fail2ban modsec failregex not working

simpel (Verified User; joined Jun 6, 2019; 33 messages)
I noticed by accident, when checking jails, that the modsec jail has no IPs:

fail2ban-client status modsec
Status for the jail: modsec
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/httpd/modsec_audit.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

Then I checked my other servers, and all modsec jails have nothing banned, although the log files are full of modsec bans.

So I ran a check:

fail2ban-regex /var/log/httpd/modsec_audit.log /etc/fail2ban/filter.d/apache-modsecurity2.conf

Running tests
=============
Use failregex filter file : apache-modsecurity2, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/httpd/modsec_audit.log
Use encoding : UTF-8

Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 34 lines, 0 ignored, 0 matched, 34 missed
[processed in 0.05 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 34 lines

So, no matches at all.

Then I checked the failregex itself, and it looks just fine:

failregex = (?: \[client <HOST>\]) ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

Could anyone who has a working regex share it with me so I can compare?

I would be very grateful.
 
I would be very happy if someone could post their working 'failregex' line so I can compare.

Thanks!
 
Today I saw there were updates, and fail2ban was one of them, so I removed the current filter and updated.

The new version is 0.11.1 and a new filter was installed... and the regex is a bit different from the previous version's.

It now is:
failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

But when running the test... still no hits :(

I checked the fail2ban log and noticed it could not match the date:
[1107]: WARNING Found a match for u'{"transaction":{"time":"02/Aug/2020:10:17:20 +0200",

So I added a custom date format to the filter file:
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

Now at least I get date matches... but still NO matches on my regex...

fail2ban-regex -vvv /var/log/httpd/modsec_audit.log /etc/fail2ban/filter.d/apache-modsecurity.conf

Running tests
=============

Use failregex filter file : apache-modsecurity, basedir: /etc/fail2ban
Real filter options : {'logtype': 'file', 'datepattern': '%d/%b/%Y:%H:%M:%S %z'}
Use datepattern : Day/MON/Year:24hour:Minute:Second Zone offset
Use log file : /var/log/httpd/modsec_audit.log
Use encoding : UTF-8


Results
=======

Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^\[\]\s\[:)?error|\S+:\S+)\]( \[pid \d+:)\S+ \d+)?\])? \[client <HOST>:)\d{1,5})?\](?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [21] Day/MON/Year:24hour:Minute:Second Zone offset
`-

Lines: 21 lines, 0 ignored, 0 matched, 21 missed
[processed in 0.00 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 21 lines

The search continues...
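
A way to reproduce offline what fail2ban-regex is doing, as an added example that is not code from this thread or from fail2ban itself: fail2ban compiles each failregex with Python's standard `re` module and runs it on the line with the text matched by the datepattern cut out (which is why the stock Apache prefix in the output above begins with `\[\]`). The script takes the failregex quoted in the first post, feeds it a constructed Apache error_log line, a constructed `ModSecurity: Warning.` line that was not blocked, and a constructed one-line JSON audit record of the `{"transaction":{"time":...` shape shown in the date warning, and reports which host fail2ban would ban. Assumptions: the `<HOST>` expansion is simplified to IPv4 only, the date detector is a small stand-in for fail2ban's, all three sample lines are made up, and the JSON key names (`transaction_id`, `remote_address`, `audit_data.action.message`) and the candidate JSON failregex built on them are guesses to be checked against a real audit line before use.

```python
"""Offline check of a fail2ban failregex against sample log lines.

Added example for this thread, not code posted by its author or shipped with
fail2ban.  fail2ban compiles failregex with Python's standard `re` module, so
the same pattern can be exercised here without touching a live jail.
"""
import re

# fail2ban substitutes a named group for `<HOST>` before compiling.  This
# IPv4-only stand-in is an ASSUMPTION/simplification of the real expansion.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# fail2ban cuts the text matched by the datepattern out of the line and runs
# failregex on what remains (hence the `\[\]` at the start of the stock Apache
# prefix).  This simplified detector covers the Apache error_log timestamp and
# the `%d/%b/%Y:%H:%M:%S %z` pattern the thread adds for the audit log.
DATE_RE = re.compile(
    r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}"
    r"|\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
)

# failregex from the first post of the thread, with `<HOST>` expanded.
MODSEC_ERRORLOG_RE = re.compile(
    r"(?: \[client " + HOST_RE + r"\]) ModSecurity:\s+"
    r"(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d"
)

# Candidate failregex for a one-line JSON audit record.  `{"transaction":{"time":`
# is the shape quoted in the thread's fail2ban warning; `transaction_id`,
# `remote_address` and the `"message":"Access denied ..."` text are ASSUMED
# from ModSecurity 2.9's JSON audit format and must be checked against a real
# line.  `"time":"[^"]*"` (not `+`) because fail2ban has cut the timestamp out.
MODSEC_JSONAUDIT_RE = re.compile(
    r'^\{"transaction":\{"time":"[^"]*","transaction_id":"[^"]+",'
    r'"remote_address":"' + HOST_RE + r'".*'
    r'"message":"Access denied with code [45]\d\d'
)

# Constructed sample lines (RFC 5737 addresses, not from a real server).
ERRORLOG_LINE = (
    '[Sun Aug 02 10:17:20.123456 2020] [:error] [pid 25862:tid 139851583526656] '
    '[client 203.0.113.5:41932] [client 203.0.113.5] ModSecurity: Access denied '
    'with code 403 (phase 2). Matched phrase "union select" at ARGS:id. '
    '[file "/etc/httpd/modsecurity.d/rules.conf"] [line "36"] [id "100001"] '
    '[msg "Example SQLi rule"] [hostname "www.example.com"] [uri "/"]'
)
WARNING_LINE = (
    '[Sun Aug 02 10:18:01.000001 2020] [:error] [pid 25862:tid 139851583526656] '
    '[client 198.51.100.7:50000] [client 198.51.100.7] ModSecurity: Warning. '
    'Pattern match "(?i:select)" at ARGS:q. [file "/etc/httpd/modsecurity.d/rules.conf"] '
    '[line "40"] [id "100002"] [msg "Example detect-only rule"] [hostname "www.example.com"] [uri "/"]'
)
JSONAUDIT_LINE = (
    '{"transaction":{"time":"02/Aug/2020:10:17:20 +0200",'
    '"transaction_id":"XyZ123abc","remote_address":"203.0.113.5",'
    '"remote_port":41932,"local_address":"198.51.100.10","local_port":443},'
    '"request":{"request_line":"GET /?id=1%20union%20select HTTP/1.1"},'
    '"response":{"status":403},'
    '"audit_data":{"action":{"intercepted":true,"phase":2,'
    '"message":"Access denied with code 403 (phase 2)."}}}'
)


def cut_timestamp(line):
    """Return the line with the first timestamp removed, as fail2ban does."""
    return DATE_RE.sub("", line, count=1)


def banned_host(regex, line):
    """Host fail2ban would ban for `line` under `regex`, or None on no match."""
    m = regex.search(cut_timestamp(line))
    return m.group("host") if m else None


def run_filter(regex, lines):
    """Mimic the Results section of `fail2ban-regex`: counts plus hosts."""
    hosts = [h for h in (banned_host(regex, ln) for ln in lines) if h]
    return {"matched": len(hosts), "missed": len(lines) - len(hosts), "hosts": hosts}


if __name__ == "__main__":
    lines = [ERRORLOG_LINE, WARNING_LINE, JSONAUDIT_LINE]
    print("apache-modsecurity failregex:", run_filter(MODSEC_ERRORLOG_RE, lines))
    print("json audit candidate        :", run_filter(MODSEC_JSONAUDIT_RE, lines))
```

Run with python3. The first-post regex matches the error_log line and misses the JSON record, which is the pattern of results reported above, and it also skips the Warning-only line, so only requests ModSecurity actually blocked lead to a ban. Whatever regex ends up in the filter, the real check is still `fail2ban-regex` against the real log file, because the timestamp cut and the `<HOST>` expansion there are fail2ban's own, not the stand-ins used here.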
 
As a workaround I wrote a regex to manually get all banned IPs from the log files and add them to the fail2ban modsec jail.

For all experiencing the same problem, you could run this as a cronjob as a temporary solution:

Code:
#!/bin/bash
# Pull the client IP of every "Access denied" event out of the audit logs
# (rotated ones included), dedupe, and hand each one to the modsec jail.
for i in $(grep -EIo "\[client (([0-9]{1,3}\.){3}[0-9]+)\] ModSecurity: Access denied with code " /var/log/httpd/modsec_audit.log* | sed 's/]//' | cut -d" " -f2 | sort -u); do
  fail2ban-client set modsec banip "$i"
done

Edit to suit your needs.
 