0
votes

Can you tell me why my regex is not matching? I tested it with the command-line tool fail2ban-regex:

fail2ban-regex "01:53:56 114.119.167.52 mydomain.de:80 GET /file.php  404 " "^.* <HOST> .* 404 .*$"

|- Missed line(s):
|  01:53:56 114.119.167.52 mydomain.de:80 GET /file.php  404
`-

1
.* was missing after <HOST>, but it still does not match. - stefan-eibl
Yes, <HOST> is a template variable from fail2ban; it gets the value of the IP address at this position of the line in the log. Then fail2ban can add an iptables blocking rule for this IP address. wiki.ubuntuusers.de/fail2ban - stefan-eibl
404 .*$ won't match unless there's a space after the 404; you should likely remove the space from the pattern - Aaron
If <HOST> doesn't include the port, you must also remove the space after it so that the .* that follows can match the :80 - Aaron
I don't know why, but now it works. I tested another minimized pattern, which is all I need: just match any 404, get the host IP and block it. - stefan-eibl

1 Answer

0
votes

I don't know why, but now it works. I tested another minimized pattern, which is all I need: just match any 404, get the host IP and block it. Here is the code:

root@raspi:~# fail2ban-regex "01:53:56 114.119.167.52 mydomain.de:80 GET /file.php  404 " "<HOST>.* 404"
Lines: 1 lines, 0 ignored, 1 matched, 0 missed

Now I have to test whether it really works too, in the fail2ban server or client or whatever this thing is called... ...now tested, and it really works on the server. So all this overcorrect line-start and line-end regex-klimbim which appears in all the internet examples is not needed and stops it from working.
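
An added example, not part of the original post: it runs the two patterns from this thread with Python's `re` against the sample line in four forms, showing how the anchored pattern depends on literal spaces while the minimal one also matches a constructed non-404 line. The `HOST` stand-in, the assumed preprocessing (timestamp removed, trailing whitespace stripped), the `fields` pattern and the second log line are assumptions made for illustration.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption; the real
# expansion is more elaborate and is not reproduced here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

PATTERNS = {
    "anchored": r"^.* <HOST> .* 404 .*$",           # first pattern from the question
    "minimal": r"<HOST>.* 404",                     # pattern from the answer
    # Hypothetical tighter pattern: status must be the 4th field after the host.
    "fields": r"<HOST> \S+ \S+ \S+\s+404\b",
}

RAW = "01:53:56 114.119.167.52 mydomain.de:80 GET /file.php  404 "

# Constructed line: status 200, but a later field happens to be 404.
FALSE_POSITIVE = "01:54:10 203.0.113.7 mydomain.de:80 GET /index.php  200 404"


def variants(line):
    """Forms of the line a matcher might see (assumed preprocessing)."""
    no_time = re.sub(r"^\d{2}:\d{2}:\d{2} ?", "", line)
    return {
        "raw": line,
        "timestamp removed": no_time,
        "trailing space stripped": line.rstrip(),
        "both": no_time.rstrip(),
    }


def matched_host(pattern, line):
    """Return the captured IP, or None if the pattern does not match."""
    m = re.search(pattern.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def report(line=RAW):
    """Map pattern name -> {variant name -> captured host or None}."""
    return {name: {v: matched_host(p, text) for v, text in variants(line).items()}
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, results in report().items():
        for variant, host in results.items():
            print(f"{name:9} {variant:24} -> {host}")
    for name, p in PATTERNS.items():
        print(f"{name:9} on the 200 line -> {matched_host(p, FALSE_POSITIVE)}")
```

Since a match leads to a ban, it is worth running any candidate pattern against lines that should not match as well as lines that should.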