
Fail2Ban regex does not match

I'm using fail2ban. For some reason Fail2Ban refuses to compile my regex. Here are the logs that I need to match:

root@server1:/etc/fail2ban/filter.d# tail /var/log/apache2/error.log
[Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:16 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/
[Sun Apr 20 10:40:44 2014] [error] [client 75.144.181.151] user pentest not found: /phpmyadmin/

and here is my fail2ban filter.d file:

root@server1:/etc/fail2ban/filter.d# cat /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = [client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":
ignoreregex =

Here is my regex line from the file above:

[client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":

Unfortunately the fail2ban log file gives me an error about the regex: Unable to compile regular expression.

root@server1:/etc/fail2ban# tail /var/log/fail2ban.log
2014-04-20 10:47:06,788 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set maxRetry = 3
2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set findtime = 600
2014-04-20 10:47:06,790 fail2ban.actions: INFO   Set banTime = 600
2014-04-20 10:47:06,790 fail2ban.filter : ERROR  Unable to compile regular expression '[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user .*; not found: \/phpmyadmin\/|[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user root: authentication failure for "\/phpmyadmin\/":'
2014-04-20 10:47:06,794 fail2ban.jail   : INFO   Jail 'ssh' started
2014-04-20 10:47:06,799 fail2ban.jail   : INFO   Jail 'pureftpd' started
2014-04-20 10:47:06,805 fail2ban.jail   : INFO   Jail 'phpmyadmin' started

My regex: http://regex101.com/r/kU7tX3 . What is wrong with this? Any help is appreciated. Thank you.

I would have asked a question in a comment but I cannot add a comment:

So trying my best to understand the requirement and giving an answer.

Requirement: I think you are looking to filter all lines containing "authentication failure for "/phpmyadmin/""

You can do so by changing your regular expression to the following:

failregex = .*authentication failure for "\/phpmyadmin\/"

You may have to escape "

Please add comments if this wasn't the correct understanding...
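As an added example (not code from either post above), the script below does to a failregex what fail2ban does before matching: it substitutes the `<HOST>` tag with the pattern shown in the "Unable to compile" line of fail2ban.log and compiles the result. It shows why the question's pattern fails (the unescaped `[` opens a character class, which leaves an unbalanced `)`), and a corrected filter written as two failregex lines with one `<HOST>` each, since fail2ban needs the `host` group to know which address to ban and Python rejects two groups with the same name in one pattern. The log lines are constructed in the shape of the Apache entries in the question, plus one unrelated line that must not match.

```python
import re
import warnings

# Constructed sample lines in the shape of the Apache error.log from the question, plus one unrelated line.
SAMPLE_LOG = """\
[Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/
[Sun Apr 20 10:40:44 2014] [error] [client 198.51.100.23] user pentest not found: /phpmyadmin/
[Sun Apr 20 10:41:02 2014] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
"""

# What fail2ban substitutes for <HOST>, copied from the "Unable to compile" line in fail2ban.log.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The question's failregex: the unescaped '[' opens a character class that runs to the
# first ']' inside the expanded <HOST>, leaving an unbalanced ')' behind it.
BROKEN = [r'[client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":']

# Corrected filter: brackets escaped, stray ';' dropped, and one <HOST> per regex
# (a multi-line failregex; Python rejects two groups named 'host' in one pattern).
FIXED = [
    r'^.*\[client <HOST>\] user \S+ not found: /phpmyadmin/',
    r'^.*\[client <HOST>\] user \S+: authentication failure for "/phpmyadmin/":',
]


def expand(failregex):  # substitute the <HOST> tag the way fail2ban does before compiling
    return failregex.replace("<HOST>", HOST_TAG)


def compile_errors(failregexes):
    """Return the re.error message of every failregex that fails to compile ([] means all OK)."""
    errors = []
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # hide 'possible nested set' hints for the broken pattern
        for fr in failregexes:
            try:
                re.compile(expand(fr))
            except re.error as exc:
                errors.append(str(exc))
    return errors


def offending_hosts(failregexes, log_text):
    """Return the <host> captured from each log line that any failregex matches, in log order."""
    patterns = [re.compile(expand(fr)) for fr in failregexes]
    hosts = []
    for line in log_text.splitlines():
        m = next((m for m in (p.search(line) for p in patterns) if m), None)
        if m:
            hosts.append(m.group("host"))
    return hosts
```

`compile_errors(BROKEN)` returns one "unbalanced parenthesis" error while `compile_errors(FIXED)` returns `[]`, and `offending_hosts(FIXED, SAMPLE_LOG)` yields the three client addresses that would count towards a ban.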
