Re: Fail2Ban and custom rules - regex inconsistency?
On Mon, 20 Dec 2010 14:40:13 +0000, Avi Greenbury wrote:
(...)
> So I've created a /etc/fail2ban/filter.d/adminpages.conf which contains:
>
> [Definition]
> #_daemon = apache
>
> # Option: failregex
> # Notes.: Regex to match Gary's logging script.
> # Values: TEXT
>
> failregex =" - <HOST>$"
> ignoreregex =
>
> But when I test this file against the log file:
>
> # fail2ban-regex log.txt /etc/fail2ban/filter.d/adminpages.conf
> Sorry, no match
>
> I've tried the regex in single quotes, double quotes and with no quotes
> at all, and they never match in that file. I'm assuming I've got
> something quite elementary wrong, but I can't work out what. I'm hoping
> one of you will be able to tell me what it is.
This is what the fail2ban "README.Debian" file says:
***
Upgrade from 0.6 versions:
-------------------------
* New Config Files Format:
If you had introduced your own sections in /etc/fail2ban.conf, you
would need manually to convert them into a new format. At minimum you
need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
for me and upstream please to avoid any conflicts -- introduce your
changes in .local) with failregex in [Definition] section. And provide
appropriate jail definition in /etc/fail2ban/jail.local
***
So, what I understand from the above stanza is that:
- User created files should be named "whatever.local" ("adminpages.local")
- It seems you need to add something at "jail.local" file, maybe to
enable the new filter rule :-?
Can't tell you more, just what the doc says :-)
Greetings,
--
Camaleón
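
Added example, not part of the original thread: a small offline check of how the quoting variants mentioned in the question are read from a `[Definition]` section and whether the resulting regex can capture a host. The `<HOST>` expansion is a simplified stand-in, the log lines are constructed because the thread does not show the real log format, and the timestamp handling that `fail2ban-regex` also performs is not modelled.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not its exact pattern).
HOST_GROUP = r"(?P<host>\S+)"

FILTER_TEMPLATE = """[Definition]
failregex ={value}
ignoreregex =
"""

# Constructed log lines: the thread does not show the real log format.
SAMPLE_LINES = [
    "2010-12-20 14:02:11 admin page requested - 192.0.2.10",
    "2010-12-20 14:02:15 admin page requested - 192.0.2.10 (retry)",
]

def load_failregex(filter_text):
    """Return the failregex value exactly as a ConfigParser-based reader sees it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(filter_text)
    return parser.get("Definition", "failregex")

def matched_hosts(raw_failregex, lines):
    """Expand <HOST>, search each line, and return the captured hosts."""
    pattern = re.compile(raw_failregex.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(pattern.search, lines) if m]

def compare(variants, lines=SAMPLE_LINES):
    """Map each way of writing the value to (parsed regex, hosts it captures)."""
    results = {}
    for label, value in variants.items():
        raw = load_failregex(FILTER_TEMPLATE.format(value=value))
        results[label] = (raw, matched_hosts(raw, lines))
    return results

VARIANTS = {
    "double": '" - <HOST>$"',   # as written in the question
    "single": "' - <HOST>$'",
    "bare": " - <HOST>$",
}

if __name__ == "__main__":
    for label, (raw, hosts) in compare(VARIANTS).items():
        print(f"{label:7} regex={raw!r:20} hosts={hosts}")
```

The parser keeps quote characters as literal parts of the pattern and strips the leading space from the bare value, so only the bare form captures a host here, and only on the line that really ends with the address.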