Fail2Ban is utterly daft in at least one respect. Here’s me testing a regex on a date format it doesn’t recognise:
```
# fail2ban-regex '2010-12-14 15:12:31 - 184.108.40.206' ' - <HOST>$'
Found a match but no valid date/time found for 2010-12-14 15:12:31 - 220.127.116.11. Please contact the author in order to get support for this format
Sorry, no match
```
And on one that it does:
```
fail2ban-regex '2010/12/14 15:12:31 - 18.104.22.168' ' - <HOST>$'
Success, the following data were found:
Date: Tue Dec 14 15:12:31 2010
IP : 22.214.171.124

Date template hits:
0 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
1 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Benchmark. Executing 1000...
Performance
Avg: 0.10257935523986816 ms
Max: 0.125885009765625 ms (Run 8)
Min: 0.10085105895996094 ms (Run 780)
```
Ignoring for the moment the fact that it doesn’t recognise 2010-12-14 15:12:31 (Seriously?)[1], the only way to get that list of date formats is by happening to pick a correct one. As soon as you no longer need a list of date formats you may use, it presents you with one.
So, as an attempted fix for this situation, see above for a list of compatible date formats.
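To check a log's timestamps before writing a filter, the sketch below tests lines against the six templates named in the output above and reports any line Fail2Ban would have no date for. It is an added example, not Fail2Ban's code: the regexes are approximations written for this example, and the sample lines are constructed.

```python
import re

# Names are the templates fail2ban-regex lists on this page. The regexes are
# approximations written for this example, not Fail2Ban's own patterns.
TEMPLATES = [
    ("Month Day Hour:Minute:Second",
     r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"),
    ("Weekday Month Day Hour:Minute:Second Year",
     r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"),
    ("Year/Month/Day Hour:Minute:Second",
     r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"),
    ("Day/Month/Year:Hour:Minute:Second",
     r"\d{2}/(?:\d{2}|[A-Z][a-z]{2})/\d{4}:\d{2}:\d{2}:\d{2}"),
    ("TAI64N", r"@[0-9a-f]{24}"),
    ("Epoch", r"\b\d{10}(?:\.\d+)?\b"),
]


def matching_templates(line):
    """Return the names of every template whose pattern occurs in the line."""
    return [name for name, rx in TEMPLATES if re.search(rx, line)]


def unsupported_lines(lines):
    """Return the lines in which no listed date template is found."""
    return [line for line in lines if not matching_templates(line)]


# Constructed sample log lines (documentation-range IP addresses).
SAMPLE = [
    "2010-12-14 15:12:31 - 192.0.2.10",
    "2010/12/14 15:12:31 - 192.0.2.10",
    "Dec 14 15:12:31 host sshd[123]: Failed password from 192.0.2.10",
    "14/Dec/2010:15:12:31 - 192.0.2.10",
    "1292339551 - 192.0.2.10",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(matching_templates(line) or "NO DATE TEMPLATE", "<-", line)
```

A line that shows up in `unsupported_lines` will never produce a ban, however good the failregex is, so it is worth running this over a sample of the real log first.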
[1] It’s worth noting, too, that the author is of the opinion that specifying your own date format is too much like hard work, so if you want support for any date format other than those already supported, you’ve to patch it yourself. Which is obviously way easier than just having a date regex in the config file.