Dumitru

Reputation: 841

fail2ban <HOST> regex alias explanation

I've set up fail2ban to protect a host, and I've noticed this piece of information

#_daemon = asterisk                                                                            

# Option:  failregex                                                                   
# Notes.:  regex to match the password failures messages in the logfile. The           
#          host must be matched by a group named "host". The tag "<HOST>:.*" can       
#          be used for standard IP/hostname matching and is only an alias for          
#          (?:::f{4,6}:)?(?P<host>\S+)                                                  
# Values:  TEXT

How does the (?:::f{4,6}:)?(?P<host>\S+) regex work? I've been trying it in a few different regex checkers and explainers and none could parse it, at least the (?P<host>\S+) part.

Upvotes: 6

Views: 6505

Answers (2)

zx81

Reputation: 41838

It can match strings like ::ffff:The_Host, but the ::ffff: part is optional. The The_Host part is captured to a capture group called host.

If there are more than 6 f letters, the whole thing becomes the host!

In the demo, you can see some matches. In the right pane, you can see the capture groups for each match.

Upvotes: 3

hank

Reputation: 3768

(?P<name>regex) Captures the text matched by "regex" into the group "name". The name can contain letters and numbers but must start with a letter.

http://www.regular-expressions.info/refext.html

(?:::f{4,6}:)?(?P<host>\S+)


Upvotes: 2
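
As an added example (not part of either answer and not fail2ban's own code), the Python below expands the <HOST> tag with the alias quoted in the question and runs the result over constructed log lines, showing the named group, the optional ::ffff: prefix and the more-than-six-f case. The `login failed from ... port` failregex, the sample lines and the helper names are assumptions made for illustration.

```python
import ipaddress
import re

# Alias exactly as quoted in the filter comment in the question.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Hypothetical failregex for a made-up log format (assumption, not a shipped filter).
FAILREGEX = r"login failed from <HOST> port \d+$"


def expand_failregex(failregex):
    """Replace the <HOST> tag with the alias and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def extract_host(pattern, line):
    """Return what the named group 'host' captured, or None when the line does not match."""
    match = pattern.search(line)
    return match.group("host") if match else None


def is_ip(text):
    """True only if the captured token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


PATTERN = expand_failregex(FAILREGEX)

# Constructed sample lines.
SAMPLES = [
    "login failed from 203.0.113.7 port 4022",            # plain IPv4
    "login failed from ::ffff:203.0.113.7 port 4022",     # prefix eaten by (?:...)?
    "login failed from ::fffffff:203.0.113.7 port 4022",  # 7 f's: prefix cannot match
    "login failed from gateway.example port 4022",        # \S+ also takes hostnames
    "session opened for 203.0.113.7",                     # not a failure line
]

if __name__ == "__main__":
    for line in SAMPLES:
        host = extract_host(PATTERN, line)
        print(f"{line!r:55} host={host!r} ip={host is not None and is_ip(host)}")
```

Because \S+ accepts any run of non-whitespace, the literal text around <HOST> in the failregex is what bounds the capture, and a captured token can be checked with `ipaddress` before it is acted on.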
