[SOLVED] request help understanding: IndexError('string index out of range',)

[Eeel-12]

I recenlty switched to Fail2ban v0.11.2 and everything works fine except my jail for NX Nomachine

[nxd]

enabled  = true
port     = 4000
filter   = nxd
logpath  = /usr/NX/var/log/nxd.log
maxretry = 5 
action   = iptables-allports
findtime = 4h
bantime  = 24h

The parsed log file:

Info: Server started with pid 30111 on Sun Dec 19 23:08:37 2021.
Info: Listening for connections on any interface on port 4000.
Info: Accepting connections from any host with encryption enabled.
Info: Server with pid 30111 terminated by signal 15 on Mon Dec 20 01:16:16 2021.
Info: Server started with pid 2005 on Mon Dec 20 09:00:00 2021.
Info: Listening for connections on any interface on port 4000.
Info: Accepting connections from any host with encryption enabled.
Info: Connection from 64.208.250.100 port 45658 accepted on Mon Dec 20 11:45:41 2021.
Info: Connection from 64.208.250.100 port 45658 process 8138 started on Mon Dec 20 11:45:41 2021.
Info: Connection from 64.208.250.100 port 45658 process 8138 closed on Mon Dec 20 13:02:43 2021.
Info: Connection from 64.208.250.100 port 45660 accepted on Mon Dec 20 13:32:53 2021.
Info: Connection from 64.208.250.100 port 45660 process 29409 started on Mon Dec 20 13:32:53 2021.
Info: Connection from 64.208.250.100 port 45664 accepted on Mon Dec 20 17:36:03 2021.
Info: Connection from 64.208.250.100 port 45664 process 14089 started on Mon Dec 20 17:36:03 2021.
Info: Connection from 64.208.250.100 port 45660 process 29409 closed on Mon Dec 20 17:36:07 2021.
Info: Connection from 64.208.250.100 port 45664 process 14089 closed on Mon Dec 20 18:54:27 2021.
Info: Server with pid 2005 terminated by signal 15 on Tue Dec 21 00:13:10 2021.
Info: Server started with pid 2019 on Tue Dec 21 06:59:27 2021.
Info: Listening for connections on any interface on port 4000.
Info: Accepting connections from any host with encryption enabled.
Info: Connection from 64.208.250.100 port 36128 accepted on Tue Dec 21 09:31:26 2021.
Info: Connection from 64.208.250.100 port 36128 process 5894 started on Tue Dec 21 09:31:26 2021.
Info: Connection from 64.208.250.100 port 36128 process 5894 closed on Tue Dec 21 09:52:01 2021.
Info: Connection from 64.208.250.100 port 36130 accepted on Tue Dec 21 10:59:17 2021.
Info: Connection from 64.208.250.100 port 36130 process 9534 started on Tue Dec 21 10:59:17 2021.
Info: Connection from 64.208.250.100 port 36130 process 9534 closed on Tue Dec 21 11:16:14 2021.
Info: Server with pid 2019 terminated by signal 15 on Tue Dec 21 11:16:27 2021.
Info: Server started with pid 2008 on Tue Dec 21 11:17:36 2021.
Info: Listening for connections on any interface on port 4000.
Info: Accepting connections from any host with encryption enabled.
Info: Connection from 64.208.250.100 port 38956 accepted on Tue Dec 21 11:50:27 2021.
Info: Connection from 64.208.250.100 port 38956 process 2854 started on Tue Dec 21 11:50:27 2021.
Info: Connection from 64.208.250.100 port 58730 accepted on Tue Dec 21 12:14:14 2021.
Info: Connection from 64.208.250.100 port 58730 process 4692 started on Tue Dec 21 12:14:14 2021.
Info: Connection from 64.208.250.100 port 38956 process 2854 closed on Tue Dec 21 12:14:26 2021.
Info: Connection from 64.208.250.100 port 58752 accepted on Tue Dec 21 12:26:20 2021.
Info: Connection from 64.208.250.100 port 58752 process 5616 started on Tue Dec 21 12:26:20 2021.
Info: Connection from 64.208.250.100 port 58730 process 4692 closed on Tue Dec 21 12:26:31 2021.

