github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Major changes, incorporating many of #2837, thanks, @sebres

master
Egbert 2020-09-30 16:20:04 -04:00
parent e780814e57
commit 0c51e3f1b7
1 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Developing-Regex-in-Fail2ban.md

@ -55,9 +55,13 @@ Such unknown `datepattern` shall be a subject for another blog, not here.
PRE-FILTER MATCHED
==================
In every filter file, `prefregex` defaults to '`^(?P<content>.+)$`'. If you havent touch or set the `prefregex`, move on to the next section.
If you have a single-line pattern, skip this section and leave `prefregex` empty or undefined.
Otherwise, `prefregex` becomes your focus in troubleshooting.
To Pre-Filter or Not To Pre-Filter
-----------------------------------
This section only applies if you have (or will have) multiple patterns within this same filter file that you are creating or modifying.
If `prefregex` already existed and you know it works, then you can move on to the next section. If you are creating one, read on.
You can tell that the (default or customized) `prefregex` actually works if you added '`-l HEAVYDEBUG`' to your `fail2ban-regex` command line:
```bash
@ -91,7 +95,9 @@ prefregex = ^ <F-CONTENT>.+</F-CONTENT>$
```
The above custom `prefregex` will ensure that that beginning space character is removed before sending the remaining content to the `failregex`. This new `prefregex` returns just the interesting '`<F-CONTENT>.+</F-CONTENT>$`' which is basically everything after that lone (but unwanted) space char.
Running that fail2ban-regex with the '`-l HEAVYDEBUG`', the new output shows:
WARNING: This is a greedy Regex algorithm. Many regex are unsafe, neither contain start- (^) nor end-anchor ($), as well as contain catch-all like .+, especially which is immediately followed by unprecise <HOST> tag which is accepting every word as hostname.
Back on track, running that fail2ban-regex with the '`-l HEAVYDEBUG`', the new output shows:
```console
T: Pre-filter matched {'content': 'query-errors: info: client @0x7f0410000e40 123.123.123.123#80 (sl): view red: query failed (REFUSED) for sl/IN/ANY at query.c:5445'}
```
@ -114,12 +120,25 @@ FAILREGEX MATCHED
==================
Focus on the `failregex` portion of the filter config file. They go under `[Definition]` section.
The catch of using `failregex` is that there MUST be at least one regex group match such as '`<HOST>`', '`<ADDR>`', or '`<F-USER>`'.
Using `failregex` means that there MUST be at least one regex group match such as:
* '`<HOST>`' - hostname
* '`<ADDR>`' - IPv4 or IPv6 address
* '`<F-ID>`' - Regex group ID
* '`<F-PORT>`' - Port number of UDP/TCP/SCTP/DDCP and other transport layers.
* '`<F-ERRCODE>`' - Error codes, like HTTP status, or shell exit status
* '`<F-MLFGAINED>`' - Access to service was gained.
* '`<F-NOFAIL>`' - Used as a mark for no-failure condition for a helper to accumulate
* '`<F-MLFID>`'
* '`<F-MLFFORGET`' - Forget the multi-line set by `<F-MLFID>`.
* '`<F-USER>`'.
* '`<F-ALT_USER>`' - Indicates non-Unix username (such as Dovecot's SMTP account name).
So, do what I do… Make a generic `failregex` in your new local filter config file, like this:
```ini
failregex = query.+<HOST>
```
WARNING: Don't make my example a permanent change because `.+` is evil. Do no evil but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly. And also don't forget to add that '^' at the beginning and '$' at the end, but not now, we're developing one.
Notice that there is no '`$`' to catch end-of-line match condition? Well do those '`$`' lastly because were trying to just match … ANYTHING!
Re-run fail2ban-regex with '`-l HEAVYDEBUG`' and notice the '`T: Matched FailRegex part`':