Score:1

Creating a custom filter for fail2ban

cn flag

I'm trying to create a custom jail and filter in fail2ban for motion stream http authentication. The log directory is /var/log/motion/motion.log and a failed login attempt generates:

```
[0:ml1] [ALR] [STR] [Nov 02 16:47:57] handle_basic_auth: motion-stream - failed auth attempt from 192.168.0.65
```

My custom jail in /etc/failban/jail.local looks like this:

```
[motion-auth]
enabled = true
port     = 8010
filter = motion-auth.conf
logpath  = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200
```

And my motion-auth.conf file in /etc/failban/filter.d/ looks like this:

```
[INCLUDES]
before = common.conf
[Definition]
_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
failregex = [0:ml1] [ALR] [STR] .* handle_basic_auth: motion-stream - failed auth attempt from <HOST>
```

I'm having trouble writing the failregex in the filter file. Can anyone help me with it?

cn flag
Have you used the `fail2ban-regex` command so you can iteratively test as you make changes? Also, `[` characters have meaning in regexes, so you will probably need to escape them with a leading `\`.
cn flag
That should be with a leading \
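The effect the comments describe can be checked offline with the added example below, which is not part of the original thread: it runs the failregex as posted and a bracket-escaped candidate over the log line from the question. `HOST_IPV4` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `ESCAPED` is one possible pattern (an assumption), so the final check still belongs to `fail2ban-regex`.

```python
import re

# Constructed sample: the failed-auth line quoted in the question plus a benign line.
LOG_LINES = [
    "[0:ml1] [ALR] [STR] [Nov 02 16:47:57] handle_basic_auth: "
    "motion-stream - failed auth attempt from 192.168.0.65",
    "[0:ml1] [NTC] [STR] [Nov 02 16:48:01] stream_main: "
    "motion-stream - client connected from 192.168.0.65",
]

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex as posted: "[0:ml1]", "[ALR]" and "[STR]" are parsed as character
# classes, each matching ONE character, so the literal text never matches.
AS_POSTED = (r"[0:ml1] [ALR] [STR] .* handle_basic_auth: "
             r"motion-stream - failed auth attempt from <HOST>")

# Candidate (assumption): literal brackets escaped, line anchored at both ends.
# fail2ban removes the timestamp it recognises before applying failregex, so the
# date bracket is allowed to be empty: \[[^\]]*\] matches "[Nov 02 ...]" and "[]".
ESCAPED = (r"^\[\d+:\w+\] \[ALR\] \[STR\] \[[^\]]*\] handle_basic_auth: "
           r"motion-stream - failed auth attempt from <HOST>$")


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, roughly as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_IPV4))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("as posted:", matched_hosts(AS_POSTED, LOG_LINES))
    print("escaped:  ", matched_hosts(ESCAPED, LOG_LINES))
```
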