On 07/05/2021 09:17, Dan Egli wrote:
On 5/7/2021 1:33 AM, Nick Howitt wrote:
On 07/05/2021 07:57, Iosif Fettich wrote:
Hi there,
the number after the # can change, obviously. I tried this, but
fail2ban-regex said it missed:
"security: info: client @0x.* <HOST>#.* (.*): query (cache) .* denied"
So, how would I correct this regex so that it sees this
177.237.40.218 idiot? In under 5 minutes he's tried over 16k queries
for the same damn thing.
Try
"security: info: client @0x.* <HOST>#.* \(.*\): query \(cache\) .*
denied"
How important are all the words in the message? Can it be simplified to:
"security: info: client @0x.* <HOST>#.*denied"
Strange. It works fine on the command line, but as soon as I put it in
the filter file and test with the filter file, it fails.
# Fail2Ban filter file for named (bind9).
#
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
[Definition]

# Daemon name
_daemon=named

# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$

failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
            ^zone transfer
            ^bad zone transfer request: '\S+/IN': non-authoritative zone
            security: info: client @0x.* <HOST>#.*denied

ignoreregex =
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
# fail2ban-regex /var/log/named/named.log /etc/fail2ban/filter.d/named-refused.conf
Running tests
=============
Use failregex filter file : named-refused, basedir: /etc/fail2ban
Use log file : /var/log/named/named.log
Use encoding : UTF-8
Results
=======
Prefregex: 0 total
| ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?: error:)?\s*client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [21195] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 21195 lines, 0 ignored, 0 matched, 21195 missed
[processed in 1.28 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 21195 lines
# fail2ban-regex /var/log/named/named.log "security: info: client @0x.* <HOST>#.*denied"
Running tests
=============
Use failregex line : security: info: client @0x.* <HOST>#.*denied
Use log file : /var/log/named/named.log
Use encoding : UTF-8
Results
=======
Failregex: 21159 total
|- #) [# of hits] regular expression
| 1) [21159] security: info: client @0x.* <HOST>#.*denied
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [21195] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 21195 lines, 0 ignored, 21159 matched, 36 missed
[processed in 1.68 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 36 lines
Did I miss something somewhere?
Too much has been snipped. Please give a sample log line?
Also, try starting small with something like:
".*<HOST>.*denied"
Then build it up. I don't know if you even need the leading .*
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
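The two test runs in the thread differ because fail2ban treats a filter file and a bare command-line regex differently: with a filter file, `prefregex` is matched against the date-stripped line first and the `failregex` entries are then matched only against the `<F-CONTENT>` it captured, whereas `fail2ban-regex LOG 'REGEX'` has no prefregex and runs the single expression over the whole line. The script below is an added example, not code from the thread or from the fail2ban project. It re-implements that two-stage matching in plain Python with the quoted named-refused.conf patterns (the `%(...)s` shortcuts resolved the way fail2ban-regex printed them), a simplified IPv4-only `<HOST>`, and constructed sample lines: the timestamp is already removed, the client address 177.237.40.218 is taken from the post, and everything else (the `@0x` handle, port, query name, the `ns1` host name) is made up. `PREFREGEX_RELAXED`, which tolerates the `security: info:` category/severity prefix that BIND writes when `print-category` and `print-severity` are enabled on the channel, is an assumed fix for illustration, not the upstream filter.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only. The real tag (see the
# fail2ban-regex dump in the thread) also covers IPv6 addresses and DNS names.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def expand(pattern):
    """Resolve the fail2ban tags used in the quoted filter into a plain Python regex."""
    return (pattern.replace("<HOST>", HOST_RE)
                   .replace("<F-CONTENT>", "(?P<content>")
                   .replace("</F-CONTENT>", ")"))


# __line_prefix and prefregex from the quoted named-refused.conf with the %(...)s
# shortcuts resolved, as fail2ban-regex printed the compiled prefregex in the thread.
LINE_PREFIX = (r"(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?"
               r"|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?")
PREFREGEX_ORIG = (r"^" + LINE_PREFIX + r"(?: error:)?\s*client(?: @\S*)? <HOST>#\S+"
                  r"(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$")

# The three upstream failregex entries, plus the line the poster appended to them.
FAILREGEX = [
    r"^(?:view (?:internal|external): )?query(?: \(cache\))?",
    r"^zone transfer",
    r"^bad zone transfer request: '\S+/IN': non-authoritative zone",
]
POSTED_EXTRA = r"security: info: client @0x.* <HOST>#.*denied"

# Assumed fix (not the upstream filter): also accept the "security: <severity>: " prefix
# that BIND emits when print-category and print-severity are enabled on the channel.
PREFREGEX_RELAXED = PREFREGEX_ORIG.replace(r"(?: error:)?", r"(?:security: \w+: | error:)?")

# Constructed sample lines. The leading timestamp is already removed, as fail2ban does
# before matching; the syslog-shaped line keeps the separating space that the \s at the
# start of __line_prefix expects. Only the 177.237.40.218 address comes from the thread.
NATIVE_PLAIN = ("client @0x7f1ee00c2e80 177.237.40.218#41452 (example.com): "
                "query (cache) 'example.com/A/IN' denied")
NATIVE_WITH_CATEGORY = "security: info: " + NATIVE_PLAIN
SYSLOG_LINE = (" ns1 named[1234]: client @0x7f1ee00c2e80 10.0.0.5#5353 (example.com): "
               "query (cache) 'example.com/A/IN' denied")


def match_filter(prefregex, failregexes, line):
    """Two-stage matching as fail2ban does with a filter file: prefregex on the line,
    then each failregex against the captured <F-CONTENT> only. Returns the host to
    ban, or None."""
    pm = re.search(expand(prefregex), line)
    if pm is None:
        return None  # prefregex missed: the failregex entries are never consulted
    content = pm.group("content")
    for fr in failregexes:
        if re.search(expand(fr), content):
            return pm.group("host")
    return None


def failregex_hits(failregexes, content):
    """0-based indices of the failregex entries that match a given <F-CONTENT> string."""
    return [i for i, fr in enumerate(failregexes) if re.search(expand(fr), content)]


def match_plain(failregex, line):
    """What `fail2ban-regex LOG 'REGEX'` does: one regex, no prefregex, whole line."""
    m = re.search(expand(failregex), line)
    return m.groupdict().get("host") if m else None


if __name__ == "__main__":
    cases = [("native, no category/severity", NATIVE_PLAIN),
             ("native, 'security: info:' prefix", NATIVE_WITH_CATEGORY),
             ("syslog-shaped", SYSLOG_LINE)]
    for label, line in cases:
        print(f"{label:34} filter file: {match_filter(PREFREGEX_ORIG, FAILREGEX + [POSTED_EXTRA], line)!s:15}"
              f" relaxed prefregex: {match_filter(PREFREGEX_RELAXED, FAILREGEX, line)!s:15}"
              f" bare regex: {match_plain(POSTED_EXTRA, line)}")
```

Running it shows the original prefregex matching the plain native line and the syslog-shaped line but not the line carrying the `security: info:` prefix, which is why the filter file reports `Prefregex: 0 total` and 0 matches while the bare regex on the command line matches. Appending a fourth failregex entry cannot help: it is only ever tried against the `<F-CONTENT>` part (`query (cache) 'example.com/A/IN'`), which contains neither `security:` nor the client address, and the upstream `query(?: \(cache\))?` entry already matches that content once the prefregex succeeds. So the fix belongs in the prefregex or in the BIND channel configuration (turn off `print-category`/`print-severity`, which the header's example logging block leaves at their default of off), and `fail2ban-regex /var/log/named/named.log /etc/fail2ban/filter.d/named-refused.conf` should then show the prefregex and failregex hit counts rising together.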