines, 0 ignored, 0 matched, 10 missed
[processed in 0.03 sec]

|- Missed line(s):
|  36.170.59.167 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  183.228.2.12 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  183.228.2.12 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  126.131.138.146 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  197.221.254.56 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  110.11.157.122 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  220.135.236.27 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  61.231.224.176 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  106.165.107.215 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
|  61.231.224.176 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
`-

10 missed! None of my example lines match the regex when I add the closing square bracket ( ] ).

I don't understand where my mistake is... thanks for any help :)

spacecodeur
  • I'd rather say the problem is that your `failregex=` line is commented out. – Gerald Schneider Jun 14 '22 at 05:02
  • Hi :) and the failregex line is not commented out. As I said, I tried with the pattern '^<ADDR> - - \[\S+ \S+' (without the quotes) and it matches. But when I try with the pattern '^<ADDR> - - \[\S+ \S+\]' (without quotes) it does not match, and I don't know why ... – spacecodeur Jun 14 '22 at 05:23

1 Answer


It would be better to catch what you want the classic way, e.g.:

\[.*\]

The date pattern part (which creates the problem that you noticed) is apparently handled in a special way by fail2ban.

If you try the following pattern:

\[\]

You will see that it also matches, ironically, meaning that the date pattern inside the square brackets is removed. So don't take that into account.

You could use something like this:

^<ADDR> -.*\"(GET|POST|HEAD).*HTTP.*\"$

PS. Your failregex is indeed commented out inside your filter file, make sure to uncomment it when you make your changes.

AndroidX
  • Hmm, it's a mistake in my post, the failregex commented out! And for '.*', it seems to me that's not good regex practice (for performance reasons), which is why I preferred my approach. But I'll try your solution soon! Thank you :) – spacecodeur Jun 14 '22 at 11:05
  • 1
    Based on the above you can rebuild your regex whichever way you want. For example, based on your failregex in your post: `fail2ban-regex log "^<ADDR> - - \[\] \"GET \/ HTTP\/1.0\" 400 \S \"-\" \"-\"$"` – AndroidX Jun 14 '22 at 11:15
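The behaviour the answer describes, and the regex101-versus-fail2ban-regex discrepancy in the question, emulated in Python as an added example. This is not fail2ban's own code and not part of the original post: it assumes an IPv4-only stand-in for the `<ADDR>` tag (the real expansion also covers IPv6) and a narrowed stand-in for the Apache date template that fail2ban-regex reported, and runs over a few constructed log lines, one of which is an ordinary 200 response. It matches each failregex against the raw line (what regex101 sees) and against the line with the timestamp cut out (what the failregex sees inside fail2ban), and also shows that the answer's `.*` catch-all matches every request line regardless of status code.

```python
import re

# Constructed sample lines in the same shape as the post's access log; the third
# line is a normal 200 response, added to show what an over-broad pattern catches.
SAMPLE_LOG = """\
197.221.254.56 - - [13/Jun/2022:22:59:59 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
110.11.157.122 - - [13/Jun/2022:23:00:00 +0200] "GET / HTTP/1.0" 400 0 "-" "-"
192.0.2.10 - - [13/Jun/2022:23:00:01 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Assumption: a narrowed stand-in for the Apache date template fail2ban-regex reported
# (Day/MON/Year:HH:MM:SS, optional zone offset). The square brackets are deliberately
# not part of it, which is why "[]" is left behind once the timestamp is cut out.
DATE_RE = re.compile(r"\d{1,2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}(?: [+-]\d{4})?")

# Assumption: an IPv4-only expansion of <ADDR>. fail2ban's real expansion also covers
# IPv6 and IPv4-mapped IPv6 addresses.
ADDR_RE = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

# The filter from the question, the answer's catch-all, and a tightened version that
# keeps the question's intent (only "GET / HTTP/1.0" requests answered with 400) while
# accounting for the removed timestamp and allowing a multi-digit response size.
FAILREGEX_POSTED = r'^<ADDR> - - \[\S+ \S+\] "GET \/ HTTP\/1.0" 400 \S "-" "-"$'
FAILREGEX_ANSWER = r'^<ADDR> -.*\"(GET|POST|HEAD).*HTTP.*\"$'
FAILREGEX_FIXED = r'^<ADDR> - - \[\] "GET / HTTP/1\.0" 400 \d+ "-" "-"$'


def strip_date(line):
    """Emulate fail2ban: remove the substring the date template matched before the
    failregex is applied, keeping everything on either side of it."""
    m = DATE_RE.search(line)
    if m is None:
        return line
    return line[:m.start()] + line[m.end():]


def compile_failregex(failregex):
    """Expand the <ADDR> tag into a named group and compile the pattern."""
    return re.compile(failregex.replace("<ADDR>", ADDR_RE))


def run_filter(failregex, log=SAMPLE_LOG, strip=True):
    """Return the addresses a failregex reports, in line order.

    strip=True matches the line with the timestamp removed (fail2ban's view);
    strip=False matches the raw line (what a site like regex101 tests against)."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log.splitlines():
        candidate = strip_date(line) if strip else line
        m = rx.search(candidate)
        if m:
            hits.append(m.group("addr"))
    return hits


if __name__ == "__main__":
    print("line as the failregex sees it:", repr(strip_date(SAMPLE_LOG.splitlines()[0])))
    print("posted regex, raw line (regex101):   ", run_filter(FAILREGEX_POSTED, strip=False))
    print("posted regex, date stripped (fail2ban):", run_filter(FAILREGEX_POSTED))
    print("answer's catch-all:                    ", run_filter(FAILREGEX_ANSWER))
    print("tightened pattern:                     ", run_filter(FAILREGEX_FIXED))
```

The posted pattern matches both 400 lines on the raw text and none once the timestamp is gone, which is exactly the "works on regex101, 10 missed in fail2ban-regex" result in the question. The answer's catch-all also reports the 192.0.2.10 line that was answered with 200, so deployed as-is it would ban any client that sends a normal request; the tightened pattern keeps the original selectivity. Whichever pattern is chosen, confirm it against the real log with fail2ban-regex, for example with --print-all-matched and --print-all-missed, before enabling the jail.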