Mistake in Regex for proxmox fail2ban

Open ayoahha opened this issue 11 months ago • 3 comments

Where's the issue located

  • Guides: G010 - Host hardening 04 ~ Enabling Fail2Ban
  • Sections: https://github.com/ehlesp/smallab-k8s-pve-guide/blob/main/G010%20-%20Host%20hardening%2004%20~%20Enabling%20Fail2Ban.md#configuring-the-proxmox-ve-jail

What's the problem

The failregex is failing when we test it against daemon.log (journalctl compliance):

root@pve:~# fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

Running tests
=============

Use   failregex filter file : proxmox, basedir: /etc/fail2ban
ERROR: Unable to compile regular expression 'pvedaemon[.authentication (verification )?failure; rhost=(?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w)) user=. msg=.*':
unbalanced parenthesis at position 146

CURRENT REGEX block in /etc/fail2ban/filter.d/proxmox.conf:

[Definition]
failregex = pvedaemon\[.*authentication (verification )?failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

SHOULD BE INSTEAD in /etc/fail2ban/filter.d/proxmox.conf:

[Definition]
failregex = pvedaemon\[[0-9]+\]: authentication (verification )?failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Oh, and I cannot forget to THANK YOU for this wonderful guide! You did a massive amount of work, and it is much, much appreciated.

ayoahha avatar Mar 16 '24 16:03 ayoahha

Hi @ayoahha and thanks for pointing this issue out!

Before I apply the fix you suggest, I must ask if you've seen this happen with the software versions specified in the guide or when working with newer ones. Depending on the scenario, I'll have to apply a different approach to fix (or just warn about) this problem.

ehlesp avatar Mar 19 '24 17:03 ehlesp

Oh, sorry, I did not get the notification of your reply.

Yes, you are correct: this issue is for Proxmox 8 (8.1.4 to be exact). But the current regex seems in any case very weird, isn't it?

ayoahha avatar Mar 25 '24 23:03 ayoahha

The regex might look strange to you @ayoahha because it uses a catchall expression (.*) instead of the more elaborate version you propose ([0-9]+\]: ). I don't remember if I copied this regex from somewhere, but my version just tries to capture anything that appears between the pvedaemon\[ and the authentication strings. It doesn't really matter what's between those strings, since the remainder of the string is what is going to tell the authentication verification failure lines apart from other log lines.

I've noticed that, in the ERROR you've posted in this issue's description, the regex is wrong because it's missing the catchall expression (.*). I'd suggest you try again in your setup with the regex in the guide, but paying attention to enter the regex without missing anything.

ehlesp avatar Apr 02 '24 18:04 ehlesp
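The following is an added example, not code from the guide or from either participant. It reproduces offline what fail2ban-regex does with the three failregex variants that appear in this thread: the guide's catchall version, the `[0-9]+\]:` alternative, and the mangled form from the error output (where `\[.*` was lost, leaving an unbalanced `[`). The `<HOST>` expansion is taken verbatim from the fail2ban-regex error message quoted above; the daemon.log lines are constructed samples in the Proxmox pvedaemon format, and the `compiles`, `matched_hosts` and `SAMPLE_LOG` names are my own.

```python
import re

# fail2ban's <HOST> expansion, copied from the fail2ban-regex error output
# quoted in this issue. It yields one of the named groups ip4, ip6 or dns.
HOST = (
    r"(?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?"
    r"|(?P<dns>[\w\-.^_]*\w))"
)

# The failregex from the guide (catchall between "pvedaemon\[" and "authentication").
GUIDE_REGEX = (
    r"pvedaemon\[.*authentication (verification )?failure; "
    r"rhost=<HOST> user=.* msg=.*"
)

# The stricter alternative proposed in the issue (pid in brackets, then ": ").
PROPOSED_REGEX = (
    r"pvedaemon\[[0-9]+\]: authentication (verification )?failure; "
    r"rhost=<HOST> user=.* msg=.*"
)

# The form that fail2ban-regex printed in the error: "\[.*" has been lost, so the
# bare "[" opens a character class and the parentheses no longer balance.
MANGLED_REGEX = (
    r"pvedaemon[.authentication (verification )?failure; "
    r"rhost=<HOST> user=. msg=.*"
)

# Constructed daemon.log lines (hypothetical hosts from documentation ranges).
SAMPLE_LOG = [
    "Mar 16 15:58:02 pve pvedaemon[1862]: <root@pam> successful auth for user 'root@pam'",
    "Mar 16 15:59:11 pve pvedaemon[1862]: authentication failure; "
    "rhost=::ffff:192.0.2.10 user=root@pam msg=Authentication failure",
    "Mar 16 15:59:40 pve pvedaemon[1863]: authentication verification failure; "
    "rhost=203.0.113.7 user=root@pam msg=Authentication failure",
    "Mar 16 16:00:03 pve pvedaemon[1862]: worker 1900 started",
]


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def compiles(failregex):
    """True if the failregex is a valid regular expression after <HOST> expansion."""
    try:
        compile_failregex(failregex)
        return True
    except re.error:
        return False


def matched_hosts(failregex, lines):
    """Return the rhost value extracted from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("ip4") or m.group("ip6") or m.group("dns"))
    return hosts


if __name__ == "__main__":
    for name, rx in (("guide", GUIDE_REGEX),
                     ("proposed", PROPOSED_REGEX),
                     ("mangled", MANGLED_REGEX)):
        if compiles(rx):
            print(f"{name:9s} compiles; banned hosts: {matched_hosts(rx, SAMPLE_LOG)}")
        else:
            print(f"{name:9s} does NOT compile (this is the error seen in the issue)")
```

Both well-formed variants pick out the same two failure lines and ignore the successful-auth and worker lines, which is the point made above: the part after `authentication` does the discriminating, so the catchall and the `[0-9]+\]:` form are interchangeable for these inputs. On a real host, confirm the same result with `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` before relying on the jail.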

I close this issue since there's no apparent problem with the regex itself; it seems more of an issue of just entering it right in your configuration, @ayoahha. Your alternative looks good too, but I prefer the catchall just in case an unexpected new character appears there in the future.

ehlesp avatar Aug 16 '24 10:08 ehlesp