C DV

Reputation: 45

How to make fail2ban failregex work (problem with ".*" ?)?

I'd like to ban via fail2ban anyone generating both these types of lines in my nginx error.log file:

2019/12/15 20:12:12 [error] 640#640: *6 open() "/data/xxxxxx.com/www/50x.html" failed (2: No such file or directory), client: 35.187.45.148, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: x.x.x.x
2019/12/16 13:42:59 [crit] 647#647: *41 connect() to unix:/var/run/php5-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 35.233.78.55, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "x.x.x.x"

I thought these lines would work:

open() .* client: <HOST>

connect() to .* client: <HOST>

But they apparently don't (tested with fail2ban-regex). Here's my complete filter:

[Definition]
failregex = open() .* client: <HOST>
            connect() to .* client: <HOST>
            FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: <HOST>

datepattern = {^LN-BEG}

Note: the last one (FastCGI...) does work. Would something be wrong with ".*"?

Upvotes: 2

Views: 588

Answers (1)

Tim Biegeleisen

Reputation: 521194

Parentheses () are both regex metacharacters, meaning they have a special meaning in regex. For example, here is what your first regex is actually matching:

open .* client:

That is, the () are actually a zero-width capture group, and so are the same as matching nothing at all. Since you are trying to match open followed by a space, you are failing to get a match. Here is the corrected version:

[Definition]
failregex = open\(\) .* client: <HOST>
            connect\(\) to .* client: <HOST>
            FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: <HOST>

datepattern = {^LN-BEG}

Note that if we want to match literal parentheses, we should escape them with backslash.

Upvotes: 2
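To see the difference without running fail2ban-regex, here is an added Python check (not from the question or answer above) that expands the <HOST> placeholder with a simplified stand-in for fail2ban's host pattern (an assumption; the real expansion is more elaborate) and runs the broken and escaped failregex lines against the two log lines from the question:

```python
import re

# Sample nginx error.log lines, constructed from the two lines quoted in the question.
LOG_LINES = [
    '2019/12/15 20:12:12 [error] 640#640: *6 open() "/data/xxxxxx.com/www/50x.html" failed '
    '(2: No such file or directory), client: 35.187.45.148, server: xxxxxx.com, '
    'request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: x.x.x.x',
    '2019/12/16 13:42:59 [crit] 647#647: *41 connect() to unix:/var/run/php5-fpm.sock failed '
    '(2: No such file or directory) while connecting to upstream, client: 35.233.78.55, server: xxxxxx.com, '
    'request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "x.x.x.x"',
]

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption): a named group
# that captures an IP address or hostname token and stops at the following comma.
HOST_RE = r'(?P<host>[\w\-.:]+)'

# The failregex lines as written in the question (unescaped parentheses) ...
BROKEN = [r'open() .* client: <HOST>', r'connect() to .* client: <HOST>']
# ... and as corrected in the answer (parentheses escaped so they match literally).
FIXED = [r'open\(\) .* client: <HOST>', r'connect\(\) to .* client: <HOST>']


def compile_failregex(pattern):
    """Expand the <HOST> placeholder the way fail2ban does and compile the result."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def match_hosts(pattern, lines):
    """Return the host captured by `pattern` for every line it matches (fail2ban-regex style)."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


if __name__ == '__main__':
    for label, patterns in (('broken', BROKEN), ('fixed', FIXED)):
        for pattern in patterns:
            print(f'{label:6} {pattern!r:38} -> {match_hosts(pattern, LOG_LINES)}')
```

The unescaped versions match nothing because `open()` compiles to `open` followed by an empty group, so the regex looks for `open ` (with a space) and never for the literal `open()` in the log.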
