adjuzy

Reputation: 581

No matches in fail2ban regex

I am using fail2ban to try to block any IP that gets multiple failed logins. A failed login is recorded in our application log as "/login.html?success=no".

I have created a fail2ban .conf, but I can't get it to find any matches; however, when I use this site, it highlights the line fine. My .conf looks like so:

[Definition]

failregex = .*<HOST>.*login\.html\?success=no

ignoreregex =

But when I run "fail2ban-regex" to test it, it doesn't find any matches:

fail2ban-regex test.log /etc/fail2ban/filter.d/nginx-test.conf

Results
=======
Failregex: 0 total
Ignoreregex: 0 total

The log file I am using looks like:

2017/10/03 10:11:53 [error] 14870#14870: *51 access forbidden by rule, client: 1.2.3.4, server: example.com, request: "GET /robots.txt HTTP/1.1", host: "example.com"
2017/10/03 10:11:53 [warn] 14870#14870: *50 delaying request, excess: 0.545, by zone "base", client: 1.2.3.4, server: example.com, request: "GET /login.html?success=no HTTP/1.1", host: "example.com", referrer: "https://example.com/"

Upvotes: 1

Views: 1215

Answers (1)

adjuzy

Reputation: 581

My regex needed to be:

.*client: <HOST>.*request: "GET \/login\.html\?success=no HTTP/1.1"

Thanks to @melpomene for pointing me in the right direction; my <HOST> wasn't even pointing at the IP.

Upvotes: 1
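An added example, not part of the original post: it expands `<HOST>` in both regexes and shows what each one actually captures on the two log lines from the question. `HOST_PATTERN` is an assumed, simplified stand-in for the hostname-or-IP pattern fail2ban substitutes for `<HOST>`; the helper names are hypothetical.

```python
import ipaddress
import re

# Assumption: simplified stand-in for the hostname-or-IP pattern that
# fail2ban substitutes for the <HOST> tag (the real one varies by version).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two log lines from the question.
LOG_LINES = [
    '2017/10/03 10:11:53 [error] 14870#14870: *51 access forbidden by rule, client: 1.2.3.4, server: example.com, request: "GET /robots.txt HTTP/1.1", host: "example.com"',
    '2017/10/03 10:11:53 [warn] 14870#14870: *50 delaying request, excess: 0.545, by zone "base", client: 1.2.3.4, server: example.com, request: "GET /login.html?success=no HTTP/1.1", host: "example.com", referrer: "https://example.com/"',
]

ORIGINAL = r".*<HOST>.*login\.html\?success=no"
FIXED = r'.*client: <HOST>.*request: "GET \/login\.html\?success=no HTTP/1.1"'


def captured_host(failregex, line):
    """Return the text captured by <HOST>, or None if the line does not match."""
    match = re.search(failregex.replace("<HOST>", HOST_PATTERN), line)
    return match.group("host") if match else None


def is_ip(value):
    """True only if the captured text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit(failregex, lines=LOG_LINES):
    """List (captured host, is it an IP?) for every line the regex matches."""
    results = []
    for line in lines:
        host = captured_host(failregex, line)
        if host is not None:
            results.append((host, is_ip(host)))
    return results


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, audit(regex))
```

With the unanchored regex the greedy leading `.*` pushes `<HOST>` as far right as it can, so it lands on the last letter of `GET` rather than on the client address; anchoring on the literal `client: ` pins the capture to the IP field.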
