Wish: fail2ban-regex with --print-all-matched-and-action #2036

ghost · 2018-01-31T06:02:20Z

This may be a dumb requirement (not yet know if there is alternative way to fulfill). But if fail2ban-regex can supply a function to output the possible action to take, that can be quite helpful to understand the final outcome of complicate Python string interpolation of fail2ban tags...

sebres · 2018-01-31T09:02:23Z

Is it something like:

fail2ban-regex --out-action 'my-action[prm1="val1",...]' $log $filter

Or:

fail2ban-regex --out-tags $log $filter

Could you provide an example, just for better understanding, what do you mean with supply a function. E. g. something like the command-line you wish.

ghost · 2018-01-31T10:42:29Z

yes... your suggestion is quite insightful. For me, simple tags which is predefined in action.d could be okay. (specify tag or composite action on shell command line could be quite uncertain since it is bash-ish syntax. we need POSIX-like stuffs. e.g, "xyz", $'\n', blah blah)

Correct me if I am wrong here!

fail2ban-regex --out-action $log $filter $action_conf_file

sebres · 2018-01-31T11:11:13Z

Although it would be relative easy to implement for some script-actions (but no way for pythonic actions).
Just some tags are depended on the init-arguments specified in jail.conf resp. distribution-related config-files, etc.
The problem thereby - fail2ban-regex should consider all this (exactly the same manner as fail2ban-server, but it is not the server).

we need POSIX-like stuffs

The problem here - you'll then see the pre-substituted scripts only (with interpolated tags), but they are not executed in shell (because otherwise some complex scripts may cause ban or send mail, etc).
Thus the potential wrong shell syntax (like bashism's, invalid command syntax, etc) will be still not recognized.

fail2ban-regex --out-action $log $filter $action_conf_file

Exactly this syntax will be impossible, because it conflicts with 3rd optional argument, which is currently ignore-pattern (it could work as in my example above).

ghost · 2018-01-31T11:26:18Z

I see... those run-time dependency (or Python-script dependency) tag cannot be decided/finalized by fail2ban-regex moment without truly code execution. In that case, we make requirement simpler, as your suggestion, we specify action (or tag) via shell command parameters, and/or dump tags mentioned in filter config file, which is supplied via shell command as well.

Again, correct me if I am thinking wrong.

sebres · 2020-01-09T16:23:01Z

Latest version (since d1b7e2b) partially implementing this RFE, so fail2ban-regex is able to dump the tags matched from log/journal.

Examples:

$ fail2ban-regex -r -o row './fail2ban/tests/files/testcase01.log' sshd
[u'failed.dns.ch',      1577789999.0,   {'dns': u'failed.dns.ch', 'users': set([u'kevin']), 'ip6': None, 'user': u'kevin', 'ip4': None, 'mlfid': u' [sshd] '}],
...
['87.142.124.10',       1577789999.0,   {'dns': None, 'users': set([u'kevin']), 'ip6': None, 'user': u'kevin', 'ip4': u'87.142.124.10', 'mlfid': u' [sshd] '}],

$ fail2ban-regex -r -o id './fail2ban/tests/files/testcase01.log' sshd | uniq -c
      3 failed.dns.ch
      3 193.168.0.128
      4 87.142.124.10

$ fail2ban-regex -r -o user './fail2ban/tests/files/testcase01.log' sshd | uniq
kevin

This facilities will be released with 0.10.5 (and 0.11).

sebres · 2022-02-14T16:10:11Z

#2909 (comment) illustrates some PoC extending fail2ban-regex with a command option.

sebres added the enhancement label Jan 31, 2018

sebres mentioned this issue Mar 19, 2018

How does the application read error logs? #2086

Closed

3 tasks

sebres added this to the 1.0 milestone Jan 10, 2020

sebres pinned this issue Jan 10, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wish: fail2ban-regex with --print-all-matched-and-action #2036

Wish: fail2ban-regex with --print-all-matched-and-action #2036

Wish: fail2ban-regex with --print-all-matched-and-action #2036

Wish: fail2ban-regex with --print-all-matched-and-action #2036

Comments