Join Log in
Score:0
8bit avatar Server

Create own filter for fail2ban fails

kr flag
8bit

I'm playing around with fail2ban in kubernetes. For that I created a pod that creates fake log messages: 2021-08-04 18:33:13 Authentication failed 15.15.15.15 I created a custom filter, to test if fail2ban is working. I first tried the fail2ban-regex util with a file containing 10 lines of these log messages and got this output:

Running tests
=============

Use   failregex filter file : test, basedir: /etc/fail2ban
Use         log file : /logs.txt
Use         encoding : UTF-8


Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [10] \sAuthentication failed\s<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 10 lines, 0 ignored, 10 matched, 0 missed
[processed in 0.12 sec]

but when I then try the same filter against the file, that contains the continually logs, I get this error:

Running tests
=============

Use   failregex filter file : test, basedir: /etc/fail2ban
Use         log file : /logs/kubernetes.logs
Use         encoding : UTF-8

Traceback (most recent call last):
 File "/usr/bin/fail2ban-regex", line 34, in <module>
   exec_command_line()
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 836, in exec_command_line
   if not fail2banRegex.start(args):
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 776, in start
   self.process(test_lines)
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 584, in process
   line_datetimestripped, ret, is_ignored = self.testRegex(line)
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 456, in testRegex
   found = self._filter.processLine(line, date)
 File "/usr/lib/python3.8/site-packages/fail2ban/server/filter.py", line 613, in processLine
   timeMatch = self.dateDetector.matchTime(line)
 File "/usr/lib/python3.8/site-packages/fail2ban/server/datedetector.py", line 368, in matchTime
   (line[distance] == self.__lastPos[2] and not self.__lastPos[2].isalnum())
IndexError: string index out of range

And when I activate the filter for fail2ban, there i no ip banned, so I think, my filter isn't working, but I cannot find the mistake.

filter.conf:

[Definition]

failregex = \sAuthentication failed\s<HOST>
334
1 + 1
djdomi avatar
za flag
djdomi
i think it was already answered by [Stackoverflow](https://stackoverflow.com/questions/56158596/how-to-use-fail2ban-under-kubernetes)
0
Reply
Score:0
sebres avatar Server
il flag
sebres

This is known bug (already fixed in-between), see https://github.com/fail2ban/fail2ban/issues/3020

But the actual reason is unprecise datepattern and either an incomplete timestamp (matching by default datepattern set) or some line without timestamp at all. The solution would be either an update or (better) a precise datepattern as possible and in best case anchored at begin (or end).

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.