How to make an regex in Fail2ban with ip:port

Question

First of all, English is not mu native language, so if I make a mistake don't shoot me. :) Here's my problem: when I use every thing works fine, as soon as there is a port number or a comma direct after the IP-address is involved, it never has a match.

Here is a snippit from the logfile:

[08/Apr/2023 17:48:27] SMTP Spam attack detected from 91.223.169.83:60616, client sent data before SMTP greeting

In the above snippit you see the ip-address followed by colon, the port number and a comma. If I use < HOST > it doesn't match because (IMHO) of the colon, port number and comma. How do I construct a regex so that it matches only the IP-address?

Sometimes it's also like 1.2.3.4, so a comma following the IP-address.

Thanks in advance for your help. Storm

Please share your current regex. – markalex Apr 08 '23 at 22:56 — markalex, Apr 08 '23 at 22:56

score 0 · Answer 1 · answered Apr 18 '23 at 22:21

0

i was able to do that by below string

Regex

\(<HOST>:\d+\)

My complete Regex

^Registration from '(?:[^']*|.*?)' failed for \(<HOST>:\d+\) - Wrong password

answered Apr 18 '23 at 22:21

Mansur Ul Hasan

262
3
9

Hi markalex, thanks for your respons. Could you please clarify how it works. As far as I know the "\" is an escape character, so you can use the "(" as a normal character. If that's true then wath does "\d+" mean. As you can see, I'm not the brightest start in regex :) . – Storm Apr 24 '23 at 13:58

How to make an regex in Fail2ban with ip:port

1 Answers1