How do I format this regex so it will work in fail2ban?
Posted by chapkom on Server Fault
Published on 2012-04-05T17:26:29Z
I've just installed fail2ban on my CentOS server in response to an SSH brute force attempt. The default regular expressions in fail2ban's sshd.conf file do not match any entries in audit.log, which is where SSH seems to be logging all connection attempts, so I am trying to add an expression that will match.
The string I am trying to match is as follows:
type=USER_LOGIN msg=audit(1333630430.185:503332): user pid=30230 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="root": exe="/usr/sbin/sshd" (hostname=?, addr=<HOST IP>, terminal=sshd res=failed)'
The regular expression I am attempting to use is:
^.*addr=<HOST>, terminal=sshd res=failed.*$
I've used regextester.com and regexr to try to build the regex. The testers give me a match for this regex:
^.*addr=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}, terminal=sshd res=failed.*$
but fail2ban-regex complains if I don't use the <HOST> tag in the regex. However, using ^.*addr=<HOST>, terminal=sshd res=failed.*$ gives me 0 matches.
At this point, I am totally stuck and I would greatly appreciate any assistance. What am I doing wrong in the regex I am trying to use?
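An added example (not part of the original post and not fail2ban's own code): a way to check a failregex that uses the <HOST> tag against audit.log-style lines outside fail2ban. The HOST_GROUP pattern is an assumed simplification of what the tag expands to, the function names are hypothetical, and the sample lines are constructed from the line quoted in the question using documentation-range addresses.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for the named group that replaces <HOST>.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"

# The failregex from the question, unchanged.
QUESTION_REGEX = r"^.*addr=<HOST>, terminal=sshd res=failed.*$"


def expand_failregex(failregex):
    """Swap the <HOST> tag for a named capture group and compile the result."""
    if "<HOST>" not in failregex:
        # Without the tag there is no way to tell which host to act on.
        raise ValueError("failregex must contain the <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_hosts(failregex, lines):
    """Count matching lines per captured host."""
    pattern = expand_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def audit_line(addr, res):
    """Build a constructed USER_LOGIN record shaped like the one in the question."""
    return (
        "type=USER_LOGIN msg=audit(1333630430.185:503332): user pid=30230 uid=0 "
        "auid=500 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 "
        "msg='acct=\"root\": exe=\"/usr/sbin/sshd\" "
        f"(hostname=?, addr={addr}, terminal=sshd res={res})'"
    )


# Constructed sample input: three failures from two hosts and one success.
SAMPLE = [
    audit_line("192.0.2.10", "failed"),
    audit_line("192.0.2.10", "failed"),
    audit_line("198.51.100.7", "failed"),
    audit_line("203.0.113.5", "success"),
]

if __name__ == "__main__":
    for host, count in failed_hosts(QUESTION_REGEX, SAMPLE).items():
        print(host, count)
```

This models only the tag substitution and the regex match, not the rest of fail2ban's log-line processing.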