github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Updated Developing Regex in Fail2ban (markdown)

master
Egbert 2020-09-30 18:58:25 -04:00
parent 2a22e82a9f
commit d3af3ffa07
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Developing-Regex-in-Fail2ban.md

@ -53,8 +53,12 @@ Fail Pattern
------------
After ensuring a success `datepattern` (and optionally the `prefregex`) match, set your `failregex` to a generic pattern of `.+ <HOST>`.
Then watch for `Results` tabulation in your output:
Watch for two things: `Matched FailRegex:` and parts of `Results:` table.
```console
T: Matched FailRegex('query.+(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))')
...
Results
=======
@ -246,17 +250,19 @@ So, do what I do… Make a generic `failregex` in your new local filter config f
```ini
failregex = query.+<HOST>
```
WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern. And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`, as we're developing a working matching pattern here.
WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern.
Notice that there is no '`$`' to catch end-of-line match condition? Well do those `$` lastly because were trying to just match … ANYTHING!
WARNING: And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`, as we're developing a working matching pattern here.
Re-run fail2ban-regex with '`-l HEAVYDEBUG`' and notice the '`T: Matched FailRegex part`':
Notice that there is no '`$`' to catch end-of-line match condition? Well do those `$` lastly as were trying to just match … ANYTHING!
Now, re-run the `fail2ban-regex` with '`-l HEAVYDEBUG`' and look for the '`T: Matched FailRegex part`':
```console
T: Matched FailRegex('query.+(?:(?:::f{4,6}:)?(?P<ip4>(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P<dns>[\\w\\-.^_]*\\w))')
```
Now I am matching SOMETHING!
Notice the convoluted patterns after '`query.+`'? These long patterns represent '`<HOST>`' part. We can safely ignore that for now.
Notice the convoluted patterns after '`query.+`'? These long patterns represent the expanded part of '`<HOST>`' macro. We can safely ignore that for now.
Most importantly, I am MATCHING something that starts with '`^query.+`'! Yippee!
@ -264,7 +270,7 @@ That evil `.+` is only temporary; we'll get rid of that at the end.
GYRATING TOWARD FULL MATCH
==========================
With a working matching pattern (albeit a failed but overly-broad pattern), we can then work toward a full-blown but concise (yet flexible) pattern.
With a working matching pattern (albeit a failed but overly-broad pattern), we can then work toward a the finished `failregex`; a full-blown but concise (yet flexible) pattern.
Lets start by adding more static pattern.