Levrifon

Reputation: 13

Fail2ban failed to match date format

I'm currently optimizing my fail2ban filter.

Before, my regex was this:

<HOST> \- \- \[.*\] \"(GET|POST) .+ HTTP\/\d\.\d\" 40\d \d{2,5} \"(.*)\" \"(.*)\"$

and it was working for every line that contains a 404 error, like this:

<HOST> - - [16/Aug/2017:14:02:33 +0200] "GET /favicon.ico HTTP/1.1" 404 6494 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

After that I changed:

\[.*\]

to

\[[0-9]{2}\/.{3}\/[0-9]{4}\:([0-9]{2}\:){2}[0-9]{2} \+[0-9]{4}\]

But now it doesn't match anymore with fail2ban, whereas websites like regex101 still recognize the correct pattern! (Don't mind the \HOST; if I didn't put the \ the word was not appearing.)

I tried changing \d to [0-9], / to \/ and : to \:, but Fail2ban always misses the lines and I don't know why.

Is anyone having the same problem? Thanks! :)

Upvotes: 0

Views: 2189

Answers (2)

jeffmcneill

Reputation: 2260

Likely the only pattern needed is:

<HOST> .* 404

This should be tested against actual logs. The fail2ban-regex command line utility is very useful for testing.

Note that there would possibly be false positives, so it would be easier to move the response code after the host, and then have the date/time after that, in which case ^<HOST> 404 would be more precise.

Regarding performance, it seems this would be less error-prone, and as fast as, if not faster than, the much longer one. See the second link below regarding filter performance tips.

Upvotes: 1

Bananaapple

Reputation: 3114

You need to escape the last + and the trailing ]

\[[0-9]{2}/.{3}/[0-9]{4}:([0-9]{2}:){2}[0-9]{2} \+[0-9]{4}\]

Also, possibly, the forward slashes / - depending on that particular regex interpreter.

Upvotes: 0
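
An added check, not part of any post above: fail2ban applies failregex to the line after cutting out the timestamp its date detector found, which is why a pattern that spells out the date can match on regex101 yet never match in fail2ban. The `HOST` and `DATE` patterns below are simplified stand-ins (assumptions, not fail2ban's own regexes), the exact residue left in the line depends on the fail2ban version and datepattern, and the sample IP is constructed.

```python
import re

# Constructed sample: the access-log line from the question with a documentation IP.
LINE = ('192.0.2.10 - - [16/Aug/2017:14:02:33 +0200] "GET /favicon.ico HTTP/1.1" '
        '404 6494 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; '
        'rv:11.0) like Gecko"')

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not its real regex).
HOST = r'(?P<host>\S+)'

# The two failregex variants from the question, sharing the same tail.
TAIL = r' \"(GET|POST) .+ HTTP\/\d\.\d\" 40\d \d{2,5} \"(.*)\" \"(.*)\"$'
OLD = r'<HOST> \- \- \[.*\]' + TAIL
NEW = (r'<HOST> \- \- \[[0-9]{2}\/.{3}\/[0-9]{4}\:([0-9]{2}\:){2}[0-9]{2} '
       r'\+[0-9]{4}\]' + TAIL)

# Hypothetical model of the date detector: Apache timestamp with optional zone.
DATE = re.compile(r'\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}(?: [+-]\d{4})?')


def strip_timestamp(line):
    """Cut the first detected timestamp out of the line before failregex runs."""
    m = DATE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def matches(failregex, line):
    """Expand <HOST> and report whether the failregex matches the line."""
    return re.search(failregex.replace('<HOST>', HOST), line) is not None


def compare(line=LINE):
    """Match both variants against the raw line (what regex101 sees) and
    against the timestamp-stripped line (what failregex sees in this model)."""
    seen = strip_timestamp(line)
    return {
        'old_raw': matches(OLD, line),
        'new_raw': matches(NEW, line),
        'old_stripped': matches(OLD, seen),
        'new_stripped': matches(NEW, seen),
    }


if __name__ == '__main__':
    print(strip_timestamp(LINE))
    for name, hit in compare().items():
        print(f'{name}: {hit}')
```

Running `fail2ban-regex` against the real log file shows the same comparison using the installed version's own date handling.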
