Hi all, I checked the GitHub and asked on IRC (nobody around at the time) and couldn't find anything like this. I'm running fail2ban 0.9.3 on Fedora 24, Python 2.7.11/3.5.1, trying to check Nginx error logs for bots. Here's the line:
$ line='2016/07/05 23:10:26 [error] 2359#0: *21 open() "/usr/share/nginx/html/wallpaper/technology/Rendered-Blue-Cubes-iPad-Wallpaper/1657" failed (2: No such file or directory), client: 198.143.46.17, server: _, request: "GET /wallpaper/technology/Rendered-Blue-Cubes-iPad-Wallpaper/1657 HTTP/1.1", host: "www.appleipadwallpapers.com"'
Here's the regex:
$ regex='^.*<HOST>.*$'
This should be the most permissive possible regex on fail2ban, right?
But here's the output of fail2ban-regex:
$ fail2ban-regex "$line" "$regex"
Running tests
=============
Use failregex line : ^.*<HOST>.*$
Use single line : 2016/07/05 23:10:26 [error] 2359#0: *21 open() "/u...
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.02 sec]
|- Missed line(s):
| 2016/07/05 23:10:26 [error] 2359#0: *21 open() "/usr/share/nginx/html/wallpaper/technology/Rendered-Blue-Cubes-iPad-Wallpaper/1657" failed (2: No such file or directory), client: 198.143.46.17, server: _, request: "GET /wallpaper/technology/Rendered-Blue-Cubes-iPad-Wallpaper/1657 HTTP/1.1", host: "www.appleipadwallpapers.com"
`-
(I'm new to fail2ban and I was worried my timestamp might have been
nonstandard, but does the bit under "Date template hits" mean that I'm
in the clear there?) By the way, fail2ban-testcases fails a few tests
related to this:
Regex for filter 'nginx-botsearch' has no samples: 2: '^\\[error\\]
\\d+#\\d+: \\*\\d+ \\S+\\(\\) \\"\\S+\\" (failed|is not found) \\(2\\:
No such file or directory\\), client\\:
(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)\\, server\\: \\S*\\, request:
\\"(GET|POST|HEAD) \\/\\S+ \\S+\\"\\, .*?$'
Regex for filter 'nginx-http-auth' has no samples: 1: '^ \\[error\\]
\\d+#\\d+: \\*\\d+ no user/password was provided for basic
authentication, client: (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w), server:
\\S+, request: "\\S+ \\S+ HTTP/\\d+\\.\\d+", host: "\\S+"\\s*$'
and so forth. Don't know if this specifically is relevant, but thought
I'd mention it. Thanks all.
