I have a log file with lines that look like this:

2019-12-21 20:30:02 index [WARNING]: authenticate: failed login attempt {"action":"login","username":"tgbtgbtgbtgb","ip":"61.142.184.152"} - {"file":"Login.php","line":147, ...

I set up a filter in Fail2ban with the following regex:

\"%Y-%m-%d %H:%M:%S\" index [WARNING]: authenticate: failed login attempt {\"action\":\"login\",\"username\":\".*\",\"ip\":\"<HOST>\".*

Unfortunately, Fail2ban can't catch the failed login attempts based on the regex above. What can be wrong?

The configuration block in /etc/fail2ban/jail.local is:

[appname]
enabled  = true
filter   = appname
logpath  = /path/to/logfile.log
port     = 80,443
maxretry = 3
bantime = 259200

Also, the log file is readable by Fail2ban. Thank you for your help!

1 Answer

Fail2ban removes the timestamp matched by datepattern from the string before the search for a failregex match begins.
So you can just remove \"%Y-%m-%d %H:%M:%S\".

Or, better, use something like this:

failregex = ^\s*\S*\s+\[WARNING\]: authenticate: failed login attempt \{(?:"(?!ip")[^"]+":(?:"(?:[^"]|\\")*(?!\\)"|[^,]*),\s*)*"ip":"<HOST>"

This is a bit safer: it is anchored at the start, and it would still match if the part that looks like JSON changed in between (order of tags, etc.).
The part (?:"(?!ip")[^"]+":(?:"(?:[^"]|\\")*(?!\\)"|[^,]*),\s*)* is a "simple" matcher for JSON dict elements that skips over any tag except "ip".
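To see what the answer's failregex does with lines like the one in the question, here is an added Python harness (not part of the original post or of Fail2ban itself). It simulates the two steps described above: the date is stripped first, then the failregex is searched on what remains. The date-stripping pattern and the expansion of <HOST> to (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w) are assumptions modelled on Fail2ban's classic behaviour, not the exact code of any release, and the log lines are constructed samples based on the question's format. The question's regex is run too so the difference is visible; note that in Python regex syntax an unescaped [WARNING] is a character class matching a single letter, which the answer's regex avoids by writing \[WARNING\].

```python
import re

# Assumed simulation of fail2ban's datepattern removal: the leading
# "YYYY-MM-DD HH:MM:SS" timestamp (plus following whitespace) is cut off
# before failregex is searched.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s*")

# Assumed expansion of <HOST> (classic fail2ban 0.9 pattern); newer
# releases use a richer pattern, but the named group "host" is the same idea.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the answer above.
ANSWER_FAILREGEX = (
    r'^\s*\S*\s+\[WARNING\]: authenticate: failed login attempt '
    r'\{(?:"(?!ip")[^"]+":(?:"(?:[^"]|\\")*(?!\\)"|[^,]*),\s*)*"ip":"<HOST>"'
)

# The regex from the question, for comparison.
QUESTION_FAILREGEX = (
    r'\"%Y-%m-%d %H:%M:%S\" index [WARNING]: authenticate: failed login attempt '
    r'{\"action\":\"login\",\"username\":\".*\",\"ip\":\"<HOST>\".*'
)

# Constructed sample lines modelled on the question's log format (not real data).
LOG_LINES = [
    # the shape shown in the question
    '2019-12-21 20:30:02 index [WARNING]: authenticate: failed login attempt '
    '{"action":"login","username":"tgbtgbtgbtgb","ip":"61.142.184.152"} - {"file":"Login.php","line":147}',
    # same event, JSON keys in a different order ("ip" first)
    '2019-12-21 20:30:03 index [WARNING]: authenticate: failed login attempt '
    '{"ip":"203.0.113.7","action":"login","username":"bob"} - {"file":"Login.php","line":147}',
    # username containing an escaped quote, which the value matcher must step over
    '2019-12-21 20:30:04 index [WARNING]: authenticate: failed login attempt '
    '{"action":"login","username":"a\\"b","ip":"198.51.100.9"} - {"file":"Login.php","line":147}',
    # a successful login at a different level: must NOT be counted as a failure
    '2019-12-21 20:30:05 index [INFO]: authenticate: login ok '
    '{"action":"login","username":"alice","ip":"192.0.2.4"}',
]


def simulate_fail2ban(failregex: str, lines) -> list:
    """Return the hosts fail2ban would extract from `lines` with `failregex`.

    Mirrors the two steps the answer describes: strip the matched date,
    then search (not match) the failregex on the remainder.
    """
    compiled = re.compile(failregex.replace("<HOST>", HOST))
    hosts = []
    for line in lines:
        stripped = DATE_RE.sub("", line, count=1)
        m = compiled.search(stripped)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("answer regex   ->", simulate_fail2ban(ANSWER_FAILREGEX, LOG_LINES))
    print("question regex ->", simulate_fail2ban(QUESTION_FAILREGEX, LOG_LINES))
```

Running it shows the answer's regex picking up all three failed attempts (including the reordered keys and the escaped quote) while ignoring the INFO line, and the question's regex extracting nothing. The same check can be done against the real log with fail2ban-regex, which performs the date stripping and <HOST> expansion exactly as the installed version does.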