Updated Developing Regex in Fail2ban (markdown)

master
Egbert 2020-09-30 19:10:03 -04:00
parent 8edab352eb
commit 0da8b584d4
1 changed files with 4 additions and 4 deletions

@ -252,11 +252,11 @@ So, do what I do… Make a generic `failregex` in your new local filter config f
```ini
failregex = query.+<HOST>
```
WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern.
WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern as well as adding range-constraint (ie., `{,2}`, `{0,2}`) instead of a plus or an asterisk symbol.
WARNING: And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`, as we're developing a working matching pattern here.
WARNING: And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end. But not now for `$`, as we're developing toward a working matching pattern here.
Notice that there is no '`$`' to catch end-of-line match condition? Well do those `$` lastly as were trying to just match … ANYTHING!
Notice that there is no '`$`' to catch end-of-line match condition? Well do those `$` lastly as we are trying to match … just about ANYTHING that we want!
Now, re-run the `fail2ban-regex` with '`-l HEAVYDEBUG`' and look for the '`T: Matched FailRegex part`':
```console
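Review bot: the revised first WARNING still calls `.+` "evil" without saying why, and its new wording lets a reader swap `.+` for `.{0,2}` and consider the job done. A bounded quantifier on `.` still accepts any character between `query` and `<HOST>`, so suggest something like "replace each `.+` / `.*` with literal text or a narrow character class, and bound the repetition (e.g. `{0,2}`)". In the same line, "staticly-pattern" should read "static pattern", and "ie.," introduces examples, so it should be "e.g.,". In the second WARNING the new split leaves "But not now for `$`" as a sentence fragment, and the unchanged "Well do those" in the following line wants "We'll".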
@ -264,7 +264,7 @@ T: Matched FailRegex('query.+(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,
```
Now I am matching SOMETHING!
Notice the convoluted patterns after '`query.+`'? These long patterns represent the expanded part of '`<HOST>`' macro. We can safely ignore that for now.
Notice the convoluted patterns after '`query.+`'? These new, long patterns represent the expanded part of '`<HOST>`' macro. We can safely ignore that for now.
Most importantly, I am MATCHING something that starts with '`^query.+`'! Yippee!
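Review bot: the closing context line says the match "starts with '`^query.+`'", but the pattern shown in the `Matched FailRegex` output in this hunk header is `query.+` with no leading `^`, and the `failregex` in the previous hunk is `query.+<HOST>`. Since the earlier WARNING tells readers that `^` must be at the beginning, this line should either drop the `^` or say explicitly that the anchor has not been added yet. The added "new," in "These new, long patterns" does not say what the patterns are new relative to; "These long patterns are the expansion of the '`<HOST>`' macro" would be clearer.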