Spinsq February 2016

Fail2ban named-refused failregex syntax

When running the fail2ban-regex

fail2ban-regex /var/log/named/security1.log /etc/fail2ban/filter.d/named-refused.conf

I get the following output

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/named-refused.conf
Use log file   : /var/log/named/security1.log

Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Here is some output from the security1.log file

08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#444        

Answers


Mbo42 February 2016

I ran your log through my Debian 8.2 fail2ban in the same way you described and got.

Results
=======

Failregex: 14 total
|-  #) [# of hits] regular expression
|   1) [14] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
`-

Lines: 14 lines, 0 ignored, 14 matched, 0 missed

So if you're interested, the /etc/fail2ban/filter.d/named-refused.conf file in my distro is:

[Definition]

# Daemon name
_daemon=named

# Shortcuts for easier comprehension of the failregex

__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

#       hostname       daemon_id
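A worked check of that filter, added here as an example; it is not code from the question, the answer, or the fail2ban project. It takes the failregex exactly as fail2ban-regex printed it in the answer, expands <HOST> the way fail2ban 0.8/0.9 did (the versions current in 2016; the expansion is copied from that era's source and assumed, not imported), cuts the matched date out of each line before matching as fail2ban does, and tallies hits per client so you can see which client a jail would ban. The date regex is my own rendering of the "Day-MONTH-Year Hour:Minute:Second[.Millisecond]" template reported above. The sample log is constructed: the first three lines are copied from the question, the rest (a "view external:" line, an IPv6 client, a refused dynamic update, the truncated last line) were written for this example to exercise the other branches of the regex.

```python
import re
from collections import Counter

# failregex exactly as fail2ban-regex printed it in the answer above, with the
# <HOST> placeholder still unexpanded.
NAMED_REFUSED_FAILREGEX = (
    r"^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?"
    r"|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?"
    r"(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: "
    r"(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$"
)

# What fail2ban 0.8/0.9 substituted for <HOST> (assumption: copied from that
# era's fail2ban source, not imported from the library). The character class
# has no ':' in it, so an IPv6 client address can never match.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The "Day-MONTH-Year Hour:Minute:Second[.Millisecond]" template that
# fail2ban-regex reported; this regex is my own rendering of it (assumption).
DATE_RE = re.compile(r"\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?")

FAILREGEX = re.compile(NAMED_REFUSED_FAILREGEX.replace("<HOST>", HOST_RE))


def match_line(line):
    """Return the client host if LINE is a refused query, else None.

    Mirrors fail2ban's order of operations: find the date, cut it out of the
    line, then run failregex over what remains.
    """
    date = DATE_RE.search(line)
    if date is None:
        return None          # undated lines are never considered
    remainder = line[:date.start()] + line[date.end():]
    m = FAILREGEX.search(remainder)
    return m.group("host") if m else None


def count_hits(lines):
    """Failregex hits per host, the tally a jail keeps before banning."""
    hits = Counter()
    for line in lines:
        host = match_line(line)
        if host is not None:
            hits[host] += 1
    return hits


def hosts_to_ban(hits, maxretry):
    """Hosts whose hit count has reached the jail's maxretry, sorted."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample log: the first three lines are copied from the question;
# the remaining lines were written for this example.
SAMPLE_LOG = [
    "08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied",
    "08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied",
    "08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied",
    # 'view ...:' prefix, no '(cache)', no '(name)' after the port: still a hit
    "08-Feb-2016 11:38:16.001 client 10.0.0.7#53123: view external: query 'example.org/ANY/IN' denied",
    # IPv6 client: refused by BIND, but silently missed by this <HOST> pattern
    "08-Feb-2016 11:38:16.002 client 2001:db8::1#5555 (example.org): query (cache) 'example.org/ANY/IN' denied",
    # a refused dynamic update, not a query: must not count
    "08-Feb-2016 11:38:16.003 client 192.168.0.9#5353: update 'example.com/IN' denied",
    # the truncated last line from the question: must not count
    "08-Feb-2016 11:38:15.326 client 192.168.0.1#444",
]

if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{n:3d}  {host}")
    print("would ban with maxretry=3:", hosts_to_ban(hits, 3))
```

Two things worth noticing when you run it: the truncated line and the refused update are correctly ignored, but the IPv6 client is ignored too, because the <HOST> expansion of that fail2ban generation cannot contain a colon. If your resolver is reachable over IPv6, check with fail2ban-regex on a real IPv6 "denied" line before trusting the jail to cover it.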

Post Status

Asked in February 2016
Viewed 1,487 times
Voted 10
Answered 1 times
