From 6097f9e7e1b67bf4354199100250ff56801c65a2 Mon Sep 17 00:00:00 2001 From: Egbert <10352354+egberts@users.noreply.github.com> Date: Sun, 20 Sep 2020 18:32:54 -0400 Subject: [PATCH] Updated Developing Regex in Fail2ban (markdown) --- Developing-Regex-in-Fail2ban.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/Developing-Regex-in-Fail2ban.md b/Developing-Regex-in-Fail2ban.md index 123bc49..df1a4e2 100644 --- a/Developing-Regex-in-Fail2ban.md +++ b/Developing-Regex-in-Fail2ban.md @@ -20,7 +20,7 @@ ACTUAL EXAMPLES! ================ The actual examples were obtained during a DDOS against my Bind9 master nameserver. And a regex is needed ... fast. -Actual log file is (after privacy redactions): +Actual log (`/tmp/captured.log`) file is (after privacy redactions) shown below: ```log 19-Sep-2020 11:47:00.116 query-errors: info: client @0x7f0410000e40 123.123.123.123#80 (sl): view red: query failed (REFUSED) for sl/IN/ANY at query.c:5445 19-Sep-2020 11:47:01.120 query-errors: info: client @0x7f0410000e40 123.123.123.123#80 (sl): view red: query failed (REFUSED) for sl/IN/ANY at query.c:5445 
@@ -31,7 +31,7 @@ Actual log file is (after privacy redactions): ``` Note: A little history, the sl TLD went off-line and IoTs were spraying invalid DNS-QUERY records with falsified source IP address toward selected DNS servers, resulting in a mild DNS amplification attack via DNS-QUERY-REFUSED error message all being sent to the target victim. -Sadly, latest Bind9 daemon has no configurable field to suppress these false DNS-QUERY-REFUSED acknowledgement messages (ISC Bind team claim it is not kosher to do this, but I still have a problem and intend fail2ban to deal with it). +Sadly, latest Bind9 daemon has no configurable field to suppress these false DNS-QUERY-REFUSED acknowledgement messages (ISC Bind team claim it is not kosher to do this, but I still have this problem and have intend `fail2ban` to deal with this). FIRST PATTERN, FIRST ==================== @@ -78,7 +78,12 @@ and note the value of `'content:'`. This content comes after the `datepattern`; Note: Please note in 'content': value that there is an extra space at the beginning of that value so be careful with the ‘`^`‘ and make sure it starts with ‘`^ `‘ (note a space after caret symbol.) -But, with regard to that extra space char, do what I do; incorporate that space into your `prefregex`. Your customized `prefregex` will take away that beginning but lone space character from all your future (and current) `failregex` filter patterns. This makes for an easier-to-read `failpregex` pattern(s). +NEW CONFIG FILE +=============== +From there on, we're creating a local-variant of `named-refused.conf` file; all new and modified +settings are in the new `named-refused.local` file. + +With regard to that extra space char, do what I do; incorporate that space into your `prefregex`. Your customized `prefregex` will take away that beginning but lone space character from all your future (and current) `failregex` filter patterns. This makes for an easier-to-read `failpregex` pattern(s). ```ini prefregex = ^ .+$ ``` 
@@ -98,7 +103,7 @@ Focus on the `failregex` portion of the filter config file. They're under `[Def The catch of using `failregex` is that there MUST be at least one regex group match such as '``', '``', or '``'. -So, do what I do… Make a generic failregex` in your filter confing file like this: +So, do what I do… Make a generic `failregex` in your new local filter config file, like this: ```ini failregex = query.+ ``` @@ -228,7 +233,7 @@ _filespec = [0-9a-zA-Z\._\-]{1,254} _codeloc = %(_filespec)s:\d{1,6} ``` -NOTE: Guess? You are running fail2ban-regex between each modification? You still getting that non-zero '`Failregex: 6 total match`' under Results? +NOTE: You are running `fail2ban-regex` between each modification? You still getting that non-zero '`Failregex: 6 total match`' under Results? ```console Failregex: 6 total |- #) [# of hits] regular expression
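Review bot: in the `@@ -20,7 +20,7 @@` hunk the new sentence "Actual log (`/tmp/captured.log`) file is (after privacy redactions) shown below:" breaks the phrase "log file" with one parenthetical and then adds a second; suggest "The actual log file, `/tmp/captured.log`, is shown below after privacy redactions:". Since the path is now named explicitly, any later `fail2ban-regex` invocation in this page that reads the log from disk should use this same path so the reader can paste the command unchanged.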
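Review bot: in the `@@ -31,7 +31,7 @@` hunk the rewritten clause "but I still have this problem and have intend `fail2ban` to deal with this" introduces a grammatical error ("have intend"); suggest "but I still have this problem and intend `fail2ban` to deal with it". While touching that line, "ISC Bind team claim it is not kosher" reads better as "the ISC BIND team claims it is not kosher".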
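Review bot: in the `@@ -78,7 +78,12 @@` hunk the new NEW CONFIG FILE section says a `named-refused.local` is created but not where it lives or why that beats editing `named-refused.conf`; one sentence such as "fail2ban reads `named-refused.local` after `named-refused.conf`, so settings placed there override the shipped filter and survive package upgrades" would give the reader the reason. Two smaller points in the lines this hunk keeps: "local-variant" should be "local variant", and "an easier-to-read `failpregex` pattern(s)" has a typo for `failregex`. Finally, the claim that `prefregex = ^ .+$` "will take away that beginning but lone space character" is worth verifying with `fail2ban-regex`: fail2ban only hands the part captured by a `<F-CONTENT>...</F-CONTENT>` group in `prefregex` to `failregex`, and this pattern has no such group, so `^ <F-CONTENT>.+</F-CONTENT>$` makes the stripping explicit.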
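Review bot: in the `@@ -98,7 +103,7 @@` hunk the example `failregex = query.+` contradicts the rule stated two lines earlier that a `failregex` "MUST" contain at least one failure-id group; either include the `<HOST>` group in the example or state explicitly that this is a placeholder the following steps extend. In the same context line the three example group names render as empty code spans ('``', '``', '``'), most likely because the angle-bracketed names inside the backticks are being swallowed as HTML; check how they render and escape them if needed.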
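Review bot: in the `@@ -228,7 +233,7 @@` hunk the NOTE still reads as two fragments after dropping "Guess?": "You are running `fail2ban-regex` between each modification? You still getting that non-zero ..."; suggest "Are you running `fail2ban-regex` after each modification? Are you still getting a non-zero '`Failregex: 6 total match`' under Results?".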