Score:0

Matching log entry with custom Fail2ban regex

RDK

I'm running Fail2ban on a Raspberry Pi 3 with Buster. Fail2ban version v0.10.2. One application on it is running a simple python HTTP server script.

I'm trying to match this kind of record from the log file:

Dec 4 07:50:00 Pi-New HTTP_Server[585]: 123.456.789.123 - - [04/Dec/2022 07:50:00] code 400, message Bad request version ('\xc0\x13\xc0')

I have tried numerous regex lines. These are the latest lines, all without success:

1. '^.*\]: <HOST> - - .* 400, $'
2. "^.*\]: <HOST> - - \[\+0000\].* 400, $"

The latter after I read a posting saying that fail2ban deletes the date section before passing the line to the regex.

The output from fail2ban-regex is always like this:

Running tests
=============

Use   failregex line : ^.*\]: <HOST> - - \[\+0000\].* 400, $
Use      single line : Dec 4 07:50:00 Pi-New HTTP_Server[585]:...

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:.Microseconds)?(?: ExYear)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.03 sec]

|- Missed line(s):
|  Dec 4 07:50:00 Pi-New HTTP_Server[585]: 123.456.789.123 - - [04/Dec/2022 07:50:00] code 400, message Bad request version ('\xc0\x13\xc0')

which seems to indicate that it found the date but after that did not find any matches. What am I doing wrong?...RDK

Score:0

In regular expressions, $ asserts position at the end of a line, but the log line does not end with "400, ".

The following regular expression matches your log line if you are not interested in the more specific reason for the HTTP error 400. You might want to make it more restrictive to avoid any false positives, but this is in a format you could play with, e.g., in https://regex101.com/.

^.*\[[0-9]+\]: ([0-9.]+) - - \[.+\] code 400,.*$

When ready,

  • the matching group ([0-9.]+) is a quick and dirty match for IP addresses: it should be replaced with the <host> to detect it.
  • the .*\[[0-9]+\]: can probably be replaced with the %(__prefix_line)s.

The final fail2ban filter would look something like this:

^%(__prefix_line)s <host> - - \[.+\] code 400,.*$

Also take a look at the Developing Filters article in the Fail2Ban documentation.

RDK
Many thanks, you have pointed me along the right path. After several Fail2ban_regex iterations I finally got to something which I wanted. This is what I will try as a filter "^.*\]: (<HOST>) - - \[.+\]( code (400|404|501|505), message).*$"
RDK
I may also refine the "message" to be "message (Fail|Bad|Unsupported|Invalid)"
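As an added illustration (not part of the question, the answer or the comments above), the script below expands fail2ban's <HOST> and %(__prefix_line)s placeholders with simplified stand-ins and runs the three failregex candidates from this thread over constructed log lines in the same format as the question's HTTP_Server entry. HOST and PREFIX_LINE are assumed simplifications for offline testing, not fail2ban's real definitions.

```python
import re

# Assumed stand-ins for fail2ban's own substitutions (not fail2ban's real
# definitions): <HOST> is IPv4-only here, and %(__prefix_line)s covers
# "MON DAY HH:MM:SS hostname program[pid]: " as seen in the question's log.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX_LINE = r"\S+ +\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: "

FAILREGEX = {
    # first attempt from the question: "$" right after "400, " never matches
    "question": r"^.*\]: <HOST> - - .* 400, $",
    # the answer's version: the line is allowed to continue after "code 400,"
    "answer": r"^.*\[[0-9]+\]: <HOST> - - \[.+\] code 400,.*$",
    # refined version from the follow-up comments, with the message restriction
    "refined": r"^%(__prefix_line)s(<HOST>) - - \[.+\]( code (400|404|501|505),"
               r" message (Fail|Bad|Unsupported|Invalid)).*$",
}


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the fail2ban placeholders and compile, as fail2ban-regex would."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


def banned_hosts(failregex: str, lines) -> list:
    """Return the host captured from every line the failregex matches, in order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


# Constructed sample log lines: one 400, one 501, one 404 and one normal 200 request.
SAMPLE_LOG = [
    r"Dec  4 07:50:00 Pi-New HTTP_Server[585]: 123.456.789.123 - - [04/Dec/2022 07:50:00] code 400, message Bad request version ('\xc0\x13\xc0')",
    r"Dec  4 07:51:13 Pi-New HTTP_Server[585]: 203.0.113.7 - - [04/Dec/2022 07:51:13] code 501, message Unsupported method ('POST')",
    r"Dec  4 07:52:02 Pi-New HTTP_Server[585]: 198.51.100.9 - - [04/Dec/2022 07:52:02] code 404, message File not found",
    r'Dec  4 07:53:40 Pi-New HTTP_Server[585]: 192.0.2.44 - - [04/Dec/2022 07:53:40] "GET / HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for name, failregex in FAILREGEX.items():
        print(f"{name:9}: {banned_hosts(failregex, SAMPLE_LOG)}")
```

Note that the refined filter's "message (Fail|Bad|Unsupported|Invalid)" clause skips the 404 line, whose message starts with "File", so the 404 code in the alternation only takes effect for messages that begin with one of those words.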