#46 <HOST> regex fails if hostname is in brackets "()"

open
nobody
None
5
2009-07-16
2009-07-16
Marco Gabriel
No

If fail2ban parses a log (e.g. pure-ftpd) where the hostname of the attacker is enclosed in brackets like "(hostname.domain.tld)", it fails. In the fail2ban.log, you can see the following error:

2009-07-16 07:51:15,598 fail2ban.filter : WARNING Unable to find a corresponding IP address for ns10.hostinglmi.net)

It seems that the closing bracket is kept as the hostname, which indeed fails.
I checked this on Ubuntu 8.04 with a pure-ftpd filter which was already installed. I found occurrences on the net where this error also happens on Apache logs.

I fixed it in filter.py by replacing the ")" with "". But I guess it's possible to fix it with a change of the <HOST> substitution regex.

See also: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#pure-ftpd_and_apache_ban_fails_with_DNS_error
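The behaviour reported above can be reproduced with a small script; this is an added example, not part of the original report and not fail2ban's own code. The two host sub-patterns, the two filter lines, the helper name `extract_host` and the sample log line are assumptions constructed for illustration.

```python
import re

# Assumed host sub-patterns (illustrative, not copied from fail2ban's source).
PERMISSIVE_HOST = r"(?P<host>\S+)"      # any run of non-whitespace characters
STRICT_HOST = r"(?P<host>[\w\-.]+)"     # only characters valid in a hostname or IPv4 address

# Hypothetical filter lines written in fail2ban's failregex style.
# UNESCAPED treats "(" and ")" as a regex group, so the literal brackets in
# the log are left for the neighbouring sub-patterns to swallow.
UNESCAPED = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] Authentication failed"
# ESCAPED matches the literal brackets around "user@host".
ESCAPED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] Authentication failed"

# Constructed sample log line (not taken from a real system).
SAMPLE = ("Jul 16 07:51:15 srv pure-ftpd: (?@host.example.net) "
          "[WARNING] Authentication failed for user [admin]")


def extract_host(failregex, host_pattern, line):
    """Substitute <HOST>, search the line, return the captured host or None."""
    pattern = failregex.replace("<HOST>", host_pattern)
    match = re.search(pattern, line)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, rx in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        for hname, hp in (("permissive", PERMISSIVE_HOST), ("strict", STRICT_HOST)):
            print(f"{name:9} + {hname:10} -> {extract_host(rx, hp, SAMPLE)!r}")
```

With the unescaped filter, the permissive pattern captures the trailing ")" and DNS resolution then fails, while the strict pattern produces no match at all, so the failed login is never counted. Only the escaped filter yields a clean hostname with either host pattern.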

Discussion