Ah you're right... and so was he.

Thank you

Can this pattern be added to future versions?


On Fri, Feb 24, 2012 at 9:50 AM, Tom Hendrikx <tom@whyscream.net> wrote:
On 24/02/12 09:38, Martin Lukeš wrote:
> Hi all
>
> Recently I found that fail2ban "fails to ban" the following entry (and
> similar, of course) in /var/log/auth.log
> Feb 24 04:36:26 info sshd[3653]: reverse mapping checking getaddrinfo
> for bj141-209-177.bjtelecom.net [219.141.209.177] failed - POSSIBLE
> BREAK-IN ATTEMPT!
>
> I suppose it should be caught by this regex, but it is not!
> ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
>
> I found this Debian bug report [1] where this guy in message 17 suggests
> the following regex, which unfortunately doesn't work.
> ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\]
> failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
>
> I think he gets close, but not close enough since when I test it by running
> fail2ban-regex 'Feb 24 04:36:26 info sshd[3653]: reverse mapping
> checking getaddrinfo for bj141-209-177.bjtelecom.net [219.141.209.177]
> failed - POSSIBLE BREAK-IN ATTEMPT!' '^%(__prefix_line)sreverse mapping
> checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$'
>

My bet would be that the %(__prefix_line)s expansion is not expanded
because the definition of __prefix_line is in the ssh* filter file,
which is not used when you test the filter like this.

What happens if you add the regex to the filter.d/sshd.conf file, and
then test it?

--
Regards,
       Tom

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users



--
Regards
Martin Lukeš
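To make Tom's point concrete, here is an added example that is not code from the thread and not fail2ban's own implementation. It mimics what the filter loader does with a failregex line (substituting `%(__prefix_line)s` and `<HOST>` before compiling) and runs both regexes from the thread over constructed log lines. The `PREFIX_LINE` value is an assumed, narrower stand-in for the real `__prefix_line` in filter.d/common.conf, and `HOST_TAG` is an assumed expansion of the `<HOST>` tag; `ADDRESS_LINE` and `BENIGN_LINE` are constructed sample entries.

```python
import re

# Constructed stand-in for fail2ban's __prefix_line (assumption: the real
# definition in filter.d/common.conf is broader). It covers the syslog prefix
# "Mon DD HH:MM:SS hostname sshd[pid]: " seen in the thread's log line.
PREFIX_LINE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "

# Assumed expansion of the <HOST> tag: an IPv4 address or hostname, captured
# in the named group the address to ban is read from.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines discussed in the thread, verbatim.
ADDRESS_FAILREGEX = (
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$"
)
REVERSE_MAPPING_FAILREGEX = (
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\]"
    r" failed - POSSIBLE BREAK-IN ATTEMPT!\s*$"
)

# Sample log lines. The first is the line from the thread; the second is a
# constructed "Address ... maps to ..." entry of the kind the first regex
# targets; the third is a constructed successful login that must never match.
REVERSE_MAPPING_LINE = (
    "Feb 24 04:36:26 info sshd[3653]: reverse mapping checking getaddrinfo "
    "for bj141-209-177.bjtelecom.net [219.141.209.177] failed - "
    "POSSIBLE BREAK-IN ATTEMPT!"
)
ADDRESS_LINE = (
    "Feb 24 04:36:26 info sshd[3653]: Address 219.141.209.177 maps to "
    "bj141-209-177.bjtelecom.net, but this does not map back to the address "
    "- POSSIBLE BREAK-IN ATTEMPT!"
)
BENIGN_LINE = (
    "Feb 24 04:36:27 info sshd[3654]: Accepted publickey for alice "
    "from 192.0.2.10 port 50222 ssh2"
)


def compile_failregex(failregex, expand_prefix=True):
    """Turn a failregex line into a compiled pattern the way the filter
    loader does: substitute %(__prefix_line)s (only when the filter file
    that defines it is in play) and the <HOST> tag, then compile."""
    pattern = failregex
    if expand_prefix:
        pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST_TAG)
    return re.compile(pattern)


def match_host(failregex, line, expand_prefix=True):
    """Return the host a failregex would extract from `line`, or None."""
    m = compile_failregex(failregex, expand_prefix).match(line)
    return m.group("host") if m else None


def scan(lines, failregexes):
    """Run every failregex over every line and count hits per host, the
    way a simplified filter would feed its ban counter."""
    hits = {}
    for line in lines:
        for failregex in failregexes:
            host = match_host(failregex, line)
            if host:
                hits[host] = hits.get(host, 0) + 1
                break  # first matching failregex wins for a given line
    return hits


if __name__ == "__main__":
    # With the prefix expanded (regex placed in filter.d/sshd.conf), the
    # proposed regex extracts the address from the thread's log line.
    print(match_host(REVERSE_MAPPING_FAILREGEX, REVERSE_MAPPING_LINE))
    # Tested raw on the command line, the literal "%(__prefix_line)s" text
    # is treated as regex syntax and nothing matches.
    print(match_host(REVERSE_MAPPING_FAILREGEX, REVERSE_MAPPING_LINE,
                     expand_prefix=False))
    print(scan([REVERSE_MAPPING_LINE, ADDRESS_LINE, BENIGN_LINE],
               [ADDRESS_FAILREGEX, REVERSE_MAPPING_FAILREGEX]))
```

The `expand_prefix=False` path is the situation Tom suspects: left unexpanded, `%(__prefix_line)s` is parsed as a literal `%`, a group matching the text `__prefix_line` and a literal `s`, so a line beginning with a timestamp can never match. The same call with expansion on shows that the regex from the bug report does catch the "reverse mapping" entry, while the existing "Address <HOST>" regex, as Martin observed, does not.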