Hi all

Recently I found that fail2ban "fails to ban" the following entry (and similar, of course) in /var/log/auth.log
Feb 24 04:36:26 info sshd[3653]: reverse mapping checking getaddrinfo for bj141-209-177.bjtelecom.net [219.141.209.177] failed - POSSIBLE BREAK-IN ATTEMPT!

I suppose it should be caught by this regex, but it is not!
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$

I found this Debian bug report [1] where this guy in message 17 suggests the following regex, which unfortunately doesn't work.
^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$

I think he gets close, but not close enough since when I test it by running
fail2ban-regex 'Feb 24 04:36:26 info sshd[3653]: reverse mapping checking getaddrinfo for bj141-209-177.bjtelecom.net [219.141.209.177] failed - POSSIBLE BREAK-IN ATTEMPT!' '^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$'

I still get "Sorry, no match".


I'm not good with regular expressions so I'd like to ask you people. Does anyone know what the proper regex would be?
If it matters, I use fail2ban v 0.8.4-1ubuntu1.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588431

--
Regards
Martin Lukeš
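
Added example, not part of the original post: a Python check of the two quoted failregex strings against the quoted log line, with and without the %(__prefix_line)s token expanded. PREFIX and HOST are simplified stand-ins assumed here for what %(__prefix_line)s and <HOST> expand to (they are not fail2ban's own definitions), and the interpolate=False case assumes the pattern reaches the regex engine with the token still literal.

```python
import re

# Constructed stand-ins (assumptions, not fail2ban's real definitions):
# PREFIX approximates what %(__prefix_line)s expands to for a syslog sshd line,
# HOST approximates the capture group substituted for <HOST>.
PREFIX = r"\s*(?:\w{3}\s+\d+ [\d:]{8} )?(?:\S+ )?sshd(?:\[\d+\])?:\s+"
HOST = r"(?P<host>[\w\-.:]+)"

# Log line quoted in the post.
LINE = ("Feb 24 04:36:26 info sshd[3653]: reverse mapping checking getaddrinfo "
        "for bj141-209-177.bjtelecom.net [219.141.209.177] failed - "
        "POSSIBLE BREAK-IN ATTEMPT!")

# The two failregex strings quoted in the post.
STOCK = r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$"
MSG17 = (r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* "
         r"\[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$")


def expand(failregex, interpolate=True):
    """Turn a failregex into a plain Python regex.

    With interpolate=False the %(__prefix_line)s token is left as-is, which is
    what the regex engine sees if nothing performs config interpolation.
    """
    if interpolate:
        failregex = failregex.replace("%(__prefix_line)s", PREFIX)
    return failregex.replace("<HOST>", HOST)


def banned_host(failregex, line, interpolate=True):
    """Return the captured host, or None when the line does not match."""
    m = re.search(expand(failregex, interpolate), line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, rx in (("stock", STOCK), ("message 17", MSG17)):
        for interp in (False, True):
            print(f"{name:10} interpolate={interp!s:5} -> "
                  f"{banned_host(rx, LINE, interp)}")
```

Under these assumptions only the message 17 pattern with the prefix expanded captures the address; the stock "Address <HOST>" pattern never matches because the sshd message on this line starts with "reverse mapping checking".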