[Fail2ban-users] multiline match?

2022-03-05 Thread Richard Hector

Hi all,

I have to confess I find the existing filters somewhat opaque, so I 
might be missing something.


I have lines like these in my logs (reported by logcheck, in this case):


Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184


To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows an 
error doesn't have an IP address, and the line with an IP address isn't 
obviously an error.


Is it still possible to find those and ban them?

Thanks,
Richard


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
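
The pairing Richard describes (an error line without an address, followed by an address line without an error, both from the same sshd process) can be done by keying on the PID in `sshd[NNNNN]`. fail2ban filters can buffer several lines for this kind of match (the `maxlines` filter option), but the following is an added, stand-alone illustration in Python and not fail2ban code or anything posted on the list. The log lines are constructed after the ones quoted above (the repeated 46.19.139.18 entry and the 203.0.113.9 line are added so the per-address count and the "no preceding error" case are both visible); the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the post.
# The last line has no preceding kex error from its PID, so it should
# not be correlated; 46.19.139.18 appears twice so a threshold can fire.
SAMPLE_LOG = """\
Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184
Mar  6 16:18:02 akl-host6 sshd[33041]: Connection closed by 203.0.113.9 port 50000
Mar  6 16:18:10 akl-host6 sshd[33044]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:18:10 akl-host6 sshd[33044]: Connection closed by 46.19.139.18 port 32900
"""

# Syslog prefix: timestamp, host, "sshd[<pid>]: ", then the message body.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# First line of the pair: the error, which carries no address.
KEX_ERR_RE = re.compile(
    r'^error: kex_exchange_identification: Connection closed by remote host$'
)
# Second line of the pair: the address, which carries no error.
CLOSED_RE = re.compile(
    r'^Connection closed by (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+$'
)


def correlate(log_text):
    """Return (timestamp, ip) tuples for each sshd process that logged the
    kex error and then reported the peer address.  A 'Connection closed'
    line whose PID never logged the error is ignored."""
    pending = {}   # pid -> timestamp of the kex error seen for that pid
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        if KEX_ERR_RE.match(msg):
            pending[pid] = m['ts']
            continue
        c = CLOSED_RE.match(msg)
        if c and pid in pending:
            # Pair found: the address line completes the earlier error.
            hits.append((pending.pop(pid), c['ip']))
    return hits


def count_by_ip(hits):
    """Number of correlated kex failures per source address."""
    return Counter(ip for _, ip in hits)


def offenders(log_text, maxretry=2):
    """Addresses that reached `maxretry` correlated failures, sorted.
    (fail2ban would apply its own maxretry/findtime here.)"""
    counts = count_by_ip(correlate(log_text))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE_LOG):
        print(ts, ip)
    print("over threshold:", offenders(SAMPLE_LOG))
```

The PID is the join key: the two lines share it, and sshd writes the error before the address, so a one-entry-per-PID buffer is enough. The time window and retry count are left to the caller because, in fail2ban, `findtime` and `maxretry` are jail settings rather than part of the filter.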


[Fail2ban-users] Troubles setting up regex filter

2022-03-05 Thread Marc Chamberlin via Fail2ban-users
Hello - I think either I am setting up my regex filter for processing 
log file lines from the Apache James email filter incorrectly, or I have 
found a bug in fail2ban-regex and perhaps in fail2ban itself, so I need 
some kind guru to help me with this.


I ran the following test, trying to see what is matched by the  
variable used in the regex expression for my filter. Below is shown the 
command for fail2ban-regex and the output from it. This shows both a 
sample log file line that appears to be failing to get the address 
banned, and the regex expression I am using.


To my untrained eyes, the variable/pattern for  should match the 
IPv4 address 87.246.7.246, but it appears that the actual match is 
7.246.7.246, i.e. the leading 8 is missing in the matched IP address. Why? 
Is my regex expression wrong or is this a bug? If so, how do I report 
the bug?


Many thanks in advance for helping me with this issue! Marc...

fail2ban-regex -v -v -l HEAVYDEBUG \
  "2022-03-05 09:30:18,739 ERROR | org.apache.james.protocols.api.handler.CommandHandler | AUTH method LOGIN failed from r...@marcchamberlin.com@87.246.7.246" \
  "^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w+\s+\|)?\s+AUTH method LOGIN failed from.*\s*$"


Running tests
=

 2022-03-05 10:06:27,753 7F3161E20740 DEBUG Setting usedns = warn for 
Filter(None)

 2022-03-05 10:06:27,753 7F3161E20740 DEBUG Created Filter(None)
Use   failregex line : ^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w+\s+\|)?\s+AUTH 
met...
Use  single line : 2022-03-05 09:30:18,739 ERROR | 
org.apache.james.p...


 2022-03-05 10:06:27,754 7F3161E20740 TRACE Working on line 
'2022-03-05 09:30:18,739 ERROR | 
org.apache.james.protocols.api.handler.CommandHandler | AUTH method 
LOGIN failed from r...@marcchamberlin.com@87.246.7.246'
 2022-03-05 10:06:27,754 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)((?P202\d)(?P<_sep>[-/.])(?P1[0-2]|0[1-9]|[1-9])(?P=_sep)(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])(?:T| 
?)(?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)(?:[.,](?P[0-9]{1,6}))?(?:\s*(?PZ|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
 2022-03-05 10:06:27,755 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)(?iu)((?:(?Pmon|tue|wed|thu|fri|sat|sun) 
)?(?Pjan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) 
(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) 
?(?P[0-2]?\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)(?:\.(?P[0-9]{1,6}))?(?: 
(?P202\d))?)(?=\b|\W|$)
 2022-03-05 10:06:27,755 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)(?iu)((?:(?Pmon|tue|wed|thu|fri|sat|sun) 
)?(?Pjan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) 
(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) (?P202\d) 
?(?P[0-2]?\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)(?:\.(?P[0-9]{1,6}))?)(?=\b|\W|$)
 2022-03-05 10:06:27,755 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)((?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])(?P<_sep>[-/])(?P1[0-2]|0[1-9]|[1-9])(?P=_sep)(?:(?P202\d)|(?P2\d)) 
?(?P[0-2]?\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)(?iu)((?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])(?P<_sep>[-/])(?Pjan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?P=_sep)(?P202\d)[ 
:]?(?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)(?:\.(?P[0-9]{1,6}))?(?: 
(?PZ|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)((?P1[0-2]|0[1-9]|[1-9])/(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])/(?P202\d):(?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)((?P1[0-2]|0[1-9]|[1-9])-(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])-(?P202\d) 
?(?P[0-2]?\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)(?:\.(?P[0-9]{1,6}))?)(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
((?:^|(?P(?<=^\[))|(?P(?<=\baudit\()))\d{10,11}\b(?:\.\d{3,6})?)(?:(?(selinux)(?=:\d+\)))|(?(square)(?=\])))(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
^(?:\W{0,2})?((?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
^(<(?P1[0-2]|0[1-9]|[1-9])/(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])/(?P2\d)@(?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d)>)(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)((?P2\d)(?P1[0-2]|0[1-9])(?P3[0-1]|[1-2]\d|0[1-9]) 
?(?P2[0-3]|[0-1]\d|\d):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
 2022-03-05 10:06:27,756 7F3161E20740 TRACE   constructed regex 
(?=^|\b|\W)(?iu)((?Pjan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) 
(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]), (?P202\d) 
(?P1[0-2]|0[1-9]|[1-9]):(?P[0-5]\d|\d):(?P6[0-1]|[0-5]\d|\d) 
(?Pam|pm))(?=\b|\W|$)
 2022-03-05 10:06:27,757 7F3161E20740 TRACE   constructed regex 
(?iu)^((?Pjan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)-(?P3[0-1]|[1-2]\d|0[1-9]|[1-9]| 
[1-9])-(?P2\d) 
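
The symptom Marc reports (a match of `7.246.7.246` instead of `87.246.7.246`) is what a greedy `.*` placed directly before an address pattern produces: `.*` swallows as much as it can, and on backtracking the first position from the right where an IPv4 pattern still fits is the one starting at `7`. The host placeholder in Marc's regex has been lost on this page, so the following is an added example in Python (not fail2ban's code and not from the list) that assumes the failregex ended in `from.*<HOST>\s*$`, stands in a simplified IPv4 pattern for fail2ban's `<HOST>` expansion, and feeds the line with the timestamp already removed, as fail2ban does before applying failregex. The e-mail address in the sample line is constructed.

```python
import re

# Constructed sample, the quoted line with its timestamp cut off
# (fail2ban strips the detected date before failregex is applied).
LINE = ("ERROR | org.apache.james.protocols.api.handler.CommandHandler | "
        "AUTH method LOGIN failed from user@example.com@87.246.7.246")

# Simplified stand-in for fail2ban's <HOST>: the real expansion also
# covers IPv6 and hostnames, which does not change the behaviour shown.
IPV4 = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Everything up to "from", as in the failregex posted above.
PREFIX = (r'^\s*ERROR(\s*\|)?(\s+[\w+\.]+\w+\s+\|)?'
          r'\s+AUTH method LOGIN failed from')

# 1. Greedy ".*" right before the address: backtracks from the end and
#    stops at the first position where four octets fit, i.e. "7.246.7.246".
GREEDY = re.compile(PREFIX + r'.*' + IPV4 + r'\s*$')

# 2. Anchor on the "@" that precedes the address in this log format.
#    "\S*" still backtracks, but the address must start right after an "@".
ANCHORED = re.compile(PREFIX + r'\s+\S*@' + IPV4 + r'\s*$')

# 3. Keep ".*" but forbid starting the address inside a number: the
#    negative lookbehind rejects any start preceded by a digit or a dot.
GUARDED = re.compile(PREFIX + r'.*(?<![\d.])' + IPV4 + r'\s*$')


def extract_host(regex, line):
    """Return the captured host, or None when the regex does not match."""
    m = regex.search(line)
    return m['host'] if m else None


if __name__ == "__main__":
    for name, rx in (("greedy", GREEDY), ("anchored", ANCHORED), ("guarded", GUARDED)):
        print(f"{name:9s} -> {extract_host(rx, LINE)}")
```

Of the two fixes, anchoring on the `@` is the more specific for this log format; the lookbehind guard is the general one when the text before the address is not fixed. Either way the point is that the address pattern must be allowed to match at the address start rather than wherever backtracking first succeeds.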

[Fail2ban-users] IRC channel?

2022-03-05 Thread Richard Hector

Hi,

The page at https://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help says 
there's a #fail2ban channel on freenode - is that still the right 
network? Or is the one on libera.chat the right one now? It has users, 
but no topic ...


Thanks,
Richard

