The commit that fixes this is here:

https://github.com/fail2ban/fail2ban/commit/43954692260bc57f6b7afd08115f8906b8fabce0

As best I can tell, this issue seems to have been fixed in the 0.10.5 release.

Evan


On Thu, 4 Mar 2021, Evan Harris wrote:

It appears that this issue has already been fixed upstream, as can be seen in the current source file for this filter at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/named-refused.conf

Which has:

prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$

Which includes "(?: @\S*)?" to handle the problematic part.

Evan


On Thu, 4 Mar 2021, Sylvestre Ledru wrote:

Hello,

On 04/03/2021 at 14:39, E Harris wrote:
Package: fail2ban
Version: 0.10.2-2.1
Severity: normal

There is a problem in the regex matching for the optional named-refused filter.

Log messages from named that should be matched by this filter are not being
matched because the log pattern for the host is different than expected.

Specifically, it seems to be a problem with the prefregex portion of the pattern.
An example log line is:

Mar 4 07:32:52 myhost named[1390966]: client @0x7ff989af9780 124.81.141.74#53 (.): query (cache) './ANY/IN' denied

The stock prefregex is causing match failures because of the '@0x7ff989af9780 ' portion of the log message.

Could you please report this issue upstream?

Thanks
Sylvestre
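
Added example, not part of the thread and not fail2ban's own code: a check of the prefregex quoted above against the reported log line, with and without the `(?: @\S*)?` group. The pre-fix pattern is an assumption (the quoted pattern minus that group), and `LINE_PREFIX`, `HOST` and `TIMESTAMP` are simplified stand-ins for fail2ban's own substitutions and date handling.

```python
import re

# prefregex as quoted in the thread (upstream form containing the fix)
FIXED = (r"^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+"
         r"(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$")
# Assumption: the pre-fix pattern is approximated by dropping the optional group
STOCK = FIXED.replace(r"(?: @\S*)?", "")

# Simplified stand-ins (assumptions) for what fail2ban substitutes itself
LINE_PREFIX = r"\s*(?:\S+\s+)?named(?:\[\d+\])?:"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"
# The timestamp is removed before the filter pattern is applied
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}")

# Log line from the bug report
REPORTED = ("Mar 4 07:32:52 myhost named[1390966]: client @0x7ff989af9780 "
            "124.81.141.74#53 (.): query (cache) './ANY/IN' denied")
# Constructed line in the format without the '@0x...' token
WITHOUT_TOKEN = ("Mar 4 07:32:52 myhost named[1390966]: client "
                 "192.0.2.10#53 (.): query (cache) './ANY/IN' denied")


def expand(pattern):
    """Turn the filter syntax into a plain Python regex."""
    return re.compile(
        pattern.replace("%(__line_prefix)s", LINE_PREFIX)
               .replace("<HOST>", HOST)
               .replace("<F-CONTENT>", "(?P<content>")
               .replace("</F-CONTENT>", ")"))


def match_host(pattern, line):
    """Return the captured client address, or None if the line is missed."""
    m = expand(pattern).search(TIMESTAMP.sub("", line, count=1))
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, pattern in (("stock", STOCK), ("fixed", FIXED)):
        for line in (REPORTED, WITHOUT_TOKEN):
            print(f"{name}: {match_host(pattern, line)!r:18} <- {line[31:70]}...")
```

A line the filter misses produces no ban and no error, so the same check is worth running on a real host with `fail2ban-regex` against the actual log file and filter.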
