Fail2ban: ignoreregex not working

Created on 21 Dec 2012 · 3 comments · Source: fail2ban/fail2ban

The ignoreregex option in config files does not work (v0.8.4).
When testing with fail2ban-regex not even an "Unable to compile regular expression" error is thrown.

fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf

No matches at all:

|- Regular expressions:
|
`- Number of matches:

Example:
suhosin.conf

[Definition]
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
ignoreregex = suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*

error.log

Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable      'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'topic' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)

I'm trying to match all suhosin attacks and subtract all attacks trying to increase the memory_limit.

All 3 comments

be descriptive: have you specified ignoreregex at all?

$> /usr/bin/fail2ban-regex | head
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

so if I do add ignoreregex to e.g. sshd.conf (although need to avoid
anchoring on the front since matching for ignoreregex is applied to full
line, without stripping time/date) -- it is all good

$> ./fail2ban-regex testcases/files/logs/sshd config/filter.d/sshd.conf config/filter.d/sshd.conf  2>/dev/null | grep -A2 Ignoreregex 
Ignoreregex: 2 total
|- #) [# of hits] regular expression
|  1) [2] \s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$

$> grep ignoreregex config/filter.d/sshd.conf
# Option:  ignoreregex
ignoreregex = %(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$

On Fri, 21 Dec 2012, Jens-André Koch wrote:

The ignoreregex option in config files does not work (v0.8.4).
When testing with fail2ban-regex not even an "Unable to compile regular
expression" error is thrown.
No matches at all:

Ignoreregex
|- Regular expressions:

`- Number of matches:

Am I missing a general configuration option or is this a bug?

Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
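A small model of what fail2ban-regex does with the two patterns from this thread, added here as an illustration and not code from fail2ban itself. It follows the semantics the maintainer describes above: failregex is tried on the line with the syslog timestamp removed, while ignoreregex is tried on the untouched line, so an ignoreregex anchored with `^` silently ignores nothing. The log lines are constructed copies of the ones in the report, and the `<HOST>` expansion is a simplified stand-in for fail2ban's own template (an assumption).

```python
import re

# Filter patterns exactly as given in the suhosin.conf of this report.
FAILREGEX = r"suhosin\[\d*\].*\(attacker\s'<HOST>'.*"
IGNOREREGEX = r"suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*"

# Constructed sample lines modelled on the report (not real traffic).
SAMPLE_LOG = """\
Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# template is broader and also accepts IPv6-mapped and hostname forms).
HOST_TEMPLATE = r"(?P<host>[\w\-.]+)"

# Syslog-style timestamp such as "Dec 17 15:51:13 " at the start of a line.
DATE_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def compile_filter(pattern):
    """Expand <HOST> and compile, raising the kind of error fail2ban-regex
    reports for a pattern that does not compile."""
    try:
        return re.compile(pattern.replace("<HOST>", HOST_TEMPLATE))
    except re.error as exc:
        raise ValueError("Unable to compile regular expression %r: %s" % (pattern, exc))


def match_lines(log_text, failregex, ignoreregex=None):
    """Return (hosts that would be counted as failures, number of ignored lines).

    failregex is searched in the line after the timestamp is stripped;
    ignoreregex is searched in the full, unmodified line, so an ignoreregex
    anchored with ^ never matches a timestamped line.
    """
    fail_re = compile_filter(failregex)
    ignore_re = compile_filter(ignoreregex) if ignoreregex else None
    hosts = []
    ignored = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        body = DATE_PREFIX.sub("", line, count=1)
        found = fail_re.search(body)
        if found is None:
            continue
        if ignore_re is not None and ignore_re.search(line):
            ignored += 1
            continue
        hosts.append(found.group("host"))
    return hosts, ignored


def count_by_host(hosts):
    """Group matched hosts the way a ban decision would see them."""
    counts = {}
    for host in hosts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for label, ignore in (("no ignoreregex", None),
                          ("ignoreregex as written", IGNOREREGEX),
                          ("ignoreregex anchored with ^", "^" + IGNOREREGEX)):
        hosts, ignored = match_lines(SAMPLE_LOG, FAILREGEX, ignore)
        print("%-28s matched=%s ignored=%d" % (label, count_by_host(hosts), ignored))
```

Run as-is, the second case is the one the filter in this thread is meant to produce: the two memory_limit lines are ignored and only 67.210.100.166 accumulates failures. The third case reproduces the anchoring pitfall from the comment above: the same pattern with a leading `^` ignores nothing, and 123.123.123.123 would be counted too, which is why fail2ban-regex's Ignoreregex section is worth checking with the filter file passed as the third argument.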

:+1:
Ah, you are right. Thanks for pointing me to the correct third parameter.
I should have read the man pages before posting this.
Anyway this works:

fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf /etc/fail2ban/filter.d/suhosin.conf

I'm closing the issue. Merry Christmas. Bye.

Merry Christmas! ;)

On Fri, 21 Dec 2012, Jens-André Koch wrote:

[1]:+1:
Ah, you are right. Thanks for pointing me to the correct third parameter.
I should have read the man pages before posting this.
Anyway this works:
fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf
/etc/fail2ban/filter.d/suhosin.conf

I'm closing the issue. Merry Christmas. Bye.

References

Visible links

  1. https://github.com/fail2ban/fail2ban/issues/100#issuecomment-11623202

