Lee, Thanks for response. I was thrown off by “Ban” messages yesterday, I guess f2b has some internal database to re-sync on restart(not from logs)?
But anyway. Today I modified asterisk.conf and left just one regex in questions (original) and it missed logs. I modified it per your suggestion and from what I can tell - it covers all. In other words - seems like only this regex needed for Asterisk because other ones usually go side by side. Looks like this change can be submitted for future releases.. I will run Asterisk for couple days and monitor if anything been missing... > On May 6, 2015, at 10:33 AM, Lee Clemens <[email protected]> wrote: > > > On 05/05/2015 09:11 PM, Ivan Demkovitch wrote: >> Lee, >> >> Thank you for response. I think I’m going crazy now. I removed ALL regex >> from Asterisk and left only this one in question. Restarted f2b and it found >> all the IP’s to ban(or f2b takes those from some internal database??). And >> they all have same format (bad per your response). But they matched! > > I ran the fail2ban-regex test with what you provided and a fairly current > version of the filter and it missed that line. With my modification it > identified it. > > It must have found them from another log line, because that EventTV will not > get matched by [\d-]+ > >> >> I was thinking maybe '(,ACLName="\w+")?$’ part of regex was a problem >> because log in question didn’t have that part and this ACLName piece was >> checked into repository recently. > > That group is optional, inside the parens with a ? (0 or more instances). > >> >> Anyway. I will monitor whole thing for a while and see if I notice any >> issues going forward. >> >> >>> On May 5, 2015, at 7:00 PM, Lee Clemens <[email protected]> wrote: >>> >>> >>> On 05/05/2015 02:00 PM, Ivan Demkovitch wrote: >>>> Hello team! >>>> I'm using Fail2Ban to process Asterisk log files (filter.d/Asterisk). I >>>> found some "skipped" activity and I beleive following rule does not match, >>>> any hints on what might be wrong? (I'm not regex expert by any means, but >>>> to me it looks like it should work...) >>>> Log entry: >>>> >>>> [2015-05-05 10:39:29] SECURITY[2635] res_security_log.c: >>>> SecurityEvent="InvalidPassword",EventTV="2015-05-05T10:39:29.396-0500",Severity="Error",Service="SIP",EventVersion="2",AccountID="011972592249482",SessionID="0x7f4b8000a2a8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/195.154.150.102/5070",Challenge="6c8c1b82",ReceivedChallenge="6c8c1b82",ReceivedHash="12143a9e0583447febc67fb28cbdf433" >>> >>> The EventTV group is expected to be only digits and "-"'s. >>> >>> The included sample log shows it in epoch with some suffix. >>> One example: 1389368346-880526 >>> >>>> >>>> I saved it into single 'testlog' file. Now, I beleive it should match but >>>> it doesn't (regex between '' is straight from filter.d/Asterisk filter >>>> which I beleive should work) >>>> >>>> [root@localhost fail2ban]# fail2ban-regex testlog >>>> '^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s >>>> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$' >>>> >>> >>> Replacing >>> EventTV="[\d-]+" >>> with >>> EventTV="[\d\-T:\.]+" >>> >>> Seems to work from my quick test, but there may be a better way to match >>> both. >>> >>> -Lee >> ------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
