Fail2Ban regex does not match
I'm using fail2ban. For some reason fail2ban refuses to compile my regex. Here are the log lines I need to match:
    root@server1:/etc/fail2ban/filter.d# tail /var/log/apache2/error.log
    [Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: authentication failure "/phpmyadmin/": password mismatch
    [Sun Apr 20 10:40:16 2014] [error] [client 75.144.181.151] user root: authentication failure "/phpmyadmin/": password mismatch
    [Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/
    [Sun Apr 20 10:40:44 2014] [error] [client 75.144.181.151] user pentest not found: /phpmyadmin/
And here is my fail2ban filter.d file:
    root@server1:/etc/fail2ban/filter.d# cat /etc/fail2ban/filter.d/phpmyadmin.conf
    [Definition]
    failregex = [client <HOST>] user .* not found: \/phpmyadmin\/|[client <HOST>] user root: authentication failure "\/phpmyadmin\/":
    ignoreregex =
Here is the regex line from the file above on its own:
    [client <HOST>] user .* not found: \/phpmyadmin\/|[client <HOST>] user root: authentication failure "\/phpmyadmin\/":
Unfortunately the fail2ban log file is giving me the error "Unable to compile regular expression":
    root@server1:/etc/fail2ban# tail /var/log/fail2ban.log
    2014-04-20 10:47:06,788 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
    2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set maxretry = 3
    2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set findtime = 600
    2014-04-20 10:47:06,790 fail2ban.actions: INFO   Set bantime = 600
    2014-04-20 10:47:06,790 fail2ban.filter : ERROR  Unable to compile regular expression '[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)] user .* not found: \/phpmyadmin\/|[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)] user root: authentication failure "\/phpmyadmin\/":'
    2014-04-20 10:47:06,794 fail2ban.jail   : INFO   Jail 'ssh' started
    2014-04-20 10:47:06,799 fail2ban.jail   : INFO   Jail 'pureftpd' started
    2014-04-20 10:47:06,805 fail2ban.jail   : INFO   Jail 'phpmyadmin' started
My regex is at http://regex101.com/r/ku7tx3. What is wrong with it? Any help is appreciated. Thank you.
I would have asked a question in a comment, but I cannot add comments, so I am trying my best to understand the requirement and giving an answer.
Requirement: I think you are looking to filter lines containing "authentication failure "/phpmyadmin/"".
You can try changing the regular expression to the following:
    failregex = .*authentication failure "\/phpmyadmin\/"
You may have to escape the ".
Please add comments if this wasn't the correct understanding.
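To show concretely why the filter in the question fails to compile, here is an added example (not code from the question, the answer or the fail2ban project): it expands <HOST> the way the fail2ban log above shows, compiles the question's failregex and a corrected version with the literal square brackets escaped, and runs the corrected filter over constructed log lines modelled on the Apache excerpt. The corrected version keeps the <HOST> capture, which fail2ban uses to decide which address to ban, and is split into two failregex lines because one pattern may not define the host group twice; the sample addresses are documentation addresses, not the one in the post.

```python
import re

# <HOST> expansion as shown in the fail2ban log excerpt in the question (fail2ban 0.8 era).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The filter from the question: the unescaped leading '[' opens a character class that
# swallows the '(' of the <HOST> group, so the expanded pattern has unbalanced parentheses.
BROKEN_FAILREGEX = [
    r'[client <HOST>] user .* not found: \/phpmyadmin\/|[client <HOST>] user root: authentication failure "\/phpmyadmin\/":',
]

# Same intent with the brackets escaped, as two failregex lines (one 'host' group per pattern).
# The second line accepts any user name, not only root, which generalizes the question's regex.
FIXED_FAILREGEX = [
    r'\[client <HOST>\] user \S+ not found: /phpmyadmin/',
    r'\[client <HOST>\] user \S+: authentication failure "/phpmyadmin/": password mismatch',
]

def compile_failregex(failregex):
    """Expand <HOST> and compile each failregex line on its own, as fail2ban does.
    Returns (patterns, error); error is None when every line compiled."""
    patterns = []
    for line in failregex:
        try:
            patterns.append(re.compile(line.replace("<HOST>", HOST_RE)))
        except re.error as exc:
            return [], "unable to compile regular expression %r: %s" % (line, exc)
    return patterns, None

def matching_hosts(failregex, log_lines):
    """Return the address captured as <host> from every log line that some failregex line matches."""
    patterns, error = compile_failregex(failregex)
    if error:
        raise ValueError(error)
    hosts = []
    for line in log_lines:
        match = next((m for m in (p.search(line) for p in patterns) if m), None)
        if match:
            hosts.append(match.group("host"))
    return hosts

# Constructed sample lines modelled on the Apache error.log excerpt in the question, using
# documentation addresses; the [notice] line must not match.
SAMPLE_LOG = [
    '[Sun Apr 20 10:40:05 2014] [error] [client 203.0.113.7] user root: authentication failure "/phpmyadmin/": password mismatch',
    '[Sun Apr 20 10:40:38 2014] [error] [client 203.0.113.7] user haker not found: /phpmyadmin/',
    '[Sun Apr 20 10:41:02 2014] [error] [client 198.51.100.9] user admin: authentication failure "/phpmyadmin/": password mismatch',
    '[Sun Apr 20 10:41:10 2014] [notice] caught SIGTERM, shutting down',
]
```

Calling compile_failregex(BROKEN_FAILREGEX) returns the same kind of compile error fail2ban logged, while matching_hosts(FIXED_FAILREGEX, SAMPLE_LOG) returns the offending address once per matching line.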