Something like this: https://regex101.com/r/YlQkUz/1

Denis

> On 12 Apr 2019, at 14:37, Denis Rasulev <[email protected]> wrote:
>
> Cool, we are on the right track :)
> That means that it is only required to adjust regex itself so it will catch
> what’s required.
>
> I’ll try to look at this again a bit later, meanwhile try to adjust the regex
> here: https://regex101.com/
> Copy-paste several log lines (from your first mail, for instance) and then
> play with regex in the top line.
>
> Denis.
>
>> On 12 Apr 2019, at 14:03, James Brown <[email protected]> wrote:
>>
>> That’s better - no errors.
>>
>> But doesn’t find anything:
>>
>> $ fail2ban-regex /private/var/log/stunnel.log /usr/local/etc/fail2ban/filter.d/stunnel.conf
>>
>> Running tests
>> =============
>>
>> Use failregex filter file : stunnel, basedir: /usr/local/etc/fail2ban
>> Use maxlines : 2
>> Use datepattern : Default Detectors
>> Use log file : /private/var/log/stunnel.log
>> Use encoding : UTF-8
>>
>>
>> Results
>> =======
>>
>> Failregex: 0 total
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> | [210156] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
>> ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
>> `-
>>
>> Lines: 210156 lines, 0 ignored, 0 matched, 210156 missed
>> [processed in 8.19 sec]
>>
>> Missed line(s): too many to print. Use --print-all-missed to print all
>> 210156 lines
>>
>>
>> James.
>>
>>> On 12 Apr 2019, at 9:54 pm, Denis Rasulev <[email protected]> wrote:
>>>
>>> That's what I thought. That is why parser does not recognize
>>> '%(__on_port_opt)'
>>> Add this section to the top of stunnel.conf file and test it again.
>>>> [INCLUDES]
>>>> before = common.conf
>>>
>>> Denis
>>>
>>> On Fri, Apr 12, 2019 at 1:50 PM James Brown <[email protected]> wrote:
>>> Stunnel.conf file:
>>>
>>>
>>> No mention of ‘before = common.conf’
>>>
>>> James.
>>>
>>>
>>>> On 12 Apr 2019, at 9:37 pm, Denis Rasulev <[email protected]> wrote:
>>>>
>>>> James,
>>>>
>>>> Is it possible to share your stunnel.conf file?
>>>>
>>>> I just want to make sure that there you have this:
>>>>
>>>> [INCLUDES]
>>>> before = common.conf
>>>>
>>>> and also I wonder why '\' symbol multiplies itself in the regex O.O
>>>>
>>>> Denis
>>>>
>>>>> On 12 Apr 2019, at 12:32, James Brown <[email protected]> wrote:
>>>>>
>>>>> Thanks again Denis.
>>>>>
>>>>> Running the regex test I get:
>>>>>
>>>>> $ fail2ban-regex /private/var/log/stunnel.log /usr/local/etc/fail2ban/filter.d/stunnel.conf
>>>>>
>>>>> Running tests
>>>>> =============
>>>>>
>>>>> Use failregex filter file : stunnel, basedir: /usr/local/etc/fail2ban
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/bin/fail2ban-regex", line 34, in <module>
>>>>>     exec_command_line()
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 698, in exec_command_line
>>>>>     if not fail2banRegex.start(args):
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 599, in start
>>>>>     if not self.readRegex(cmd_regex, 'fail'): # pragma: no cover
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 345, in readRegex
>>>>>     reader.getOptions(None)
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 319, in getOptions
>>>>>     self, "Definition", self._configOpts, pOpts)
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 147, in getOptions
>>>>>     return self._cfg.getOptions(section, *args, **kwargs)
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configreader.py", line 245, in getOptions
>>>>>     v = self.get(sec, optname, vars=pOptions)
>>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 623, in get
>>>>>     return self._interpolate(section, option, value, d)
>>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 691, in _interpolate
>>>>>     self._interpolate_some(option, L, rawval, section, vars, 1)
>>>>>   File "/usr/local/Cellar/fail2ban/0.10.4/libexec/lib/python2.7/site-packages/fail2ban/client/configparserinc.py", line 73, in _interpolate_some
>>>>>     return self._cp_interpolate_some(option, accum, rest, section, map, *args, **kwargs)
>>>>>   File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 716, in _interpolate_some
>>>>>     "bad interpolation variable reference %r" % rest)
>>>>> ConfigParser.InterpolationSyntaxError: bad interpolation variable reference '%(__on_port_opt)\\\\n.*s_connect\\: connect .* Connection refused \\(61\\)”'
>>>>>
>>>>> Is it the bit after ‘<HOST>’ that it does not like?
>>>>>
>>>>> James.
>>>>>
>>>>>> On 12 Apr 2019, at 5:59 pm, Denis Rasulev <[email protected]> wrote:
>>>>>>
>>>>>> Well, looks like we only need to adjust our regex… Let’s try to simplify
>>>>>> it:
>>>>>>
>>>>>> failregex = "^Service \[ssmtp\] accepted connection from .*<HOST>%(__on_port_opt)\\n.*s_connect\: connect .* Connection refused \(61\)"
>>>>>>
>>>>>> You may also test your filters without restarting fail2ban every time.
>>>>>> For this, run this command:
>>>>>>
>>>>>> fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/stunnel.local --print-all-missed > ~/missed.txt
>>>>>>
>>>>>> And then check the output in your home directory, in `missed.txt` file.
>>>>>>
>>>>>> Please, pay attention that it is better to keep your own rules in .local
>>>>>> file rather than adjust standard .conf files.
>>>>>>
>>>>>> Denis
>>>>>>
>>>>>>> On 12 Apr 2019, at 08:51, James Brown <[email protected]> wrote:
>>>>>>>
>>>>>>>> On 12 Apr 2019, at 4:33 pm, Denis Rasulev <[email protected]> wrote:
>>>>>>>>
>>>>>>>> [Init]
>>>>>>>> maxlines = 2
>>>>>>>>
>>>>>>>> [Definition]
>>>>>>>> failregex = "^Service [ssmtp] accepted connection from ::ffff:<HOST>%(__on_port_opt)\n.*s_connect: connect ::1:25: Connection refused (61)"
>>>>>>>>
>>>>>>>
>>>>>>> Thanks Denis.
>>>>>>>
>>>>>>> When I use that failregex fail2ban won’t start:
>>>>>>>
>>>>>>> fail2ban [39139]: ERROR Failed during configuration: bad interpolation variable reference '%(__on_port_opt)\\n.*s_connect: connect ::1:25: Connection refused (61)'
>>>>>>>
>>>>>>> James.
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
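Added example, not part of the thread and not fail2ban's own code: Python's configparser, which the traceback above shows reading the filter file, only accepts interpolation references of the form `%(name)s` and keeps surrounding double quotes as part of the value. The sketch below loads three variants of the thread's failregex and runs each against a two-line buffer; `ON_PORT_OPT`, `HOST_RE`, the helper names and the log lines are assumptions constructed for illustration, and the matching step is a simplified model of what fail2ban does.

```python
import configparser
import re

# Assumed stand-ins, constructed for this example (not fail2ban's definitions):
ON_PORT_OPT = r"(?: port \d+)?"                   # what common.conf would supply
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"    # simplified <HOST>, IPv4 only

BODY = (r"^Service \[ssmtp\] accepted connection from ::ffff:<HOST>{ref}"
        r"\n.*s_connect\: connect .* Connection refused \(61\)")
MISSING_S = BODY.replace("{ref}", "%(__on_port_opt)")    # reference as posted
FIXED = BODY.replace("{ref}", "%(__on_port_opt)s")       # trailing "s" added
QUOTED = '"' + FIXED + '"'                               # value wrapped in quotes

# Constructed two-line buffer (timestamps already stripped), modelling what
# maxlines = 2 would hand to the regex.
SAMPLE = ("Service [ssmtp] accepted connection from ::ffff:203.0.113.5\n"
          "s_connect: connect ::1:25: Connection refused (61)")


def load_failregex(value):
    """Parse a minimal filter file and return the interpolated failregex."""
    cp = configparser.ConfigParser()
    cp.read_string("[Definition]\n__on_port_opt = " + ON_PORT_OPT +
                   "\nfailregex = " + value + "\n")
    return cp.get("Definition", "failregex")


def try_filter(value, log_buffer=SAMPLE):
    """Return (status, host) for one failregex value against the buffer."""
    try:
        regex = load_failregex(value)
    except configparser.InterpolationSyntaxError:
        return ("interpolation-error", None)
    match = re.search(regex.replace("<HOST>", HOST_RE), log_buffer, re.MULTILINE)
    return ("match", match.group("host")) if match else ("no-match", None)


if __name__ == "__main__":
    for name, value in (("missing s", MISSING_S), ("quoted", QUOTED),
                        ("fixed", FIXED)):
        print(name, "->", try_filter(value))
```
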
