Forwarded-upstream: https://github.com/fail2ban/fail2ban/pull/689

Thank you James, I thought that it might be better just to use
'[^0-9]<ip>\([^0-9]\|$\)' to avoid requiring egrep (not sure if all
other distros/osx would have it).

On Mon, 14 Apr 2014, James Bottomley wrote:

> Package: fail2ban
> Version: 0.8.13-1
> Severity: normal
>
> The regular expression for reporting the actual failing lines in
> sendmail-whois-lines.conf does not match the ban lines by recidive in
> fail2ban.log. The reason is that the IP address appears at the end of
> the line, so the grep
>
>     grep '[^0-9]<ip>[^0-9]' <logpath>
>
> does not match (end of line is not a matchable character). The fix is
> to use an extended grep matching either not numeric or end of line:
>
>     egrep '[^0-9]<ip>([^0-9]|$)' <logpath>
>
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (500, 'testing'), (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.13-1-686-pae (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fail2ban depends on:
> ii  lsb-base    4.1+Debian12
> pn  python:any  <none>
>
> Versions of packages fail2ban recommends:
> ii  iptables          1.4.21-1
> pn  python-pyinotify  <none>
> ii  whois             5.1.1
>
> Versions of packages fail2ban suggests:
> ii  bsd-mailx [mailx]            8.1.2-0.20131005cvs-1
> ii  mailutils [mailx]            1:2.99.98-1.1
> ii  mailx                        1:20081101-2
> pn  python-gamin                 <none>
> ii  rsyslog [system-log-daemon]  7.6.3-1
>
> -- Configuration Files:
> /etc/fail2ban/action.d/iptables-allports.conf changed:
> [INCLUDES]
> before = iptables-blocktype.conf
> [Definition]
> actionstart = iptables -N fail2ban-<name>
>               iptables -A fail2ban-<name> -j RETURN
>               iptables -I <chain> -p <protocol> -j fail2ban-<name>
> actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
>              iptables -F fail2ban-<name>
>              iptables -X fail2ban-<name>
> actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
> actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
> [Init]
> name = default
> protocol = all
> chain = INPUT
>
> /etc/fail2ban/action.d/sendmail-whois-lines.conf changed:
> [INCLUDES]
> before = sendmail-common.conf
> [Definition]
> actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
>               Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
>               From: <sendername> <<sender>>
>               To: <dest>\n
>               Hi,\n
>               The jail <name> has been started successfully.\n
>               Regards,\n
>               Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
> actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
>              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
>              From: <sendername> <<sender>>
>              To: <dest>\n
>              Hi,\n
>              The jail <name> has been stopped.\n
>              Regards,\n
>              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
> actioncheck =
> actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
>             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
>             From: <sendername> <<sender>>
>             To: <dest>\n
>             Hi,\n
>             The IP <ip> has just been banned by Fail2Ban after
>             <failures> attempts against <name>.\n\n
>             Here is more information about <ip>:\n
>             `/usr/bin/whois <ip> || echo missing whois program`\n\n
>             Lines containing IP:<ip> in <logpath>\n
>             `egrep '[^0-9]<ip>([^0-9]|$)' <logpath>`\n\n
>             Regards,\n
>             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
> actionunban =
> [Init]
> name = default
> logpath = /dev/null
>
> /etc/fail2ban/filter.d/asterisk.conf changed:
> [INCLUDES]
> before = common.conf
> [Definition]
> _daemon = asterisk
> __pid_re = (?:\[\d+\])
> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
>
>             ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
> ignoreregex =
>
> -- no debconf information

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik
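The grep comparison from the report and the reply, as an added example that is not part of the bug report or of fail2ban's own configuration files: it replays the shipped `<logpath>` pattern and both proposed fixes over a constructed fail2ban.log excerpt (the IP and log lines are constructed, GNU grep is assumed), and the last function goes beyond the page by escaping the dots in `<ip>` so the address is matched literally.

```shell
#!/bin/sh
# Added example, not part of the bug report or of fail2ban's own files.
# It replays the <logpath> grep from sendmail-whois-lines.conf over a
# constructed fail2ban.log excerpt to show why the recidive "Ban" line,
# which ends with the IP, is missed by the shipped pattern but found by
# both fixes discussed above. Assumes GNU grep (\| in basic regexes).

IP='192.0.2.10'   # constructed address from the documentation range

# Constructed excerpt: IP mid-line, IP at end of line (recidive ban),
# a longer IP sharing the prefix, and a line where the unescaped dots
# of <ip> match arbitrary characters.
SAMPLE_LOG='2014-04-14 09:59:58,101 fail2ban.filter: INFO Found 192.0.2.10 - 2014/04/14 09:59:58
2014-04-14 10:00:02,456 fail2ban.actions: WARNING [recidive] Ban 192.0.2.10
2014-04-14 10:00:03,789 fail2ban.actions: WARNING [sshd] Ban 192.0.2.100
2014-04-14 10:00:04,012 fail2ban.filter: DEBUG token 192a0b2c10 ignored'

# Shipped pattern: requires a non-digit AFTER the IP, so an IP at end of line never matches.
count_original() { printf '%s\n' "$SAMPLE_LOG" | grep -c "[^0-9]$1[^0-9]" || true; }

# Fix from the report: extended regex alternating non-digit with end of line.
# grep -E is what egrep invokes; used here so no separate egrep binary is needed.
count_extended() { printf '%s\n' "$SAMPLE_LOG" | grep -Ec "[^0-9]$1([^0-9]|$)" || true; }

# Fix from the reply: the same alternation in basic-regex syntax (GNU \| extension).
count_basic() { printf '%s\n' "$SAMPLE_LOG" | grep -c "[^0-9]$1\([^0-9]\|$\)" || true; }

# Beyond the page: escape the dots so <ip> matches only the literal address.
count_escaped() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$SAMPLE_LOG" | grep -c "[^0-9]$esc\([^0-9]\|$\)" || true
}

echo "original: $(count_original "$IP")"   # 2: mid-line hit plus the 192a0b2c10 false positive
echo "extended: $(count_extended "$IP")"   # 3: also the recidive end-of-line ban
echo "basic:    $(count_basic "$IP")"      # 3
echo "escaped:  $(count_escaped "$IP")"    # 2: mid-line hit and the recidive ban only
```

The 192.0.2.100 line is never counted because the `[^0-9]` guards reject the trailing digit, while the dotted-wildcard false positive only disappears once the dots are escaped.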