I updated my fail2ban from 0.9.x to 0.10.x.
After that, my custom filter doesn't work anymore. The function of this filter is to ban an IP after 4 hits on a 404 page (page not found) on Apache.
I found a problem in failregex.
2018-08-22 15:45:32,440 fail2ban.transmitter [23452]: WARNING Command ['set', 'apache-40', 'addfailregex', '(?P<host>[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}) .+ 4[0-9]{1,2} [0-9]+ "'] has failed. Received RegexException('No failure-id group in \'(?P<host>[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}) .+ 4[0-9]{1,2} [0-9]+ "\'',)
2018-08-22 15:45:32,440 fail2ban [23452]: ERROR NOK: ('No failure-id group in \'(?P<host>[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}) .+ 4[0-9]{1,2} [0-9]+ "\'',)
In this post I found something saying that I need to add a new string because of IPv6 support: https://github.com/fail2ban/fail2ban/issues/2130#issuecomment-391680328
My original file is this:
[Definition]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 4[0-9]{1,2} [0-9]+ "
ignoreregex = favicon\.ico
Any suggestions for the new string?
<HOST> is there for failregexes to match the IP address, so you don't need to write your own. Additionally, your "regex" is susceptible to DoS attacks. Honestly, don't waste your CPU on banning 404 messages; it's just background noise. If you don't like seeing them, configure locations that don't log. Using fail2ban to reduce weblogs isn't actually providing a security benefit. You're just burning through CPU, especially with your regexes, and taking that away from your legitimate users. - danblack
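An added example (not from either poster, and not fail2ban's own code): the filter from the question rewritten with a host group anchored at the start of the line, run over constructed Apache combined-format lines with the 4-hit threshold from the question. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and `failures`, `to_ban` and `entry` are hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter

# The filter from the question, unchanged: IPv4-only and not anchored.
ORIGINAL = re.compile(r'(?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 4[0-9]{1,2} [0-9]+ "')

# Assumption: simplified stand-in for fail2ban's <HOST> tag, whose real
# expansion is more elaborate. Candidates are validated with ipaddress below.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Anchored variant: the address is read only from the first field, and the
# status must directly follow the quoted request line.
FAILREGEX = re.compile(
    r'^<HOST> \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" 4[0-9]{2} \S+'.replace("<HOST>", HOST)
)
IGNOREREGEX = re.compile(r"favicon\.ico")

def failures(lines):
    """Count 4xx responses per client address, skipping ignored lines."""
    hits = Counter()
    for line in lines:
        if IGNOREREGEX.search(line):
            continue
        m = FAILREGEX.match(line)
        if m is None:
            continue
        try:
            hits[str(ipaddress.ip_address(m.group("host")))] += 1
        except ValueError:
            continue  # first field was not an IP address
    return hits

def to_ban(lines, maxretry=4):
    """Addresses that reached maxretry (findtime is not modelled here)."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)

def entry(client, path, status):
    # Constructed sample line in Apache combined log format.
    return f'{client} - - [22/Aug/2018:15:45:32 +0200] "GET {path} HTTP/1.1" {status} 209 "-" "test-agent"'

SAMPLE = (
    [entry("203.0.113.7", f"/missing{i}", 404) for i in range(4)]
    + [entry("2001:db8::5", f"/gone{i}", 404) for i in range(4)]
    + [entry("192.0.2.9", f"/typo{i}", 404) for i in range(3)]
    + [entry("198.51.100.2", "/favicon.ico", 404) for _ in range(4)]
    + [entry("198.51.100.2", "/index.html", 200)]
)

if __name__ == "__main__":
    print(to_ban(SAMPLE))
```

The original pattern never matches the IPv6 client, while the anchored one counts both address families and leaves the favicon and below-threshold clients alone.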