Escape the brackets round localhost?

On 17/01/2021 19:58, Dan Egli wrote:

No, fail2ban is smart enough to pick up brackets on its own. And to be safe, I just tried it with the brackets escaped:

fail2ban-regex fails.log "fixed_login_exim4u authenticator failed for (localhost) \[<HOST>\]"

Running tests
=============

Use   failregex line : fixed_login_exim4u authenticator failed for (local...
Use         log file : fails.log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
|  2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
|  2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)

On 1/17/2021 2:27 AM, Nick Howitt wrote:
Shouldn't it be "\[<HOST>\]" and not just "<HOST>"?

On 17/01/2021 02:15, Dan Egli wrote:
Hey people, I don't know what's going on with F2B lately, but it seems to be completely ignoring anything happening with exim. Even fail2ban-regex won't pick anything up, and I tried doing it with a direct match.


root@jupiter:~# cat fails.log
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
root@jupiter:~# fail2ban-regex fails.log "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) <HOST>"

Running tests
=============

Use   failregex line : 2021-01-16 18:57:53.840 fixed_login_exim4u authent...
Use         log file : fails.log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
|  2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
|  2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
root@jupiter:~#

Note that it says all lines missed, but line #1 is an exact match. I also tried it without the date/time, same result:

root@jupiter:~# fail2ban-regex fails.log "fixed_login_exim4u authenticator failed for (localhost) <HOST>"

Running tests
=============

Use   failregex line : fixed_login_exim4u authenticator failed for (local...
Use         log file : fails.log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
|  2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
|  2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-

It's catching people trying to break in via SSH just fine. In fact my recidive list is getting so big I may have to clean it out soon just to make sure that it's not slowing down internet processing. But no matter what I try, it keeps saying all lines missed in the log. Even that log file is a snip of the actual log that shows actual failures.

Help?

--
Dan Egli
From my Test Server



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


