Re: fail2ban regex

To: debian-user-french@lists.debian.org
Subject: Re: fail2ban regex
From: BERTRAND Joël <joel.bertrand@systella.fr>
Date: Fri, 1 May 2020 10:06:16 +0200
Message-id: <[🔎] 06ea99dd-949e-ee25-9c82-6f212e40bfc5@systella.fr>
In-reply-to: <[🔎] 20200501072503.GA3214@bubu.plessy.net>
References: <29494dc9-c07c-8ea7-783d-e3d472fac08b@systella.fr> <d9c04ee2-9238-c9d9-835a-e655261b8c57@proofpoint.com> <d344b168-eda0-f3ee-0c6c-e2a31ba18c79@systella.fr> <[🔎] 20200501072503.GA3214@bubu.plessy.net>

Charles Plessy a écrit :
> Le Thu, Apr 30, 2020 at 12:01:36PM +0200, BERTRAND Joël a écrit :
>>
>> 	Parce que le type est borné, que ça fait des jours que ça dure et que
>> l'IP change régulièrement. Par ailleurs, fail2ban est fait pour cela et
>> j'ai autre chose à faire que de surveiller /var/log/syslog.
> 
> Bonjour Joël,
> 
> as-tu essayé la cellule "récidive" de fail2ban ?
> 
> Amicalement,

	Bonjour,

	Oui, naturellement. Sauf que dans mon cas, ça ne fonctionne pas parce
que le filtre sur TLS ne fonctionne pas.

	Aujourd'hui, mon filtre est le suivant :
_daemon = (?:courier)?(?:imapd?|pop3d?)-ssl?

failregex = ^%(__prefix_line)s.*ip=\[<HOST>\], An unexpected TLS packet
was received.$

qui ne fonctionne pas. La partie failregex toute seule donne quelque
chose si je retire "^%(__prefix_line)s.*" :


fail2ban-regex /var/log/syslog "ip=\[<HOST>\], An unexpected TLS packet
was received.$"
...
Lines: 73005 lines, 0 ignored, 6 matched, 72999 missed
[processed in 2.80 sec]

Mais fail2ban rajoute une en-tête :fail2ban-client get courier-tls failregex
The following regular expression are defined:
`- [0]:
ip=\[(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\],
An unexpected TLS packet was received.$
et là, ça ne fonctionne plus.

Mais sans le retrait de ^%(__prefix_line)s.*, cela ne donne strictement
rien :

Root rayleigh:[/var/lib/iptables] > fail2ban-client get courier-tls
failregex
The following regular expression are defined:
`- [0]: ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[
*\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:courier)?(?:imapd?|pop3d?)-ssl?(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:courier)?(?:imapd?|pop3d?)-ssl?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID
\d+
\S+\]\s+)?.*ip=\[(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\],
An unexpected TLS packet was received.$
Root rayleigh:[/var/lib/iptables] > fail2ban-regex /var/log/syslog "[0]:
^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[
*\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:courier)?(?:imapd?|pop3d?)-ssl?(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:courier)?(?:imapd?|pop3d?)-ssl?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID
\d+
\S+\]\s+)?.*ip=\[(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\],
An unexpected TLS packet was received.$"

Running tests
=============

Use   failregex line : [0]: ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)...
Use         log file : /var/log/syslog
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [72942] {^LN-BEG}(?:DAY )?MON Day
%k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 72942 lines, 0 ignored, 0 matched, 72942 missed
[processed in 2.80 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all
72942 lines

Reply to:

References:
- Re: fail2ban regex
  - From: Charles Plessy <plessy@debian.org>

Prev by Date: Re: fail2ban regex
Next by Date: Re: fail2ban regex
Previous by thread: Re: fail2ban regex
Next by thread: Re: fail2ban regex
Index(es):
- Date
- Thread