ehlesp / smallab-k8s-pve-guide

A guide series explaining how to set up a personal small homelab running a Kubernetes cluster with VMs on a Proxmox VE standalone server node.

Mistake in Regex for proxmox fail2ban #15

Closed ayoahha closed 1 month ago

ayoahha commented 6 months ago

Where's the issue located

What's the problem

The failregex regex fails when we test it against daemon.log (journalctl compliancy):

root@pve:~# fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

Running tests
=============

Use   failregex filter file : proxmox, basedir: /etc/fail2ban
ERROR: Unable to compile regular expression 'pvedaemon[.authentication (verification )?failure; rhost=(?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w)) user=. msg=.*':
unbalanced parenthesis at position 146

CURRENT REGEX block in /etc/fail2ban/filter.d/proxmox.conf:

[Definition]
failregex = pvedaemon\[.*authentication (verification )?failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

SHOULD BE INSTEAD in /etc/fail2ban/filter.d/proxmox.conf:

[Definition]
failregex = pvedaemon\[[0-9]+\]: authentication (verification )?failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Oh, and I cannot forget to THANK YOU for this wonderful guide! You did a massive amount of work, and it is much, much appreciated.

ehlesp commented 6 months ago

Hi @ayoahha and thanks for pointing this issue out!

Before I apply the fix you suggest, I must ask if you've seen this happen with the software versions specified in the guide or when working with newer ones. Depending on the scenario, I'll have to apply a different approach to fix (or just warn about) this problem.

ayoahha commented 5 months ago

> Hi @ayoahha and thanks for pointing this issue out!
>
> Before I apply the fix you suggest, I must ask if you've seen this happen with the software versions specified in the guide or when working with newer ones. Depending on the scenario, I'll have to apply a different approach to fix (or just warn about) this problem.

Oh sorry, I did not get the notification of your reply.

Yes, you are correct: this issue is for Proxmox 8 (8.1.4 to be exact). But the current regex seems in any case very weird, isn't it?

ehlesp commented 5 months ago

The regex might look strange to you @ayoahha because it uses a catchall expression (.*) instead of the more elaborate version you propose ([0-9]+\]:). I don't remember if I copied this regex from somewhere, but my version just tries to capture anything that appears between the pvedaemon\[ and the authentication strings. It doesn't really matter what's between those strings, since the remainder of the string is what is going to tell the difference of the authentication verification failure lines from other log lines.

I've noticed that, in the ERROR you've posted in this issue's description, the regex is wrong because it's missing the catchall expression (.*). I'd suggest you try again in your setup with the regex in the guide, but paying attention to enter the regex without missing anything.

ehlesp commented 1 month ago

I close this issue since there's no apparent problem with the regex itself, but it seems more of an issue of just entering it right in your configuration @ayoahha. Your alternative looks good too, but I prefer the catchall just in case an unexpected new character may appear there in the future.
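
The comparison discussed in this thread, as an added example that is not part of the issue or of the guide: it compiles the guide's catchall failregex, the stricter alternative, and a variant whose `[` has lost its backslash (as the pattern reads in the ERROR line above), then runs them over sample lines. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the log lines are constructed, and that a lost backslash is what happened in the reporter's file is not confirmed by the thread.

```python
import re
import warnings

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, an assumption); the
# real expansion also covers IPv6 and DNS names, as the ERROR output shows.
HOST = r"(?P<host>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"

TAIL = r"authentication (verification )?failure; rhost=<HOST> user=.* msg=.*"
PATTERNS = {
    "guide": r"pvedaemon\[.*" + TAIL,           # catchall version from the guide
    "strict": r"pvedaemon\[[0-9]+\]: " + TAIL,  # version proposed in the issue
    "unescaped": r"pvedaemon[.*" + TAIL,        # backslash before '[' lost
}

# Constructed sample lines, not taken from a real daemon.log.
LINES = {
    "usual": "Feb 10 12:00:00 pve pvedaemon[1234]: authentication failure; "
             "rhost=203.0.113.7 user=root@pam msg=Authentication failure",
    "changed_prefix": "Feb 10 12:00:01 pve pvedaemon[1234] worker: authentication "
             "verification failure; rhost=203.0.113.7 user=root@pam msg=bad ticket",
    "unrelated": "Feb 10 12:00:02 pve pvedaemon[1234]: <root@pam> successful auth "
             "for user 'root@pam'",
}

def compile_filter(name):
    """Expand <HOST> and compile; return (regex, None) or (None, error text)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)
        try:
            return re.compile(PATTERNS[name].replace("<HOST>", HOST)), None
        except re.error as exc:
            return None, str(exc)

def banned_host(name, line):
    """Return the host the filter would report for this line, or None."""
    regex, _ = compile_filter(name)
    match = regex.search(line) if regex else None
    return match.group("host") if match else None

if __name__ == "__main__":
    for name in PATTERNS:
        print(name, "compile error:", compile_filter(name)[1])
        for label, line in LINES.items():
            print("   ", label, "->", banned_host(name, line))
```

A filter that fails to compile matches nothing, so the jail bans no one; running `fail2ban-regex` against the log after every edit to the filter file, as done in the issue description, catches that before the jail is relied on.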