Unable to compile regular expression in Fail2Ban

Question

I'm trying to get this regex working in Fail2Ban:

SRC=(?<ADDR>.*) DST.*(?=DPT=5003)

In a regex tester it's working very fine. When testing in Fail2Ban, I get this error:

ERROR: Unable to compile regular expression 'SRC=(?\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?.*) DST.*(?=DPT=5003)'

This is a line from the log I want to crawl:

Jul 14 13:30:44 servername kernel: [  803.539059] [UFW BLOCK] IN=eth0 OUT= MAC=somemacadress SRC=somesourceip DST=somedestinationip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=18692 DF PROTO=TCP SPT=50852 DPT=5003 WINDOW=14600 RES=0x00 SYN URGP=0

Basically I want to block an IP if there is a block on DPT=5003

Can somebody help?

Thanks!

use `fail2ban-regex` to test your regex – AlexD Jul 14 '23 at 20:02 — AlexD, Jul 14 '23 at 20:02
I did, this is where the mentioned error is thrown. – error401 Jul 15 '23 at 09:59 — error401, Jul 15 '23 at 09:59

AlexD · Answer 1 · 2023-07-17T09:48:20.187

0

The regex SRC=(?<ADDR>.*) DST.*(?=DPT=5003) uses PCRE named capture group syntax ?<ADDR> which fail2ban, being written in Python, doesn't understand and doesn't use. You need to use fail2ban own substitution <HOST> to capture IP or hostname. See the Developing Filters from fail2ban docs.

Update: <ADDR> substitution is also recognized, but isn't documented in the page I linked.

edited Jul 17 '23 at 09:48

answered Jul 16 '23 at 09:25

AlexD

8,747
2
29
38

score 0 · Answer 2 · answered Jul 17 '23 at 09:11

Normally it'd be enough to fix the typo - either use (?:...) note :, or remove group parenthesis:

- SRC=(?<ADDR>.*) DST.*(?=DPT=5003)
+ SRC=<ADDR>.* DST.*(?=DPT=5003)

But this RE is vulnerable (no anchors, contains catch-all's etc)... For better failregex example see https://github.com/fail2ban/fail2ban/pull/2225#issuecomment-766087078

Unable to compile regular expression in Fail2Ban

2 Answers2