How do I format this regex so it will work in fail2ban?

Solution 1:

Apparently this is a case of RTFM. After digging around for a while, I found a page on the fail2ban website that states that it makes two regex matches per line, one for the timestamp and one for the rest of the line following the timestamp. The timestamp in the audit.log is in Epoch format, and was apparently failing the first regex match. Using fail2ban-regex to compare /var/log/secure to my fail2ban sshd.conf file resulted in the desired behavior.

The correct solution was to point the appropriate section of my jail.conf at /var/log/secure.

For people who still want to make their own regular expressions, this section has a lot of good information, including this little tidbit that eventually helped me solve this:

In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex. If the failregex is anchored with a leading ^, then the anchor refers to the start of the remainder of the line, after the timestamp and intervening whitespace.

I hope that my RTFM moment will help someone down the line.
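The two-stage match that the quoted documentation describes, as an added example (not part of the original answer and not fail2ban's own code): a small Python model where the datepattern must match at the start of the line, the failregex is then applied only to the remainder, and a leading ^ in the failregex anchors to that remainder. The log lines are constructed; the syslog and epoch datepatterns, the simplified IPv4-only <HOST> expansion and the failregexes are all assumptions written for this illustration, not fail2ban's built-in date templates or regexes.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's real expansion also matches IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Stage 1 patterns. Both are hand-written for this example, anchored at the
# start of the line, and capture the timestamp text in a group named "ts".
SYSLOG_DATEPATTERN = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# Assumed pattern for an audit.log prefix: the epoch sits inside msg=audit(...),
# so the datepattern has to consume the whole "type=... msg=audit(EPOCH:serial):" prefix.
AUDIT_DATEPATTERN = r"^type=\S+ msg=audit\((?P<ts>\d{10}(?:\.\d+)?):\d+\):"

# Stage 2 patterns. The leading ^ refers to the start of the remainder, i.e. the
# text after the timestamp and the whitespace that follows it.
SSHD_FAILREGEX = (r"^\S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                  r"from <HOST> port \d+ ssh2$")
AUDIT_FAILREGEX = r"^pid=\d+ .*addr=<HOST> terminal=ssh res=failed'$"
# Common mistake: a failregex that tries to match the timestamp itself. Its ^
# is anchored after the timestamp, so it can never match.
WRONG_FAILREGEX = r"^\w{3} +\d+ [\d:]+ \S+ sshd\[\d+\]: Failed password for .* from <HOST>"

# Constructed sample lines (not taken from any real system).
SECURE_LINE = ("Jan 12 10:11:12 bastion sshd[1234]: Failed password for invalid "
               "user admin from 203.0.113.5 port 54321 ssh2")
AUDIT_LINE = ("type=USER_AUTH msg=audit(1700000000.123:456): pid=1234 uid=0 "
              "auid=4294967295 ses=4294967295 msg='op=PAM:authentication "
              "acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=203.0.113.5 "
              "addr=203.0.113.5 terminal=ssh res=failed'")


def match_line(line, datepattern, failregex):
    """Model of fail2ban's two-part match.

    Returns (timestamp_text, host) when both stages match, otherwise None.
    Stage 1: the datepattern must match at the very beginning of the line.
    Stage 2: the failregex is searched in the remainder after the timestamp
             and intervening whitespace, so its ^ anchors to that remainder.
    """
    date_match = re.match(datepattern, line)
    if date_match is None:
        return None  # timestamp not recognised: the line is discarded here
    remainder = line[date_match.end():].lstrip()
    fail_match = re.search(failregex.replace("<HOST>", HOST_RE), remainder)
    if fail_match is None:
        return None
    return date_match.group("ts"), fail_match.group("host")


if __name__ == "__main__":
    # /var/log/secure line with a syslog timestamp: both stages match.
    print(match_line(SECURE_LINE, SYSLOG_DATEPATTERN, SSHD_FAILREGEX))
    # audit.log line against the syslog datepattern: fails at stage 1.
    print(match_line(AUDIT_LINE, SYSLOG_DATEPATTERN, AUDIT_FAILREGEX))
    # Same audit.log line with a datepattern that understands its epoch prefix.
    print(match_line(AUDIT_LINE, AUDIT_DATEPATTERN, AUDIT_FAILREGEX))
    # Failregex that includes the timestamp: ^ is past it, so no match.
    print(match_line(SECURE_LINE, SYSLOG_DATEPATTERN, WRONG_FAILREGEX))
```

The second call is the situation described in the answer: the audit.log line never reaches the failregex because stage 1 rejects it, which is why fail2ban-regex reports no matches even when the failregex itself looks right. Against a real jail, check the same thing with fail2ban-regex on the actual log file rather than trusting the model above.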