Closed brantleyp1 closed 1 year ago
It is not a bug, but feature!
Shortly - ignoreregex
doesn't need to be applicated because no one of that messages matching your failregex
.
fail2ban-regex
was rewritten to be more similar to fail2ban-server
, so it uses the same filter-process as the server itself.
Fail2ban (server) always had applied ignoreregex
only if the message matching some failregex
.
With other words - simply consider the output with the missed lines, because failregex
has higher precedence than ignoreregex
.
Just curious then, is ignoreregex going away?
For instance I have an IP running a scan tool that I know generates failed logins, but I don't want it blocked, so instead of regex'ing for
Is ignoreregex processed before or after failregex?
Just curious then, is ignoreregex going away?
No. It doesn't. It is (and always was) applied by successful match with failregex
(what did not matched in your case).
Just fail2ban-regex has a bit different algorithm previously (which is now more similar to fail2ban-server processing).
Is ignoreregex processed before or after failregex?
After and only if it matches.
BTW, abovementioned filter doesn't really need ignoreregex, if failregex will be written more precise (anchored and without catch-all's), for instance
- failregex = Auth: \(.*\) Login incorrect \(.*\): \[.*\] \(from client all_ipv4 port .* cli <HOST>\).*$
+ failregex = ^Auth: \([^\)]*\) Login incorrect \([^\)]*\): \[[^\]]*\] \(from client [^\)]* cli <HOST>\)
Furthermore the ignoreregex .*Auth:.*OK.*$
is extremely vulnerable and if for instance somewhere in foreign user input of incorrect login or invalid user messages will be word OK
, it would mistakenly match, so would be estimable for an intruder and he can use in further requests, so be able to continue attack without to get ban.
For instance I have an IP running a scan tool that I know generates failed logins, but I don't want it blocked, so instead of regex'ing for or \d+... I have the literal IP.
Don't confuse ignoreip
and ignoreregex
- they are different and processed differently.
Additionally note that it is always possible to create a filter without to use ignoreregex
at all.
Either using more precise prefregex
or failregex
or using negative lookahead and lookbehind in the prefregex
or failregex
.
The ignoreregex
is an atavism and it is retained for backwards compatibility reasons.
In general I think I just learned more about how f2b works than my trail and error over the last month, thank you.
As for the ^Auth
anchor, I assumed I needed to leave off the anchor since that is after the timestamp.
Again, thank you for your time.
As for the
^Auth
anchor, I assumed I needed to leave off the anchor since that is after the timestamp.
Well, not really - firstly the timestamp is cut out after matching of datepattern
, so the anchor is totally OK (or probably something like ^\s*Auth
to allow optional spaces after the timestamp). And secondly without the anchor it remains "vulnerable" due to possible foreign input (if it is imaginable, for instance in referrer or agent strings) but at least slow, because without anchor fail2ban would search the match everywhere in string (which can be really long in the access-log, considering repeat of all the branches of RE on every part of string).
Still again - the anchor must be mandatory.
Environment:
Freshly built/updated ubuntu 20.04 and ubuntu 22.04
Both systems running stock Ubuntu repos, both are up to date with latest for their respective buildings
The issue:
I have a custom jail running for freeradius. Trying to get the filtering correct and noticed a difference between how
fail2ban-regex
handles the same config files between the two systems.I'm focusing on ignoreregex at the moment.
Steps to reproduce
On both systems I have a test.log file containing:
A test config containing:
When I run
fail2ban-regex test.log testing_filter.conf
I get different results.From 22.04:
from 20.04:
Note- I get the same with or without the
.*
before Auth in ignoreregex. Also, even if I put an exact timestamp of one of the 3 lines, I still get 0 matches.Expected behavior
I would expect the same results.