fail2ban's logpath supports regex (regular expressions)


Hello, I'm incompetent.
Because log rotation settings differ between *nix-based OSes, /var/log/auth.log can get archived quickly, after which fail2ban may not ban anything at all. It turns out a regular expression can be used in logpath as follows.

How! to! Use!

:/etc/fail2ban# cat jail.local 
[sshd]
ignoreip = 127.0.0.1/8 ::1
enabled = true
port    = all
logpath = /var/log/auth.log*
bantime = 10w
findtime = 10d
maxretry = 2

Then, if you check with fail2ban-client status sshd:

:/usr/local/etc/fail2ban # fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log /var/log/auth.log.2.bz2 /var/log/auth.log.1.bz2 /var/log/auth.log.6.bz2 /var/log/auth.log.3.bz2 /var/log/auth.log.4.bz2 /var/log/auth.log.5.bz2 /var/log/auth.log.0.bz2
`- Actions
   |- Currently banned: 158
   |- Total banned:     158

It seems the .bz2 files are targeted too... I wondered whether it was actually reading them, but thinking about it normally, that's probably impossible (´・ω・`)
I haven't looked into it in detail yet, but I'd be happy if it were smart enough to read compressed files, like zgrep does.

With that in mind, I unpacked them with ls auth.log.*.bz2 | xargs bunzip2, restarted fail2ban and checked again; the banned IPs hadn't changed, so it seems it probably does read the compressed binary logs as well.

In software like this, a carelessly written pattern, especially a bare .* or *, can pull in far more files than intended and consume resources for no benefit, so I recommend writing the pattern as explicitly as possible.
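One caveat worth knowing when reading the configuration above: fail2ban expands each logpath line as a shell-style glob (its jail reader hands the string to Python's glob.glob), not as a regular expression, so the bare * after auth.log means "any characters" and sweeps in every rotated archive, along with anything else that merely shares the prefix. The following Python script is an added example, not code from this post or from fail2ban itself. It builds a temporary directory with constructed file names (the rotated logs from the status output above plus two decoy names that are my assumption), then shows what the loose pattern, an explicit pattern, and the same string read as a regex would each select.

```python
import glob
import os
import re
import shutil
import tempfile

# Constructed sample file names: the rotated logs seen in the fail2ban status
# output above, plus two decoys (assumed names) that a loose pattern also picks up.
SAMPLE_FILES = [
    "auth.log",
    "auth.log.1",
    "auth.log.0.bz2",
    "auth.log.2.bz2",
    "auth.log.bak",      # stray copy left behind by an administrator
    "auth.logins.txt",   # unrelated file that merely shares the prefix
]


def make_sample_dir():
    """Create a temporary directory containing empty files with the sample names."""
    directory = tempfile.mkdtemp(prefix="f2b-logpath-")
    for name in SAMPLE_FILES:
        with open(os.path.join(directory, name), "w"):
            pass
    return directory


def remove_sample_dir(directory):
    """Delete the temporary directory created by make_sample_dir()."""
    shutil.rmtree(directory, ignore_errors=True)


def expand_logpath(pattern):
    """Expand a logpath entry the way fail2ban does: as a shell-style glob.

    Returns sorted base names so the result does not depend on the temp path.
    """
    return sorted(os.path.basename(p) for p in glob.glob(pattern))


def regex_fullmatch(pattern, names):
    """Apply the same string as a Python regular expression instead of a glob.

    In a regex '.' is any single character and '*' repeats only the preceding
    'g', so 'auth.log*' means 'auth', any char, 'lo', then zero or more 'g'.
    """
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.fullmatch(n))


def compare_patterns(directory):
    """Show what three readings of the logpath select from the sample directory."""
    # The post's setting: everything starting with auth.log, decoys included.
    loose = expand_logpath(os.path.join(directory, "auth.log*"))
    # An explicit form: the live log plus rotations whose suffix starts with a digit.
    explicit = (
        expand_logpath(os.path.join(directory, "auth.log"))
        + expand_logpath(os.path.join(directory, "auth.log.[0-9]*"))
    )
    # The same string treated as a regex matches only the live log.
    as_regex = regex_fullmatch("auth.log*", SAMPLE_FILES)
    return {"loose": loose, "explicit": sorted(explicit), "as_regex": as_regex}


if __name__ == "__main__":
    d = make_sample_dir()
    try:
        for label, files in compare_patterns(d).items():
            print(f"{label:9s} -> {files}")
    finally:
        remove_sample_dir(d)
```

The explicit form still follows rotation (numbered suffixes, compressed or not) but keeps stray copies and unrelated files out of the jail. Every file the glob matches is opened and scanned by the filter, which is the resource cost the paragraph above warns about, so listing the live log and one tight rotation pattern is the cheaper and more predictable choice.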

Incredible Hetzner VPS Machine

Terrifying.

:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 814
|  |- Total failed:     132602
|  `- File list:        /var/log/auth.log.1 /var/log/auth.log
`- Actions
   |- Currently banned: 2503
   |- Total banned:     2503

2503 IPs...?
I'm happy; it feels like I've obtained a valuable data source.