1/20/2021

Fail2ban Multi-Line Regex

I felt so stupid to not have thought of it earlier; maybe I can spare you some time by writing this.

As you probably know, fail2ban can match multi-line regular expressions; you can simply use \n to match a newline character.

I had developed and tested such a regex using https://regex101.com/. I can recommend that site; it is a big help.

Once the tests were successful, I wrote a fail2ban filter and tested it using fail2ban-regex. No joy. I shortened the regular expression until I got a match. But as soon as I added anything, even a dot to match any character, I got no matches again.

I have no idea why it took me so long to remember that fail2ban will by default only pass a single line to the regex, so any multi-line regex is bound to fail.

This is easy to fix: after passing the maxlines parameter to fail2ban-regex, the filter worked as designed. Then I only had to set the same parameter in the jail definition and was done.

So, when writing multi-line regular expressions for fail2ban, I hope you will be quicker than me to remember setting maxlines.
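
The effect described above can be reproduced without fail2ban. The following Python sketch is an added example, not code from this post or from fail2ban: it is a simplified model of a line-buffered matcher, and `find_failures`, the `app:` log format and the addresses are all constructed for illustration.

```python
import re
from collections import deque

# Constructed sample log (hypothetical format): the host appears on one
# line and the failure on the next, so a match needs both lines.
SAMPLE_LOG = [
    "app: login attempt from 203.0.113.7",
    "app: authentication failed",
    "app: login attempt from 198.51.100.23",
    "app: authentication succeeded",
    "app: login attempt from 203.0.113.99",
    "app: authentication failed",
]

# Multi-line pattern using \n, the kind that passes on regex101 when the
# whole log is pasted in as one test string.
FAILREGEX = re.compile(
    r"^app: login attempt from (?P<host>\S+)\napp: authentication failed$",
    re.MULTILINE,
)


def find_failures(lines, maxlines=1):
    """Simplified model: the regex only ever sees the last `maxlines`
    lines, joined with newlines. With maxlines=1 no \\n is ever present."""
    window = deque(maxlen=maxlines)
    hosts = []
    for line in lines:
        window.append(line)
        match = FAILREGEX.search("\n".join(window))
        if match:
            hosts.append(match.group("host"))
            window.clear()  # drop matched lines so they are not counted twice
    return hosts


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"maxlines={n}: {find_failures(SAMPLE_LOG, maxlines=n)}")
```

With a one-line buffer the pattern can never match, however correct it is. That is why a regex that works on a pasted multi-line test string finds nothing until the buffer is large enough to hold every line the pattern spans.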
