A handy command for easily testing fail2ban filters
fail2ban-regex
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

Fail2Ban v0.8.3-SVN reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

This tools can test regular expressions for "fail2ban".

Options:
  -h, --help       display this help message
  -V, --version    print the version

Log:
  string           a string representing a log line
  filename         path to a log file (/var/log/auth.log)

Regex:
  string           a string representing a 'failregex'
  filename         path to a filter file (filter.d/sshd.conf)

IgnoreRegex:
  string           a string representing an 'ignoreregex'
  filename         path to a filter file (filter.d/sshd.conf)
A small test with the case of bots looking for vulnerabilities to exploit on your web server.
The command to run is:
fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf
And if all goes well it returns:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use log file : /var/log/apache2/default-error.log
Results
=======
Failregex
|- Regular expressions:
| [1] [[]client <HOST>[]] File does not exist: /var/empty/.*
|
`- Number of matches:
[1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
Look at the above section 'Running tests' which could contain important information.

xxxxx@xxxxx:~$ fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf
/usr/share/fail2ban/server/filter.py:431: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use log file : /var/log/apache2/default-error.log.1
Results
=======
Failregex
|- Regular expressions:
| [1] [[]client <HOST>[]] File does not exist: /var/empty/.*
|
`- Number of matches:
[1] 20 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
72.55.156.243 (Sun Jun 06 14:18:32 2010)
72.55.156.243 (Sun Jun 06 14:18:32 2010)
72.55.156.243 (Sun Jun 06 14:18:33 2010)
72.55.156.243 (Sun Jun 06 14:18:33 2010)
72.55.156.243 (Sun Jun 06 14:32:00 2010)
72.55.156.243 (Sun Jun 06 14:32:00 2010)
72.55.156.243 (Sun Jun 06 14:32:01 2010)
72.55.156.243 (Sun Jun 06 14:32:01 2010)
72.55.156.243 (Sun Jun 06 14:32:01 2010)
72.55.156.243 (Sun Jun 06 14:32:01 2010)
72.55.156.243 (Sun Jun 06 15:19:52 2010)
72.55.156.243 (Sun Jun 06 15:19:52 2010)
72.55.156.243 (Sun Jun 06 15:19:52 2010)
72.55.156.243 (Sun Jun 06 15:19:53 2010)
72.55.156.243 (Sun Jun 06 15:19:53 2010)
72.55.156.243 (Sun Jun 06 15:19:53 2010)
88.80.10.1 (Sun Jun 06 22:02:12 2010)
202.67.197.61 (Wed Jun 09 08:08:56 2010)
61.153.150.170 (Fri Jun 11 13:39:20 2010)
61.153.150.170 (Fri Jun 11 17:15:17 2010)
Date template hits:
41 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
Success, the total number of match is 20
However, look at the above section 'Running tests' which could contain important information.
Hi dear friend, I use Karmic Koala and fail2ban for Apache, but it does not work. I have this answer in the shell when I test failregex:
root@amed2:~# fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf
/usr/share/fail2ban/server/filter.py:431: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex line : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use single line: /var/log/apache2/default-error.log.1
No 'host' group in '/etc/fail2ban/filter.d/apache-nodnsuse.conf'
Cannot remove regular expression. Index 0 is not valid
Results
=======
Failregex
|- Regular expressions:
| [1] /etc/fail2ban/filter.d/apache-nodnsuse.conf
|
`- Number of matches:
[1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
Look at the above section 'Running tests' which could contain important information.
root@amed2:~#
How can I resolve this? Thanks in advance to all, best regards, dema2, Italy
Hi Dema2,
In my sample I use this regex file: /etc/fail2ban/filter.d/apache-nodnsuse.conf
It is a custom filter and it is not provided by the default installation (I explain how I made the apache-nodnsuse fail2ban filter here).
So I guess you are trying to test a regex file that doesn't exist.
If you want to test a regex directly from a standard installation you should try this instead:
fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-auth.conf
apache-auth.conf is a standard filter provided by the default fail2ban install.
[Wed Jun 26 13:43:16 2013] [error] [client 188.194.180.249] (13)Permission denied: access to /docs/me..(etc)…
I had a problem banning « Permission denied » in apache/error.log with the following line
failregex = [[]client <HOST>[]] (Permission denied)
since the (13) there disqualified the regex.
Using
failregex = [[]client <HOST>[]] (\(13\)Permission denied)
solved the problem.
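Added example, not code from the post, the comments or fail2ban itself: a small Python stand-in for the matching step that fail2ban-regex performs. It expands `<HOST>` the way fail2ban 0.8 does, then runs the post's `/var/empty` failregex and the two `Permission denied` variants from the comment above over constructed Apache error-log lines (documentation IP ranges) and reports which hosts would be caught. The `ignoreregex` used for the trusted-host case is also constructed for illustration.

```python
import re

# fail2ban 0.8 replaces the <HOST> tag with this named group before compiling;
# fail2ban-regex reports "No 'host' group" when a pattern lacks the tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(failregex):
    """Expand <HOST> and compile, mirroring what fail2ban does with filter.d/*.conf."""
    if "<HOST>" not in failregex:
        raise ValueError("No 'host' group in failregex")
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def addresses_found(failregex, lines, ignoreregex=None):
    """Return the hosts a filter would catch, like the 'Addresses found' summary."""
    pattern = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):
            continue  # a matching ignoreregex wins, exactly as in fail2ban
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts

# Constructed Apache 2.2 error-log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    "[Sun Jun 06 14:18:32 2010] [error] [client 192.0.2.10] File does not exist: /var/empty/favicon.ico",
    "[Sun Jun 06 14:18:33 2010] [error] [client 192.0.2.10] File does not exist: /var/empty/old-site",
    "[Sun Jun 06 22:02:12 2010] [error] [client 198.51.100.7] File does not exist: /var/empty/robots.txt",
    "[Wed Jun 26 13:43:16 2013] [error] [client 203.0.113.5] (13)Permission denied: access to /docs/me",
    "[Wed Jun 26 13:43:20 2013] [notice] caught SIGTERM, shutting down",
]

# The post's custom apache-nodnsuse pattern and the two variants from the comment.
NODNSUSE = r"[[]client <HOST>[]] File does not exist: /var/empty/.*"
PERM_DENIED_BROKEN = r"[[]client <HOST>[]] (Permission denied)"      # '(13)' sits in the way
PERM_DENIED_FIXED = r"[[]client <HOST>[]] (\(13\)Permission denied)"

if __name__ == "__main__":
    print("nodnsuse        :", addresses_found(NODNSUSE, SAMPLE_LOG))
    print("trusted ignored :", addresses_found(NODNSUSE, SAMPLE_LOG, ignoreregex=r"client 192\.0\.2\.10"))
    print("broken          :", addresses_found(PERM_DENIED_BROKEN, SAMPLE_LOG))
    print("fixed           :", addresses_found(PERM_DENIED_FIXED, SAMPLE_LOG))
```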