Try without the ?: and you can probably stop after the <HOST>

On 25/10/2018 14:48, Denis Rasulev wrote:
Anyone to help, please?

Log entries samples:
|  Oct 25 09:57:25 localhost sshd[17377]: Disconnecting invalid user user 185.246.128.25 port 39598: Change of username or service not allowed: (user,ssh-connection) -> (admin,ssh-connection) [preauth]
|  Oct 25 09:58:34 localhost sshd[17381]: Disconnecting invalid user admin 185.246.128.25 port 22937: Change of username or service not allowed: (admin,ssh-connection) -> (root,ssh-connection) [preauth]
|  Oct 25 09:59:02 localhost sshd[17385]: Disconnecting authenticating user root 185.246.128.25 port 33103: Change of username or service not allowed: (root,ssh-connection) -> (,ssh-connection) [preauth]
|  Oct 25 09:59:23 localhost sshd[17387]: Disconnecting invalid user  185.246.128.25 port 6306: Change of username or service not allowed: (,ssh-connection) -> (root,ssh-connection) [preauth]
|  Oct 25 10:00:32 localhost sshd[17399]: Disconnecting authenticating user root 185.246.128.25 port 59009: Change of username or service not allowed: (root,ssh-connection) -> (0,ssh-connection) [preauth]

I have added a regex to catch:
^Disconnecting (?:authenticating|invalid) user .* <HOST>%(__on_port_opt)s:.*%(__suff)s$

After checking with
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf --print-all-missed > missed.txt
all those entries are missed.

What is wrong with the regex, please?

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
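A small offline harness for the question above, added here as an example and not part of the thread or of fail2ban itself. It expands the `<HOST>`, `%(__on_port_opt)s` and `%(__suff)s` placeholders into plain Python regex (the expansions are simplified approximations of fail2ban's definitions, assumed here, not copied from a release), strips an assumed syslog/sshd prefix, and reports what each candidate failregex captures as `host` for the five sample lines. It also shows a tighter pattern of my own (`TIGHTER`, not from the list) that pins the address between the user field and the literal `port`/message text; with the posted pattern the greedy `.*` lets the `<HOST>` group backtrack onto the word `allowed`, which is not an address fail2ban can ban.

```python
import re

# Sample lines as posted in the thread (syslog prefix included).
SAMPLE_LINES = [
    "Oct 25 09:57:25 localhost sshd[17377]: Disconnecting invalid user user 185.246.128.25 port 39598: Change of username or service not allowed: (user,ssh-connection) -> (admin,ssh-connection) [preauth]",
    "Oct 25 09:58:34 localhost sshd[17381]: Disconnecting invalid user admin 185.246.128.25 port 22937: Change of username or service not allowed: (admin,ssh-connection) -> (root,ssh-connection) [preauth]",
    "Oct 25 09:59:02 localhost sshd[17385]: Disconnecting authenticating user root 185.246.128.25 port 33103: Change of username or service not allowed: (root,ssh-connection) -> (,ssh-connection) [preauth]",
    "Oct 25 09:59:23 localhost sshd[17387]: Disconnecting invalid user  185.246.128.25 port 6306: Change of username or service not allowed: (,ssh-connection) -> (root,ssh-connection) [preauth]",
    "Oct 25 10:00:32 localhost sshd[17399]: Disconnecting authenticating user root 185.246.128.25 port 59009: Change of username or service not allowed: (root,ssh-connection) -> (0,ssh-connection) [preauth]",
]

# Assumed expansions of the fail2ban placeholders (simplified approximations).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # roughly what fail2ban substitutes for <HOST>
ON_PORT_OPT = r"(?: port \d+)?"                  # stand-in for %(__on_port_opt)s
SUFF = r"(?: \[preauth\])?\s*"                   # stand-in for %(__suff)s

# Assumed prefix: fail2ban's own __prefix_line is more general than this.
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")


def expand(failregex: str) -> "re.Pattern[str]":
    """Replace the fail2ban placeholders so the pattern runs under plain `re`."""
    pattern = failregex.replace("<HOST>", HOST)
    pattern = pattern.replace("%(__on_port_opt)s", ON_PORT_OPT)
    pattern = pattern.replace("%(__suff)s", SUFF)
    return re.compile(pattern)


def check(failregex: str, lines=SAMPLE_LINES) -> list:
    """Return, per line, the text captured as <host>, or None if the line is missed."""
    rx = expand(failregex)
    results = []
    for line in lines:
        content = PREFIX.sub("", line, count=1)   # fail2ban matches after the prefix
        m = rx.search(content)
        results.append(m.group("host") if m else None)
    return results


# The failregex from the question, verbatim.
POSTED = r"^Disconnecting (?:authenticating|invalid) user .* <HOST>%(__on_port_opt)s:.*%(__suff)s$"

# My tighter variant (an assumption, not from the thread): \S* allows the empty
# user name in line 4, and the literal " port \d+: Change of username" after
# <HOST> stops the group from drifting onto a later word in the message.
TIGHTER = (r"^Disconnecting (?:authenticating|invalid) user \S* <HOST> port \d+: "
           r"Change of username or service not allowed:.*\[preauth\]\s*$")

if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("tighter", TIGHTER)):
        print(f"{name:8s} host captured per line: {check(rx)}")
```

Run it as-is and compare the `host` column for the two patterns; any further candidate can be dropped into `check()` before touching `/etc/fail2ban/filter.d/sshd.conf`, and `fail2ban-regex` remains the final check since the real `__prefix_line` and placeholder definitions differ between fail2ban versions.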