Nomachine provide a filter:

[Definition]

failregex = ^Info: Connection from <HOST> port \d+ accepted on.*$

ignoreregex =

fail2ban error log:

2021-12-21 12:21:04,795 fail2ban.filter         [5415]: INFO    [nxd] Found 64.208.250.100 - 2021-12-21 09:31:26
2021-12-21 12:21:04,798 fail2ban.filter         [5415]: ERROR   Failed to process line: u'Info: Connection from 64.208.250.100 port 36130 accepted on Tue Dec 21 10:59:17 2021.', caught exception: IndexError('string index out of range',)
2021-12-21 12:21:06,804 fail2ban.filter         [5415]: INFO    [nxd] Found 64.208.250.100 - 2021-12-21 11:50:27
2021-12-21 12:21:06,805 fail2ban.filter         [5415]: INFO    [nxd] Found 64.208.250.100 - 2021-12-21 12:14:14
2021-12-21 12:21:07,145 fail2ban.actions        [5415]: NOTICE  [nxd] Ban 64.208.250.100
2021-12-21 12:25:40,430 fail2ban.actions        [5415]: NOTICE  [nxd] Unban 64.208.250.100
2021-12-21 12:26:35,169 fail2ban.filter         [5415]: ERROR   Failed to process line: u'Info: Connection from 64.208.250.100 port 58752 accepted on Tue Dec 21 12:26:20 2021.', caught exception: IndexError('string index out of range',)

Running fail2ban-regex report errors

# fail2ban-regex /usr/NX/var/log/nxd.log /etc/fail2ban/filter.d/nxd.conf

Running tests
=============

Use   failregex filter file : nxd, basedir: /etc/fail2ban
Use         log file : /usr/NX/var/log/nxd.log
Use         encoding : UTF-8

Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib64/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 836, in exec_command_line
    if not fail2banRegex.start(args):
  File "/usr/lib64/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 776, in start
    self.process(test_lines)
  File "/usr/lib64/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 584, in process
    line_datetimestripped, ret, is_ignored = self.testRegex(line)
  File "/usr/lib64/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 456, in testRegex
    found = self._filter.processLine(line, date)
  File "/usr/lib64/python2.7/site-packages/fail2ban/server/filter.py", line 613, in processLine
    timeMatch = self.dateDetector.matchTime(line)
  File "/usr/lib64/python2.7/site-packages/fail2ban/server/datedetector.py", line 371, in matchTime
    (line[endpos-1] == self.__lastEndPos[1] and not self.__lastEndPos[1].isalnum())
IndexError: string index out of range

I see thread here on Github with same error message but did not really undestood what is going on.

Computer is running Slackware -current (15). Slackware fail2ban package build script is located here

[sebres]

string index out of range

This is known (and already fixed) bug...
See #3020 (comment)

You could avoid it without patching the fail2ban using more precise anchored datepattern:

[Definition]
datepattern = \son (?:%%a )?%%b %%d %%k:%%M:%%S(?:\.%%f)?(?: %%Y)?\.$
failregex = ^Info: Connection from <ADDR>

Nomachine provide a filter

Strange filter... how it is intended to work without false positives, for instance shall ignore legitimate users connecting more than 5 times in 4 hours (related to your jail settings).

but did not really undestood what is going on

Fail2ban extracts the date matching some (default) datepattern (needed to consider the time of failure), but since the time is at end of string (really "bad" practice for logging) it is variable in its position, so fail2ban had troubles to check whether the pattern found something looking like a timestamp by unanchored pattern (protection against injection on foreign user input).
As already said it was a bug, but fortunately you're able to circumvent it.

[Eeel-12]

Thank you Sebres for your very quick feedback.

Adding datepattern fixed the errors.

I miss configured the nxd jail, this is what Nomachine recommend here thanks for pointing it.

[nxd]

enabled  = true
port     = 4000
filter   = nxd
logpath  = /usr/NX/var/log/nxd.log
maxretry = 20
action   = iptables-allports
findtime = 5
bantime  = 600

I will post the datepattern you provided on the Nomachine forum