It appears that this issue has already been fixed upstream, as can be seen
in the current source file for this filter at
https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/named-refused.conf
Which has:
prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
Which includes "(?: @\S*)?" to handle the problematic part.
Evan
On Thu, 4 Mar 2021, Sylvestre Ledru wrote:
Hello,
On 04/03/2021 at 14:39, E Harris wrote:
Package: fail2ban
Version: 0.10.2-2.1
Severity: normal
There is a problem in the regex matching for the optional named-refused
filter.
Log messages from named that should be matched by this filter are not being
matched because the log pattern for the host is different than expected.
Specifically, it seems to be a problem with the prefregex portion of the
pattern.
An example log line is:
Mar 4 07:32:52 myhost named[1390966]: client @0x7ff989af9780 124.81.141.74#53 (.): query (cache) './ANY/IN' denied
The stock prefregex is causing match failures because of the
'@0x7ff989af9780 ' portion of the log message.
Could you please report this issue upstream?
Thanks
Sylvestre
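
Added example, not part of the thread or of fail2ban's own code: a check of the upstream prefregex quoted above against the reported log line, compared with the same pattern with the "(?: @\S*)?" group deleted. LINE_PREFIX, HOST and the named groups are simplified stand-ins (assumptions) for fail2ban's %(__line_prefix)s, <HOST> and <F-CONTENT> expansions, and the pattern without the group is constructed for comparison rather than copied from the packaged filter.

```python
import re

# Simplified stand-ins (assumptions): fail2ban's real expansions of
# %(__line_prefix)s and <HOST> are more elaborate than these.
LINE_PREFIX = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ named\[\d+\]:"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# prefregex as quoted from the upstream named-refused.conf in this thread.
UPSTREAM = (r"^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+"
            r"(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>"
            r"\s(?:denied|\(NOTAUTH\))\s*$")

# Same pattern with the optional "@0x..." group removed (constructed for
# comparison; not copied from the Debian package).
WITHOUT_GROUP = UPSTREAM.replace(r"(?: @\S*)?", "")


def expand(template):
    """Turn a fail2ban-style template into a plain Python regex."""
    return re.compile(
        template.replace("%(__line_prefix)s", LINE_PREFIX)
                .replace("<HOST>", HOST)
                .replace("<F-CONTENT>", "(?P<content>")
                .replace("</F-CONTENT>", ")")
    )


def matched_host(pattern, line):
    """Return the client address the filter would act on, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


# Log line from the bug report, and a constructed variant in the older
# named format that has no "@0x..." token after "client".
WITH_AT = ("Mar 4 07:32:52 myhost named[1390966]: client @0x7ff989af9780 "
           "124.81.141.74#53 (.): query (cache) './ANY/IN' denied")
NO_AT = WITH_AT.replace(" @0x7ff989af9780", "")

FIXED = expand(UPSTREAM)
NO_GROUP = expand(WITHOUT_GROUP)

if __name__ == "__main__":
    for name, pat in (("upstream", FIXED), ("without group", NO_GROUP)):
        for label, line in (("with @", WITH_AT), ("no @", NO_AT)):
            print(f"{name:14} {label:7} -> {matched_host(pat, line)}")
```

A filter that silently stops matching means refused queries are logged but never counted toward a ban, so a regression check like this is worth rerunning whenever named's log format changes.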