Gretta Keldermann

Reputation: 33

Fail2ban regex doesn't match (no sense!)

Here's a log:

[1617620801] [0.0042] [domain.com] [#5006616] [269] [3] [(ip removed)] [403] [GET] [/study/index.php] [SQL injection] [hex:4745543a61203d203b2044524f50205441424c45203c]
[1617621606] [0.00205] [domain.com] [#2926762] [0] [2] [(ip removed)] [403] [POST] [hex:2f786d6c7270632e706870]

My regex has the following pattern:

failregex = \[.*] \[.*] \[.*] \[.*] \[.*] \[(3)] \[<HOST>] \[.*] \[.*] \[.*]

However, if I change the \[3] to \[2] it can find the second one. If I change it to \[.*] it finds both of them.

Regex testing websites show that it is supposed to work. I have no idea why it doesn't find the [3]!

Upvotes: 0

Views: 156

Answers (1)

Wiktor Stribiżew

Reputation: 626804

Correct, it won't work due to catastrophic backtracking.

You need to

  • Replace all \[.*] with \[[^][]*]
  • In case there can be more than one space between [...], use + or \s+ instead of literal spaces.

You can use something like

\[[^][]*]\s+\[[^][]*]\s+\[[^][]*]\s+\[[^][]*]\s+\[[^][]*]\s+\[(3)]\s+\[<HOST>]\s+\[[^][]*]\s+\[[^][]*]\s+\[[^][]*]

See the regex demo.

Upvotes: 1
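
Added example (not from the question or the answer): the two field patterns applied with Python's `re` to the question's log lines, reporting how many log fields each bracket group consumed. The `HOST` expression is a simplified IPv4 stand-in for fail2ban's `<HOST>` tag, and the IP addresses are constructed.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def build(field, sep):
    """Assemble the page's layout: 5 fields, level [3], host, 3 more fields."""
    f = r"\[(" + field + r")]"
    parts = [f] * 5 + [r"\[(3)]", r"\[" + HOST + r"]"] + [f] * 3
    return re.compile(sep.join(parts))

LOOSE = build(r".*", " ")           # field pattern from the question
STRICT = build(r"[^][]*", r"\s+")   # field pattern from the answer

# Log lines from the question; the IPs are constructed (documentation range).
LINES = [
    "[1617620801] [0.0042] [domain.com] [#5006616] [269] [3] [203.0.113.10] "
    "[403] [GET] [/study/index.php] [SQL injection] "
    "[hex:4745543a61203d203b2044524f50205441424c45203c]",
    "[1617621606] [0.00205] [domain.com] [#2926762] [0] [2] [203.0.113.11] "
    "[403] [POST] [hex:2f786d6c7270632e706870]",
]

def inspect(pattern, line):
    """Return host, captured groups and log fields covered per group, or None."""
    m = pattern.search(line)
    if m is None:
        return None
    groups = list(m.groups())
    return {
        "host": m.group("host"),
        "groups": groups,
        # A group that contains '[' has run across a field boundary.
        "fields_per_group": [g.count("[") + 1 for g in groups],
    }

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        for line in LINES:
            r = inspect(pat, line)
            print(name, None if r is None else (r["host"], r["fields_per_group"]))
```

With `.*` the first group after the host runs across three log fields, while `[^][]*` keeps every group inside one pair of brackets. `fail2ban-regex` remains the tool for checking a filter against the real log.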
