Menu
▾
▴
Re: [Fail2ban-users] regex optimization
|
From: Cyril J. <cyr...@fa...> - 2007-09-18 20:41:26
|
Hi all,
> Whether its executed twice or not is a good question, I'll leave that up
> to the developer to respond to, if the ignoreregex is checked if its not
> null then yeah I guess it would look it up twice; however, I also use
> postfix and since I have implemented that I have not seen iptables trying
> to block an unknown host anymore :)
>
You can have a look at findFailure in server/filter.py. Each line in
failregex or ignoreregex correspond to a regular expression.
Let's take an example:
failregex = Authentication failure for .* from <HOST>$
Failed [-/\w]+ for .* from <HOST>$
ROOT LOGIN REFUSED .* FROM <HOST>$
[iI](?:llegal|nvalid) user .* from <HOST>$
User .* from <HOST> not allowed because not listed in
AllowUsers$
ignoreregex = unknown\[unknown\]
For each log line, there will be a maximum of 6 evaluations of regular
expressions and a minimum of 2.
I do not know if the evaluation of 6 simple regular expressions is
faster than 1 evaluation of a more complex one!?
Regards,
Cyril Jaquier
|