Lee, thank you for the response. I think I'm going crazy now. I removed ALL regexes from Asterisk and left only this one in question. Restarted f2b and it found all the IPs to ban (or does f2b take those from some internal database?). And they all have the same format (bad per your response). But they matched!
I was thinking maybe the '(,ACLName="\w+")?$' part of the regex was the problem, because the log in question didn't have that part and this ACLName piece was checked into the repository recently. Anyway, I will monitor the whole thing for a while and see if I notice any issues going forward.

> On May 5, 2015, at 7:00 PM, Lee Clemens <[email protected]> wrote:
>
> On 05/05/2015 02:00 PM, Ivan Demkovitch wrote:
>> Hello team!
>> I'm using Fail2Ban to process Asterisk log files (filter.d/Asterisk). I
>> found some "skipped" activity and I believe the following rule does not match,
>> any hints on what might be wrong? (I'm not a regex expert by any means, but to
>> me it looks like it should work...)
>> Log entry:
>>
>> [2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"
>
> The EventTV group is expected to be only digits and "-"s.
>
> The included sample log shows it in epoch with some suffix.
> One example: 1389368346-880526
>
>>
>> I saved it into a single 'testlog' file. Now, I believe it should match but it
>> doesn't (the regex between '' is straight from the filter.d/Asterisk filter, which I
>> believe should work)
>>
>> [root@localhost fail2ban]# fail2ban-regex testlog '^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
>>
>
> Replacing
> EventTV="[\d-]+"
> with
> EventTV="[\d\-T:\.]+"
>
> Seems to work from my quick test, but there may be a better way to match both.
>
> -Lee

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
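Added worked example (not from the thread, and not fail2ban's own filter code): the failregex quoted above, reduced to a plain Python regex and run over the quoted log line and over a constructed line in the epoch-style EventTV format Lee mentions, once with the original EventTV="[\d-]+" and once with Lee's EventTV="[\d\-T:\.]+". The prefix that stands in for %(__prefix_line)s and %(log_prefix)s, and the named group that stands in for <HOST>, are simplified assumptions for this example, not fail2ban's definitions; the epoch-style log line is constructed, not taken from a real log.

```python
import re

# Stand-ins for fail2ban's %(__prefix_line)s / %(log_prefix)s and <HOST> substitutions.
# Both are simplified assumptions for this example, not fail2ban's own definitions:
# PREFIX matches the '[date] SECURITY[pid] res_security_log.c: ' part of the sample line,
# HOST captures an IPv4/IPv6 literal into a named group.
PREFIX = r'\[[^\]]+\]\s+SECURITY\[\d+\]\s+\S+:\s+'
HOST = r'(?P<host>[\da-fA-F:.]+)'

# Body of the failregex quoted in the thread, with the EventTV sub-pattern left as a
# placeholder so the shipped pattern and the proposed replacement can be compared.
BODY = (
    r'SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="<EVENTTV>",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",'
    r'AccountID="\d*",SessionID="0x[\da-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)

EVENTTV_ORIG = r'[\d-]+'        # as in the quoted filter: digits and '-' only
EVENTTV_FIXED = r'[\d\-T:\.]+'  # Lee's replacement: also allows 'T', ':' and '.'

# The log line quoted in the thread (ISO-8601 style EventTV with a UTC offset).
LOG_ISO = (
    '[2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",'
    'SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",'
    'RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",'
    'ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"'
)

# Constructed line modelled on the epoch-plus-suffix EventTV format (1389368346-880526)
# Lee cites from fail2ban's sample log; it also exercises the optional ACLName group.
LOG_EPOCH = (
    '[2014-01-10 15:39:06] SECURITY[1234] res_security_log.c: '
    'SecurityEvent="FailedACL",EventTV="1389368346-880526",Severity="Error",'
    'Service="SIP",EventVersion="1",AccountID="",SessionID="0x7f1a0c00b8d8",'
    'LocalAddress="IPV4/UDP/192.168.0.1/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",'
    'ACLName="default"'
)


def build_regex(eventtv_pattern):
    """Compile the full line regex with the given EventTV sub-pattern substituted in."""
    body = BODY.replace('<EVENTTV>', eventtv_pattern).replace('<HOST>', HOST)
    return re.compile('^' + PREFIX + body)


def match_host(regex, line):
    """Return the RemoteAddress host that would be banned, or None if the line is skipped."""
    m = regex.search(line)
    return m.group('host') if m else None


def compare():
    """Run both EventTV variants over both sample lines; returns {variant: {line: host}}."""
    results = {}
    for name, pattern in (('orig', EVENTTV_ORIG), ('fixed', EVENTTV_FIXED)):
        rx = build_regex(pattern)
        results[name] = {'iso': match_host(rx, LOG_ISO),
                         'epoch': match_host(rx, LOG_EPOCH)}
    return results


if __name__ == '__main__':
    for name, hosts in compare().items():
        for kind, host in hosts.items():
            print(f'EventTV {name:5s} / {kind:5s} line: '
                  f'{"host " + host if host else "NO MATCH (skipped)"}')
```

With the shipped `[\d-]+` the ISO line is skipped because the 'T' after the date cannot be matched, while the epoch-style line still bans 192.0.2.10; with `[\d\-T:\.]+` both lines match and the ISO line yields 195.154.150.102. The optional `(,ACLName="\w+")?$` group matches whether or not the field is present, so it is not what causes the skip.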
