-------- Original Message --------
*Subject: *  Re: [Fail2ban-users] fail2ban-regex maches, but fail2ban does not
*From: *     Darac Marjal <mailingl...@darac.org.uk>
*To: *         Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: *      2023-4-17  04:06 PM
You might be running into escaping problems here. For instance, if you wanted to match a single character of whitespace, regex101.com would tell you it's '\s'. However, if you pass this to fail2ban-regex on the command line, you'd find that it doesn't match. That's because the shell sees the backslash first (before fail2ban-regex) and interprets \s as a special character. To be safe, you'd have to write '\\s' on the command line (the first backslash escapes the second backslash and so fail2ban-regex actually sees the two characters of "\" and "s").

For this reason, it is safer to pass either a filename or a filter name to the REGEX argument of fail2ban-regex. This way, you're avoiding any shell-escaping issues AND the file that you end up testing SHOULD be read by fail2ban in the same way as fail2ban-regex (if not, raise a bug report?)


Yes, I run fail2ban-regex against the file.

Here is a test:

Fail2Ban v0.10.2


#*******


[testing]
enabled = true
port     = smtp,submission
logpath = /var/log/fail2ban-jail-testing.log
maxretry = 1
findtime  = 7776000
bantime = 86400
# Used for testing and or running against older logs

#******



#******
cat > /etc/fail2ban/filter.d/testing.conf << "EOF"
# Use this for testing different jail config settings without having to mess up other jail configs.

[Init]
badbots = rejected: not logged in|rejected due to: SPF|rejected: cannot find your hostname


[Definition]
failregex = postfix.+\[<HOST>\]:.+(<badbots>)


ignoreregex =


EOF



#******



echo "" > /var/log/fail2ban-jail-testing.log
fail2ban-client reload


#******

cat >> /var/log/fail2ban-jail-testing.log << "EOF"
Apr 17 00:13:04 server1 postfix/smtpd[5853]: NOQUEUE: reject: RCPT from unknown[112.66.247.192]: 550 5.7.25 Client host rejected: cannot find your hostname, [112.66.247.192]; from=<luyfgy...@jdt.com> to=<i...@waynesallee.com> proto=ESMTP helo=<jdt.com>
Apr 17 08:38:43 server1 postfix/smtpd[16270]: NOQUEUE: reject: RCPT from unknown[201.231.6.140]: 550 5.7.23 <aqainservidormail4...@gmx.net>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail4...@gmx.net;ip=201.231.6.140;r=<UNKNOWN>; from=<aqainservidormail4...@gmx.net> to=<wa...@waynesallee.com> proto=ESMTP helo=<18-6-231-201.fibertel.com.ar>
Apr 16 03:01:25 server1 postfix/smtpd[7517]: NOQUEUE: reject: RCPT from unknown[192.3.195.171]: 550 5.7.25 Client host rejected: cannot find your hostname, [192.3.195.171]; from=<jess...@funguselixirs.life> to=<wa...@waynespets.com> proto=ESMTP helo=<x86aw0.funguselixirs.life>
Apr 16 08:59:23 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>
Apr 16 09:00:34 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>
Apr 16 09:36:52 server1 postfix/smtpd[19475]: NOQUEUE: reject: RCPT from unknown[61.160.195.39]: 550 5.7.25 Client host rejected: cannot find your hostname, [61.160.195.39]; from=<kbml...@gmail.com> to=<wayneacont...@waynesallee.com> proto=ESMTP helo=<mail.lshou.com>
Apr 16 11:00:07 server1 postfix/smtpd[25927]: NOQUEUE: reject: RCPT from unknown[190.232.178.104]: 553 5.7.1 <wa...@waynesallee.com>: Sender address rejected: not logged in; from=<wa...@waynesallee.com> to=<wa...@waynesallee.com> proto=ESMTP helo=<[190.232.178.104]>
Apr 16 12:34:19 server1 postfix/smtpd[27334]: NOQUEUE: reject: RCPT from unknown[50.3.238.76]: 550 5.7.25 Client host rejected: cannot find your hostname, [50.3.238.76]; from=<news@ketolife.click> to=<wa...@waynesallee.com> proto=ESMTP helo=<ketolife.click>
EOF

#******


#******
fail2ban-regex /var/log/fail2ban-jail-testing.log /etc/fail2ban/filter.d/testing.conf

Lines: 8 lines, 0 ignored, 8 matched, 0 missed


#*****
tail -F -n 100 /var/log/fail2ban.log

2023-04-19 11:13:58,417 fail2ban.server         [3824]: INFO Reload finished.

Nothing ever shows up about the test.

#*****



Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
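The following is an added example, not part of the thread and not fail2ban's own code. It replays the posted testing.conf filter over the eight posted log lines in plain Python: the [Init] value is substituted for <badbots> and a stand-in pattern for <HOST> (an assumption, approximating fail2ban's expansion for the IPv4 literals in the sample), each line is reported with the host it captures and the alternative that hit, and the findtime cut-off fail2ban applies to a line's timestamp is checked against a reference time taken from the posted "Reload finished." log line (also an assumption). It also shows, via POSIX shell word-splitting, what the REGEX argument looks like by the time fail2ban-regex receives it for the quotings of \s discussed in the quoted message.

```python
"""Added example (not from the mailing-list thread, not fail2ban's code):
replay the posted filter over the posted log lines, apply the findtime
cut-off, and show what a POSIX shell hands a program for '\s' quotings."""
import re
import shlex
from datetime import datetime, timedelta

# [Init] value copied from the posted filter.d/testing.conf (joined onto one line).
INIT_VARS = {
    "badbots": "rejected: not logged in|rejected due to: SPF|rejected: cannot find your hostname",
}

# failregex copied from the posted filter, before fail2ban's tag expansion.
FAILREGEX = r"postfix.+\[<HOST>\]:.+(<badbots>)"

# Stand-in for fail2ban's <HOST> expansion (assumption: close enough to the
# real one for the dotted-quad IPv4 literals in the sample).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Reference "now", taken from the posted "Reload finished." line (assumption).
REFERENCE_NOW = datetime(2023, 4, 19, 11, 13, 58)

# The eight entries the post appends to /var/log/fail2ban-jail-testing.log,
# one per line; addresses are as redacted in the post.
SAMPLE_LOG = [
    "Apr 17 00:13:04 server1 postfix/smtpd[5853]: NOQUEUE: reject: RCPT from unknown[112.66.247.192]: 550 5.7.25 Client host rejected: cannot find your hostname, [112.66.247.192]; from=<luyfgy...@jdt.com> to=<i...@waynesallee.com> proto=ESMTP helo=<jdt.com>",
    "Apr 17 08:38:43 server1 postfix/smtpd[16270]: NOQUEUE: reject: RCPT from unknown[201.231.6.140]: 550 5.7.23 <aqainservidormail4...@gmx.net>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=aqainservidormail4...@gmx.net;ip=201.231.6.140;r=<UNKNOWN>; from=<aqainservidormail4...@gmx.net> to=<wa...@waynesallee.com> proto=ESMTP helo=<18-6-231-201.fibertel.com.ar>",
    "Apr 16 03:01:25 server1 postfix/smtpd[7517]: NOQUEUE: reject: RCPT from unknown[192.3.195.171]: 550 5.7.25 Client host rejected: cannot find your hostname, [192.3.195.171]; from=<jess...@funguselixirs.life> to=<wa...@waynespets.com> proto=ESMTP helo=<x86aw0.funguselixirs.life>",
    "Apr 16 08:59:23 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>",
    "Apr 16 09:00:34 server1 postfix/smtpd[18038]: NOQUEUE: reject: RCPT from unknown[103.38.102.226]: 550 5.7.23 <sa...@waynesallee.com>: Sender address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sa...@waynesallee.com;ip=103.38.102.226;r=<UNKNOWN>; from=<sa...@waynesallee.com> to=<sa...@waynesallee.com> proto=ESMTP helo=<ip-103.38.102.226.laxo.net.id>",
    "Apr 16 09:36:52 server1 postfix/smtpd[19475]: NOQUEUE: reject: RCPT from unknown[61.160.195.39]: 550 5.7.25 Client host rejected: cannot find your hostname, [61.160.195.39]; from=<kbml...@gmail.com> to=<wayneacont...@waynesallee.com> proto=ESMTP helo=<mail.lshou.com>",
    "Apr 16 11:00:07 server1 postfix/smtpd[25927]: NOQUEUE: reject: RCPT from unknown[190.232.178.104]: 553 5.7.1 <wa...@waynesallee.com>: Sender address rejected: not logged in; from=<wa...@waynesallee.com> to=<wa...@waynesallee.com> proto=ESMTP helo=<[190.232.178.104]>",
    "Apr 16 12:34:19 server1 postfix/smtpd[27334]: NOQUEUE: reject: RCPT from unknown[50.3.238.76]: 550 5.7.25 Client host rejected: cannot find your hostname, [50.3.238.76]; from=<news@ketolife.click> to=<wa...@waynesallee.com> proto=ESMTP helo=<ketolife.click>",
]

# Leading syslog timestamp: month name, day (one or two digits), time; no year.
SYSLOG_STAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def expand_failregex(failregex, init_vars):
    """Substitute filter variables such as <badbots>, then the built-in <HOST> tag."""
    for name, value in init_vars.items():
        failregex = failregex.replace(f"<{name}>", value)
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_lines(lines, failregex=FAILREGEX, init_vars=INIT_VARS):
    """Return one (host, reason) tuple per line, or None where the failregex misses."""
    regex = expand_failregex(failregex, init_vars)
    results = []
    for line in lines:
        m = regex.search(line)
        # The posted regex's last capture group is the (<badbots>) alternative that hit.
        results.append((m.group("host"), m.groups()[-1]) if m else None)
    return results


def within_findtime(line, now, findtime, year):
    """fail2ban ignores entries stamped earlier than now - findtime; syslog
    stamps carry no year, so the caller supplies the one fail2ban would assume."""
    m = SYSLOG_STAMP.match(line)
    if not m:
        return False
    stamp = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    return stamp >= now - timedelta(seconds=findtime)


def regex_arg_as_seen_by_program(cmdline):
    """The last argv element after POSIX shell word-splitting and quote removal."""
    return shlex.split(cmdline)[-1]


if __name__ == "__main__":
    hits = match_lines(SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)} lines, {sum(h is not None for h in hits)} matched")
    for line, hit in zip(SAMPLE_LOG, hits):
        # findtime = 7776000 is the value in the posted [testing] jail.
        print(hit, "in findtime:", within_findtime(line, REFERENCE_NOW, 7776000, 2023))
    for form in (r"\s", r"'\s'", r'"\s"', r"'\\s'"):
        print(form, "->", repr(regex_arg_as_seen_by_program("fail2ban-regex x.log " + form)))
```

Running it reports all eight lines matched with the client IP as the host and one of the three badbots alternatives as the reason, mirroring the "8 matched, 0 missed" result from fail2ban-regex, and shows every line inside the 90-day findtime window relative to the reference time; shrinking findtime to a few minutes drops them all, which is the kind of silent non-match the jail side can produce while fail2ban-regex, which does no time filtering, still reports a hit.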
