Reputation: 439
I'm having trouble converting a log string related to a VNC server and client interaction, so that I can ban certain IPs with the use of fail2ban.
The problematic string in the logs of the VNC is the following:
** (vino-server:28986): WARNING **: 01:02:54.300: VNC authentication failure from '888.88.9.999.dynamic.whatever.net'
That is the exact string I need to match (with all the parentheses, asterisks...), obviously telling the following fail2ban command where the host is.
WHAT I HAVE TRIED SO FAR:
Command to do checks: fail2ban-regex "log line" "failregex"
fail2ban-regex "00:19:51.297: VNC authentication failure from 'server-185-153-197-251.cloudedic.net'" "VNC authentication failure from '<HOST>'"
It works; but the log line string is not the same as in the logs.
When using the exact log line, I fail constantly:
fail2ban-regex "** (vino-server:11241): WARNING **: 00:19:51.297: VNC authentication failure from 'server-185-153-197-251.cloudedic.net'" "authentication failure from '<HOST>'"
Is it something related to not understanding how the failregex expression should be put?
Is it something associated with having special characters within the log file?
Is it an error that I have made with the strings?
If you could help me go in the right direction I would appreciate it so much, so that I can understand more about regex and be able to secure the systems.
Upvotes: 0
Views: 1133
Reputation: 820
This has basically nothing to do with regex; it is more a fail2ban thing. To avoid confusion with expected data, several of its default datepatterns are "anchored" to the beginning of the line (especially the simplest time-only ones, like your format), so you have to specify your own datepattern for that.
This should work for you:
msg="** (vino-server:11241): WARNING **: 00:19:51.297: VNC authentication failure from 'server-185-153-197-251.cloudedic.net'"
fail2ban-regex -d '\s%H:%M:%S\.%f:' "$msg" "authentication failure from '<HOST>'"
Note that fail2ban will cut out the part of the message matching datepattern before the failregex search starts, so a failregex anchored at the start of the line for your log excerpt looks like:
fail2ban-regex -d '\s%H:%M:%S\.%f:' "$msg" "^\*\* \(\S+\): WARNING \*\*: VNC authentication failure from '<HOST>'"
Also note that in fail2ban config files you have to write the %-character as %%, so it would look like this:
datepattern = \s%%H:%%M:%%S\.%%f:
Upvotes: 1
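To make the two points in the answer concrete (the default time-only datepattern is anchored to the start of the line, and the matched date text is cut out before failregex is searched), here is a small Python simulation of that matching order. It is an added example, not code from the question, the answer or the fail2ban project: the token table, the <HOST> expansion (the classic fail2ban one; newer releases use a longer expression) and the "no timestamp means no failure" rule are simplifying assumptions, and the sample log lines are constructed from the format shown in the question.

```python
import re

# Added example (not from the question or the answer): a small simulation of
# how fail2ban applies datepattern and failregex, so the effect of the anchored
# default date pattern and of the "cut out the date before failregex" step can
# be seen without a running fail2ban. It is NOT fail2ban's own code.

# strftime-style tokens fail2ban understands in a datepattern, reduced to the
# ones this log format needs. The regexes are an assumption modelled on
# fail2ban's own tables, kept simple on purpose.
DATE_TOKENS = {
    "%H": r"(?P<H>\d{2})",
    "%M": r"(?P<M>\d{2})",
    "%S": r"(?P<S>\d{2})",
    "%f": r"(?P<f>\d{1,6})",
}

# Expansion of the <HOST> placeholder. This is the classic fail2ban expansion
# (an assumption; newer releases use a longer one covering more IPv6 forms).
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The custom pattern from the answer, in command-line form and in the
# jail.conf / filter.d form where every '%' must be doubled.
VINO_DATEPATTERN = r"\s%H:%M:%S\.%f:"
VINO_DATEPATTERN_CONF = r"\s%%H:%%M:%%S\.%%f:"

# Stand-in for fail2ban's built-in time-only pattern, which is anchored to the
# start of the line (hence the question's "constant failure"). Assumption:
# only the anchoring matters here, not the exact built-in regex.
ANCHORED_DEFAULT_DATEPATTERN = r"^%H:%M:%S\.%f:"

UNANCHORED_FAILREGEX = r"authentication failure from '<HOST>'"
ANCHORED_FAILREGEX = r"^\*\* \(\S+\): WARNING \*\*: VNC authentication failure from '<HOST>'"

# Constructed sample lines in the vino-server format shown in the question
# (PIDs and hostnames are made up); the third one is a non-failure line that
# must not produce a host.
SAMPLE_LINES = [
    "** (vino-server:11241): WARNING **: 00:19:51.297: VNC authentication failure from 'server-185-153-197-251.cloudedic.net'",
    "** (vino-server:28986): WARNING **: 01:02:54.300: VNC authentication failure from '888.88.9.999.dynamic.whatever.net'",
    "** (vino-server:28986): WARNING **: 01:03:10.000: some unrelated warning text",
]


def datepattern_to_regex(datepattern, from_config=False):
    """Turn a fail2ban-style datepattern into a compiled regex.

    With from_config=True the '%%' escaping used in jail.conf/filter.d files
    is undone first, so both spellings give the same regex.
    """
    if from_config:
        datepattern = datepattern.replace("%%", "%")
    for token, regex in DATE_TOKENS.items():
        datepattern = datepattern.replace(token, regex)
    return re.compile(datepattern)


def extract_host(line, datepattern, failregex, from_config=False):
    """Return the host for one log line, or None if it would not count as a failure.

    Mirrors the two steps the answer describes: first the datepattern must
    match somewhere in the line; then the matched date text is cut out and
    failregex is searched against what is left, which is why a failregex
    anchored with '^' must not include the timestamp.
    """
    date_match = datepattern_to_regex(datepattern, from_config).search(line)
    if date_match is None:
        # Simplification: treat "no timestamp found" as "not a failure".
        return None
    remainder = line[:date_match.start()] + line[date_match.end():]
    fail_re = re.compile(failregex.replace("<HOST>", HOST_EXPANSION))
    fail_match = fail_re.search(remainder)
    return fail_match.group("host") if fail_match else None


def scan(lines, datepattern, failregex, from_config=False):
    """Apply extract_host to every line and collect the hosts that matched."""
    hosts = []
    for line in lines:
        host = extract_host(line, datepattern, failregex, from_config)
        if host is not None:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for label, dp in (("anchored default", ANCHORED_DEFAULT_DATEPATTERN),
                      ("custom", VINO_DATEPATTERN)):
        print(label, scan(SAMPLE_LINES, dp, UNANCHORED_FAILREGEX))
    print("anchored failregex", scan(SAMPLE_LINES, VINO_DATEPATTERN, ANCHORED_FAILREGEX))
    print("config form", scan(SAMPLE_LINES, VINO_DATEPATTERN_CONF, ANCHORED_FAILREGEX, from_config=True))
```

Running it shows the anchored default pattern yielding no hosts at all for these lines, while the custom datepattern yields both failure hosts and ignores the unrelated warning; the config-file spelling with %% produces exactly the same regex as the command-line one. Before putting a filter in production, confirm the real behaviour with fail2ban-regex against the actual log file rather than relying on this simulation.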