Hello, I upgraded from Debian Wheezy to Jessie (now fail2ban 0.8.13-1) and I think there is a bug in the __prefix_line regex. I made my own firewall using iptables that logs to /var/log/kern.log. This is an example log line:
Jan 9 11:06:43 s4 kernel: [99466.373996] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:08:00 SRC=151.233.114.18 DST=172.31.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=25951 PROTO=TCP SPT=32410 DPT=7547 WINDOW=5840 RES=0x00 SYN URGP=0

and this is my regex to match that line:

failregex = ^%(__prefix_line)s\[MYFW BLOCK] IN=eth0 .* SRC=<HOST>

In the Wheezy version (0.8.6-3wheezy3) the match was ok. In Jessie this does not work. The difference is in common.conf:

Wheezy:
__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

Jessie:
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

As a workaround I created a common.local with the old prefix_line.

--
Best regards
Jochen Fahrner
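The comparison described in the post, as an added example (not part of the original message and not fail2ban's own code): it expands both quoted __prefix_line definitions into the poster's failregex and runs them against the sample log line. The sub-patterns in COMMON, the IPv4-only stand-in for <HOST>, and the timestamp stripping are assumptions that the post does not show.

```python
import re

# Assumed sub-patterns, written from memory of fail2ban 0.8.x common.conf
# (the post does not quote them); compare with your installed file.
COMMON = {
    "_daemon": r"\S*",
    "__pid_re": r"(?:\[\d+\])",
    "__daemon_re": r"[\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?",
    "__daemon_extra_re": r"(?:\[ID \d+ \S+\])",
    "__daemon_combs_re": r"(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)",
    "__kernel_prefix": r"kernel: \[ *\d+\.\d+\]",
    "__hostname": r"\S+",
    "__bsd_syslog_verbose": r"(<[^.]+\.[^.]+>)",
}
# The two __prefix_line definitions and the failregex exactly as quoted in the post.
WHEEZY = (r"\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?"
          r"%(__daemon_combs_re)s?\s*")
JESSIE = (r"\s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?"
          r"(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*")
FAILREGEX = r"^%(__prefix_line)s\[MYFW BLOCK] IN=eth0 .* SRC=<HOST>"
# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Sample log line from the post.
LOG_LINE = ("Jan 9 11:06:43 s4 kernel: [99466.373996] [MYFW BLOCK] IN=eth0 OUT= "
            "MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:08:00 SRC=151.233.114.18 "
            "DST=172.31.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=25951 PROTO=TCP "
            "SPT=32410 DPT=7547 WINDOW=5840 RES=0x00 SYN URGP=0")


def expand(template, variables):
    """Resolve %(name)s references until none are left."""
    ref = re.compile(r"%\((\w+)\)s")
    while ref.search(template):
        template = ref.sub(lambda m: variables[m.group(1)], template)
    return template


def blocked_host(prefix_line, line=LOG_LINE):
    """Return the captured SRC address, or None when the failregex misses."""
    variables = dict(COMMON, __prefix_line=prefix_line)
    pattern = expand(FAILREGEX, variables).replace("<HOST>", HOST)
    # Assumption: the recognised timestamp is removed before the failregex runs.
    body = re.sub(r"^\w{3} +\d+ \d\d:\d\d:\d\d", "", line)
    match = re.search(pattern, body)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, prefix in (("Wheezy", WHEEZY), ("Jessie", JESSIE)):
        print(name, "->", blocked_host(prefix))
```

Under these assumed definitions the part that decides the result is the unconditional `\s` between `%(__daemon_combs_re)s?` and `%(__daemon_extra_re)s?` in the Jessie pattern: the kernel prefix group has already consumed the single space in front of `[MYFW BLOCK]`, so nothing is left for it to match. On a real system, `fail2ban-regex` run against the log file and the filter file gives the same comparison with the installed definitions.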