How do I format this regex so it will work in fail2ban?

Posted by chapkom on Server Fault See other posts from Server Fault or by chapkom
Published on 2012-04-05T17:26:29Z Indexed on 2012/04/05 17:32 UTC
Read the original article Hit count: 293

Filed under:
|
|
|
|

I've just installed fail2ban on my CentOS server in response to an SSH brute force attempt. The default regular expressions in fail2ban's sshd.conf file do not match any entries in audit.log, which is where SSH seems to be logging all connection attempts, so I am trying to add an expression that will match.

The string I am trying to match is as follows:

type=USER_LOGIN msg=audit(1333630430.185:503332): user pid=30230 uid=0 auid=500
 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="root": exe="/usr
/sbin/sshd" (hostname=?, addr=<HOST IP>, terminal=sshd res=failed)'

The regular expression I am attempting to use is:

^.*addr=<HOST>, terminal=sshd res=failed.*$

I've used regextester.com and regexr to try to build the regex. The testers give me a match for this regex:^.*addr=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}, terminal=sshd res=failed.*$ but fail2ban-regex complains if I don't use the <HOST> tag in the regex. However, using ^.*addr=<HOST>, terminal=sshd res=failed.*$ gives me 0 matches.

At this point, I am totally stuck and I would greatly appreciate any assistance. What am I doing wrong in the regex I am trying to use?

© Server Fault or respective owner

Related posts about linux

Related posts about security