From: Kelly B. <ke...@hu...> - 2012-02-08 23:18:21
I have a remote syslog set-up, but am finding that fail2ban is not matching on the common.conf regex for hosts with hyphens in the hostname. It works fine for any hosts that don't have a hyphen in the host name. E.g.:

hostname (works and matches and bans)
hostname-25 (does not pass regex for the common syslog regex matching in common.conf).

Has anybody else hit this snag and have a patch to share?

Thanks,
Kelly
From: Yaroslav H. <li...@on...> - 2012-02-09 01:46:46
hm... strange since \S should work just fine for those:

In [8]: [re.match("(\S+).*", x+" trailer").groups() for x in ["buga", "bu-ga", "bu-25"]]
Out[8]: [('buga',), ('bu-ga',), ('bu-25',)]

as you see -- all of them match with \S+ specified in commons.conf just fine... or do you have something else for

__hostname = \S+

?

On Wed, 08 Feb 2012, Kelly Black wrote:
> I have a remote syslog set-up, but am finding that fail2ban is not
> matching on the common.conf regex for hosts with hyphens in the hostname.
> It works fine for any hosts that don't have a hyphen in the host name.
> E.g.: hostname (works and matches and bans)
> hostname-25 (does not pass regex for the common syslog regex
> matching in common.conf).
> Has anybody else hit this snag and have a patch to share?
> Thanks,
> Kelly

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Kelly B. <ke...@hu...> - 2012-02-09 03:37:50
Yaroslav,

Thanks for the pointer. I agree that the \S should work. After testing again, I tried putting just the two instances in a file (the working vs the non-working) and tried it using:

fail2ban-regex ./tinyauthlog.log /etc/fail2ban/filter.d/sshd.conf

And the rule matches, so I would imagine my fault lies somewhere else. The funny thing is that I can always reproduce the error by using ssh to the host with the hyphenated name and never hit the limit, but I can only ssh and fail to auth to the host with the non-hyphenated name up to the maxretry number of times. I will post back when I figure it out.

Thanks,
Kelly

On Wed, 8 Feb 2012, Yaroslav Halchenko wrote:
> hm... strange since \S should work just fine for those:
>
> In [8]: [re.match("(\S+).*", x+" trailer").groups() for x in ["buga", "bu-ga", "bu-25"]]
> Out[8]: [('buga',), ('bu-ga',), ('bu-25',)]
>
> as you see -- all of them match with \S+ specified in commons.conf just
> fine... or do you have something else for
>
> __hostname = \S+
>
> ?
From: Yaroslav H. <li...@on...> - 2012-02-11 02:19:18
so -- that was the ghost of trailing white-spaces ;-) (once again proving the importance of providing sample logfiles as attachments)

I have pushed "the fix":
https://github.com/fail2ban/fail2ban/commit/25f1e8d98c5a7af353b6d85d91a4b968a8425335
should be in the next release

so -- out of curiosity -- all those lines you sent me were generated by the same logger (which one btw?) on the server box having obtained logs from other boxes via network? or have you composed them manually from sample log files?

On Wed, 08 Feb 2012, Kelly Black wrote:
> Yaroslav,
> Thanks for the pointer. I agree that the \S should work. After testing
> again, I tried putting just the two instances in a file (the working vs
> the non-working and tried it using:
> fail2ban-regex ./tinyauthlog.log /etc/fail2ban/filter.d/sshd.conf
> And the rule matches, so, I would imagine my fault lies somewhere else.
> The funny thing is that I can always reproduce the error by using ssh to
> the host with the hyphenated name and never hit the limit, but I can only
> ssh and fail to auth to the host with the non-hyphenated name up to the
> maxretry number of times. I will post back when I figure it out.
> Thanks,
> Kelly

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
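An added example (not code from this thread, and not fail2ban's own sshd filter) that reproduces the failure mode Yaroslav identified: `\S+` accepts the hyphenated hostname without trouble, but an end-anchored failregex silently stops matching a line that carries a trailing space, so the hyphenated host is never counted towards maxretry. The log lines and the regex are constructed, simplified approximations; the two mitigations shown are tolerating `\s*$` in the pattern and normalising the line before matching.

```python
import re

# Constructed sample lines modelled on remote-syslog sshd entries (not real
# captured logs). The second line, from the hyphenated host, ends with a
# trailing space, as described in the thread.
LOG_LINES = [
    "Feb  8 22:10:01 hostname sshd[1234]: Failed password for invalid user bob "
    "from 192.0.2.10 port 5022 ssh2",
    "Feb  8 22:10:02 hostname-25 sshd[1235]: Failed password for invalid user bob "
    "from 192.0.2.11 port 5023 ssh2 ",
]

# Hypothetical, simplified stand-in for a fail2ban-style prefix: timestamp,
# hostname (\S+, which happily accepts hyphens), then the sshd process tag.
PREFIX = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) sshd\[\d+\]: "
FAILED = r"Failed password for .* from (?P<host>\S+) port \d+ ssh2"

# Strict form anchors directly after "ssh2", so one trailing space defeats it.
STRICT = re.compile(PREFIX + FAILED + r"$")
# Tolerant form allows (and ignores) trailing whitespace before end of line.
TOLERANT = re.compile(PREFIX + FAILED + r"\s*$")


def match_hosts(pattern, lines, normalize=False):
    """Return {hostname: source_ip} for every line the pattern matches.

    With normalize=True the line is right-stripped first, the other way to
    neutralise loggers that emit trailing whitespace.
    """
    found = {}
    for line in lines:
        m = pattern.match(line.rstrip() if normalize else line)
        if m:
            found[m.group("hostname")] = m.group("host")
    return found


def hosts_with_trailing_whitespace(lines):
    """Hostnames whose lines end in whitespace: a quick check worth running on
    sample logs before blaming the regex."""
    return [line.split()[3] for line in lines if line != line.rstrip()]
```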
From: Kelly B. <ke...@hu...> - 2012-02-11 22:41:22
Yaroslav,

The entries were gained from using grep on the main log file from the central syslog server. That server collects syslog entries from many different Linux distros installed (Centos, Debian, Ubuntu, Slackware). I wonder if there might be some differences in the different releases of syslog that might have changed the handling of line endings and/or white space.

Thanks for beating me to finding out the issue. I owe you a beer if you are in the Minneapolis Minnesota area some time (if you are of the beer drinking type).

Thanks again!
Kelly

On 10.02.2012 20:19, Yaroslav Halchenko wrote:
> so -- that was the ghost of trailing white-spaces ;-) (once again
> proving the importance of providing sample logfiles as
> attachments)
>
> I have pushed "the fix":
> https://github.com/fail2ban/fail2ban/commit/25f1e8d98c5a7af353b6d85d91a4b968a8425335
> should be in the next release
>
> so -- out of curiosity -- all those lines you sent me were generated on
> by the same logger (which one btw?) on the server box having
> obtained logs from other boxes via network? or have you composed them
> manually from sample log files?
>
> On Wed, 08 Feb 2012, Kelly Black wrote:
>
>> Yaroslav,
>
>> Thanks for the pointer. I agree that the \S should work. After testing again, I tried putting just the two instances in a file (the working vs the non-working and tried it using:

--
Hutman, Inc.
612-843-1400
From: Yaroslav H. <li...@on...> - 2012-02-12 00:49:21
> different Linux distros installed (Centos, Debian, Ubuntu, Slackware). I
> wonder if there might be some differences in the different releases of
> syslog that might have changed the handling of line endings and or white
> space.

yeap -- that might be interesting to know just out of curiosity if you look at those few who do have trailing spaces.... we should find a spot in wiki on that

> Thanks for beating me to finding out the issue. I owe you a beer if you
> are in the Minneapolis Minnesota area some time (if you are of the beer
> drinking type).

oh yeah -- I am of that type ;) thanks for the invitation -- I will keep it in mind ;)

--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic
From: Kelly B. <ke...@hu...> - 2012-02-12 03:38:29
It looks like the odd man out is an older Slackware 11.0 setup. The rest are Ubuntu and Debian (the ones without the extra space).

Kelly

On 11.02.2012 18:49, Yaroslav Halchenko wrote:
>> different Linux distros installed (Centos, Debian, Ubuntu, Slackware). I wonder if there might be some differences in the different releases of syslog that might have changed the handling of line endings and or white space.
>
> yeap -- that might be interesting to know just out of curiosity if
> you look at those few who do have trailing spaces.... we should
> find a spot in wiki on that