linux - Fail2ban named-refused failregex syntax


When running fail2ban-regex

    fail2ban-regex /var/log/named/security1.log /etc/fail2ban/filter.d/named-refused.conf

I get the following output:

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/named-refused.conf
    Use log file   : /var/log/named/security1.log

    Matched time template Day-MON-Year Hour:Minute:Second[.Millisecond]
    Matched time template Day-MON-Year Hour:Minute:Second[.Millisecond]
    Matched time template Day-MON-Year Hour:Minute:Second[.Millisecond]
    Matched time template Day-MON-Year Hour:Minute:Second[.Millisecond]
    Matched time template Day-MON-Year Hour:Minute:Second[.Millisecond]

    Results
    =======

    Failregex: 0 total

    Ignoreregex: 0 total

    Summary
    =======

    Sorry, no match

Here is the output of the security1.log file:

    08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
    08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied

The failregex is the following:

    failregex = %(__line_prefix)sclient <HOST>#\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$

I think there is a difference between the output of security1.log and the failregex syntax of the named-refused.conf file that makes it not find anything.

Thanks in advance,

Guy

I ran the log through Debian 8.2 fail2ban in the same way as described, and got:

    Results
    =======

    Failregex: 14 total
    |-  #) [# of hits] regular expression
    |   1) [14] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [14] Day-MON-Year Hour:Minute:Second[.Millisecond]
    `-

    Lines: 14 lines, 0 ignored, 14 matched, 0 missed

So if you are interested, the /etc/fail2ban/filter.d/named-refused.conf file in that distro is:

    [Definition]

    # Daemon name
    _daemon=named

    # Shortcuts for easier comprehension of the failregex
    __pid_re=(?:\[\d+\])
    __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
    __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

    #       hostname       daemon_id         spaces
    # this can be optional (for instance if we match named native log files)
    __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

    failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
                ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
                ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$

    # DEV Notes:
    # Trying to generalize the
    #          structure which is general to capture general patterns in log
    #          lines to cover different configurations/distributions
    #
    # (\.\d+)? -- is a really ugly catch of microseconds not captured in date detector
    #
    # Author: Yaroslav Halchenko

Note the author's comment "really ugly catch of microseconds not captured in date detector". Try it (after a sanity check against your own version, of course) and see if it works. By the way, which distro?
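Added example, not code from the question or the answer: a small Python harness that loads both failregexes the way fail2ban does (interpolating the %(name)s shortcuts from the Debian filter and expanding <HOST>), cuts the timestamp out of each line as fail2ban does before matching, and runs both patterns over constructed log lines in the shape of the question's log. It assumes fail2ban's classic <HOST> expansion and a hand-written regex for BIND's timestamp; the sample lines are constructed.

```python
import re

# Constructed BIND security-log lines in the same shape as the question's log.
SAMPLE_LOG = """\
08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 10.0.0.7#53211 (example.net): view external: query (cache) 'example.net/ANY/IN' denied
08-Feb-2016 11:38:16.001 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/A/IN' approved
"""

# Shortcut definitions copied from the Debian named-refused.conf shown in the answer.
DEFS = {"_daemon": "named", "__pid_re": r"(?:\[\d+\])"}
DEFS["__daemon_re"] = r"\(?%(_daemon)s(?:\(\S+\))?\)?:?" % DEFS
DEFS["__daemon_combs_re"] = r"(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)" % DEFS
DEFS["__line_prefix"] = r"(?:\s\S+ %(__daemon_combs_re)s\s+)?" % DEFS

# The questioner's failregex: nothing can absorb the " (cpsc.gov)" between the port and the colon.
ASKER_FAILREGEX = r"%(__line_prefix)sclient <HOST>#\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$"
# The distro's first failregex: the optional ( \([\S.]+\))? group takes that token.
DISTRO_FAILREGEX = r"^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$"

# Assumed: fail2ban's classic expansion of the <HOST> tag (optional IPv4-mapped prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumed hand-written matcher for BIND's "DD-Mon-YYYY HH:MM:SS.mmm" timestamp.
DATE_RE = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?")


def compile_failregex(failregex):
    """Interpolate the %(name)s shortcuts and <HOST>, as fail2ban does when loading a filter."""
    return re.compile((failregex % DEFS).replace("<HOST>", HOST_RE))


def find_failures(failregex, log_text):
    """Return the <host> captured on each line the failregex matches.

    Like fail2ban, the detected timestamp is cut out of the line before the
    failregex is applied, which is why the distro pattern tolerates a leading
    (\\.\\d+)? and \\s* in front of 'client'.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = DATE_RE.search(line)
        log_line = line[:m.start()] + line[m.end():] if m else line
        hit = rx.search(log_line)
        if hit:
            hosts.append(hit.group("host"))
    return hosts


if __name__ == "__main__":
    print("asker :", find_failures(ASKER_FAILREGEX, SAMPLE_LOG))   # []
    print("distro:", find_failures(DISTRO_FAILREGEX, SAMPLE_LOG))  # ['192.168.0.1', '10.0.0.7']
```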

