On 05/05/2015 09:11 PM, Ivan Demkovitch wrote:
> Lee,
>
> Thank you for the response. I think I’m going crazy now. I removed ALL regex from
> Asterisk and left only this one in question. Restarted f2b and it found all
> the IP’s to ban (or f2b takes those from some internal database??). And they
> all have the same format (bad per your response). But they matched!
I ran the fail2ban-regex test with what you provided and a fairly current version of the filter and it missed that line. With my modification it identified it.

It must have found them from another log line, because that EventTV will not get matched by [\d-]+

>
> I was thinking maybe the '(,ACLName="\w+")?$’ part of the regex was a problem because
> the log in question didn’t have that part and this ACLName piece was checked into
> the repository recently.

That group is optional, inside the parens with a ? (0 or more instances).

>
> Anyway. I will monitor the whole thing for a while and see if I notice any issues
> going forward.
>
>
>> On May 5, 2015, at 7:00 PM, Lee Clemens <[email protected]> wrote:
>>
>>
>> On 05/05/2015 02:00 PM, Ivan Demkovitch wrote:
>>> Hello team!
>>> I'm using Fail2Ban to process Asterisk log files (filter.d/Asterisk). I
>>> found some "skipped" activity and I believe the following rule does not match,
>>> any hints on what might be wrong? (I'm not a regex expert by any means, but
>>> to me it looks like it should work...)
>>> Log entry:
>>>
>>> [2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"
>>
>> The EventTV group is expected to be only digits and "-"'s.
>>
>> The included sample log shows it in epoch with some suffix.
>> One example: 1389368346-880526
>>
>>>
>>> I saved it into a single 'testlog' file.
>>> Now, I believe it should match but
>>> it doesn't (the regex between '' is straight from the filter.d/Asterisk filter
>>> which I believe should work)
>>>
>>> [root@localhost fail2ban]# fail2ban-regex testlog
>>> '^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
>>>
>>
>> Replacing
>> EventTV="[\d-]+"
>> with
>> EventTV="[\d\-T:\.]+"
>>
>> Seems to work from my quick test, but there may be a better way to match
>> both.
>>
>> -Lee
>

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
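The following script reproduces the mismatch discussed in the thread outside of fail2ban, so the two EventTV character classes can be compared side by side. It is an added example, not code from the thread or from the fail2ban project: the `%(__prefix_line)s`/`%(log_prefix)s` interpolations and the `<HOST>` placeholder are replaced by simplified stand-ins (an assumption; fail2ban's real definitions are broader), and the two log lines are constructed from the formats quoted above (the poster's ISO-8601 EventTV and the epoch-with-suffix form in fail2ban's sample log). The security-relevant point is that a failregex which silently misses a line means the offending address is never banned, so counting "missed" lines the way `fail2ban-regex` does is the check worth automating after any filter change.

```python
import re

# Constructed sample lines modelled on the thread's log entry. The first
# carries Asterisk's ISO-8601 EventTV, the second the epoch-with-suffix form
# from fail2ban's bundled sample log.
ISO_LINE = (
    '[2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",'
    'SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",'
    'RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",'
    'ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433"'
)
EPOCH_LINE = ISO_LINE.replace(
    'EventTV="2015-05-05T10:39:29.396-0500"', 'EventTV="1389368346-880526"'
)

# Assumption: simplified stand-ins for fail2ban's %(__prefix_line)s,
# %(log_prefix)s and <HOST> substitutions, good enough for these sample lines.
PREFIX = r'^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] SECURITY\[\d+\] res_security_log\.c: '
HOST = r'(?P<host>[\w.:-]+)'

# The failregex body from the thread, split around the EventTV character class
# so the original and the proposed class can be swapped in.
BODY_HEAD = (
    r'SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="'
)
BODY_TAIL = (
    r'",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",'
    r'SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/' + HOST + r'/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?'
    r'(,ACLName="\w+")?$'
)


def build_failregex(eventtv_class):
    """Assemble the full regex with the given character class for EventTV."""
    return re.compile(PREFIX + BODY_HEAD + eventtv_class + BODY_TAIL)


ORIGINAL = build_failregex(r'[\d-]+')       # the class in the shipped filter
MODIFIED = build_failregex(r'[\d\-T:\.]+')  # the replacement proposed in the thread


def extract_host(regex, line):
    """Return the remote address the regex would hand to fail2ban, or None."""
    m = regex.search(line)
    return m.group('host') if m else None


def missed_lines(regex, lines):
    """Count lines the regex fails to match, like fail2ban-regex's 'missed'."""
    return sum(1 for line in lines if regex.search(line) is None)


if __name__ == '__main__':
    for name, rx in (('original', ORIGINAL), ('modified', MODIFIED)):
        print(name, 'ISO:', extract_host(rx, ISO_LINE),
              'epoch:', extract_host(rx, EPOCH_LINE),
              'missed:', missed_lines(rx, [ISO_LINE, EPOCH_LINE]))
```

Run as-is it shows the original class matching only the epoch form (one missed line) and the modified class matching both, with the same remote address extracted in every matched case. The regex is anchored with `^`, so a non-match is a full skip of the line rather than a partial match on a later field; that is what makes the `missed` count a reliable signal when regression-testing a filter against a saved log.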
