
Bug#491253: marked as forwarded (fail2ban: all regexes fail)

Subject: Bug#491253: marked as forwarded fail2ban: all regexes fail
From: Debian Bug Tracking System
Date: Fri, 18 Jul 2008 02:18:03 +0000
Your message dated Thu, 17 Jul 2008 22:15:53 -0400
with message-id <[email protected]>
has caused the report #491253,
regarding fail2ban: all regexes fail
to be marked as having been forwarded to the upstream software
author(s) Andrew Schulman <[email protected]>, Cyril Jaquier 
<[email protected]>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]

491253: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491253
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Re: Bug#491253: fail2ban: all regexes fail
From: Yaroslav Halchenko
Date: Thu, 17 Jul 2008 22:15:53 -0400
seems to be a problem of unknown time format... unknown for
auto-detection, so you would need to craft regex for it + time
definition for python's time. Or just wait for upstream to follow-up (I
am CCing Cyril)

I am trying with fail2ban-regex, and there is also imho a bit wrong
logic. It doesn't even seem to report a match for failregex now if the
datestamp is not recognized:

        def processLine(self, line):
                try:
                        # Decode line to UTF-8
                        l = line.decode('utf-8')
                except UnicodeDecodeError:
                        l = line
                timeMatch = self.dateDetector.matchTime(l)
                if not timeMatch:
                        # There is no valid time in this line
                        return []

On Thu, 17 Jul 2008, Andrew Schulman wrote:

> Package: fail2ban
> Version: 0.8.2-3
> Severity: important

> Hi.  I'm trying to develop a new filter rule for SSL Explorer.  A
> typical authentication failure in
> /opt/sslexplorer/logs/sslexplorer.log looks like this:

> 17-07-2008 17:23:25 [main-6] ERROR LogonAction - [] authentication failed

> Seems simple enough to match:

> failregex = \[<HOST>\] authentication failed

> But neither this, nor in fact any other regex that I can think to try
> so far, works.  All of the following result in 'Sorry, no match':

> line='17-07-2008 17:23:25 [main-6] ERROR LogonAction - [] authentication failed'
> fail2ban-regex "$line" '\[<HOST>\]'
> fail2ban-regex "$line" '^.*\[<HOST>\]'
> fail2ban-regex "$line" '<HOST>'

> In fact, AFAICT all regexes fail in all cases:  even

> fail2ban-regex '' '(?P<host>.*)'

> results in 'Sorry, no match' on my host.

> At this point I'm completely out of ideas about what I'm doing wrong
> or how to make any regexes match.  Any help would be greatly
> appreciated.

> Thanks,
> Andrew.

> -- System Information:
> Debian Release: lenny/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (300, 'unstable'), (200, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)

> Kernel: Linux 2.6.24 (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
> Shell: /bin/sh linked to /bin/bash

> Versions of packages fail2ban depends on:
> ii  lsb-base                      3.2-12     Linux Standard Base 3.2 init scrip
> ii  python                        2.5.2-1    An interactive high-level object-o
> ii  python-central                0.6.7      register and build utility for Pyt

> Versions of packages fail2ban recommends:
> ii  iptables                      1.4.0-1    administration tools for packet fi
> ii  whois                         4.7.26     the GNU whois client

> -- no debconf information

Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        

--- End Message ---
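
The behaviour discussed in the message above, as an added example (a simplified model, not fail2ban's code and not part of the thread): the timestamp check gates the failregex test, so the reported line yields nothing until a regex plus strptime format for its DD-MM-YYYY stamp is registered. The template list, the `<HOST>` expansion and the address 192.0.2.10 are assumptions made for the illustration.

```python
import re
import time

# Each template pairs a regex that locates the timestamp with the strptime
# format that parses it. Illustrative list (assumption), not fail2ban's own.
KNOWN_TEMPLATES = [
    (re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"), "%b %d %H:%M:%S"),
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%Y-%m-%d %H:%M:%S"),
]
# Template for the SSL Explorer stamp in the report (DD-MM-YYYY HH:MM:SS).
SSLEXPLORER_TEMPLATE = (
    re.compile(r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"), "%d-%m-%Y %H:%M:%S")

# Simplified stand-in for the <HOST> tag expansion (assumption).
HOST_GROUP = r"(?P<host>\S+)"


def match_time(line, templates):
    """Return a struct_time from the first template that parses, else None."""
    for regex, fmt in templates:
        m = regex.search(line)
        if m:
            try:
                return time.strptime(m.group(0), fmt)
            except ValueError:
                continue  # looked like a date but did not parse; try the next
    return None


def process_line(line, failregex, templates):
    """Same gate as above: no recognised timestamp, no failregex test."""
    stamp = match_time(line, templates)
    if stamp is None:
        return []
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return [(m.group("host"), stamp)] if m else []


# Constructed sample: the report's line with a documentation-range address.
SAMPLE = ("17-07-2008 17:23:25 [main-6] ERROR LogonAction - "
          "[192.0.2.10] authentication failed")
FAILREGEX = r"\[<HOST>\] authentication failed"

if __name__ == "__main__":
    print(process_line(SAMPLE, FAILREGEX, KNOWN_TEMPLATES))
    print(process_line(SAMPLE, FAILREGEX,
                       KNOWN_TEMPLATES + [SSLEXPLORER_TEMPLATE]))
```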