mysqld-auth not working due to format change #1211
Comments
|
Can you provide an example for that log entry (include it between |
|
Sorry, I created the issue while logged into the wrong github account. Here is the new format: and here is the old one for comparison: |
sebres
added a commit
to sebres/fail2ban
that referenced
this issue
Oct 7, 2015
|
Fixed in #1212, Thanks to @justinjameshayes (@noramtkane) |
yarikoptic
added a commit
that referenced
this issue
Mar 8, 2016
ver. 0.9.4 (2016/03/08) - for-you-ladies ----------- - Fixes: * roundcube-auth jail typo for logpath * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164) * filter.d/apache-badbots.conf - Updated useragent string regex adding escape for `+` * filter.d/mysqld-auth.conf - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332) * filter.d/sshd.conf - Updated "Auth fail" regex for OpenSSH 5.9 and later * Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155) * Fix jail.conf.5 man's section (gh-1226) * Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable `banaction_allports` (gh-1216) * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character for python version < 3.x (gh-1248) * Use postfix_log logpath for postfix-rbl jail * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now) * Removed compression and rotation count from logrotate (inherit them from the global logrotate config) - New Features: * New interpolation feature for definition config readers - `<known/parameter>` (means last known init definition of filters or actions with name `parameter`). This interpolation makes possible to extend a parameters of stock filter or action directly in jail inside jail.local file, without creating a separately filter.d/*.local file. As extension to interpolation `%(known/parameter)s`, that does not works for filter and action init parameters * New actions: - nftables-multiport and nftables-allports - filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule. * New filters: - openhab - domotic software authentication failure with the rest api and web interface (gh-1223) - nginx-limit-req - ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module) - murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate. - haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server * New jails: - murmur - bans TCP and UDP from the bad host on the default murmur port. * sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8) * Added filter for Mac OS screen sharing (VNC) daemon - Enhancements: * Do not rotate empty log files * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923 * Added openSUSE path configuration (Thanks Johannes Weberhofer) * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197) * Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun) * Added check against atacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez) * Enhance filter against atacker's Googlebot PTR fake records (gh-1226) * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237) * Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223) * Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate * Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia * Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted * Provides new default `fail2ban_version` and interpolation variable `fail2ban_agent` in jail.conf * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx) * files/gentoo-initd to use start-stop-daemon to robustify restarting the service * tag '0.9.4': (138 commits) MANIFEST RELEASE and man pages updates Changes for the 0.9.4 release datedetector: epoch time expression fix (now 10-11 chars, only whole number - anchored ^...\b or by special case within [], audit()) + test cases extended (positive/negative) changelog about gentoo initd added wp-admin ENH(TST): a hypothetical example to show/test needing trailing anchoring ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf Changelog for the recent PR and added Tom to THANKS mysqld: failregex fixed (accepts different log level, more secure expression now); closes #1332 Add support for matching postfix multi-instance daemon names by default DOC: removed Nick from listed as FreeBSD maintainer DOC: adjusted ISSUE_TEMPLATE.md picking on @sebres's version ENH: github templates for issues and PRs ENH: add codecov support to travis.yml and bandge to README.md gentoo-initd: Use start-stop-daemon in order to handle crashes better regexp rewritten (few vulnerable as previous) + test case added Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number. Closes #1309 Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command Remove compression and count from logrotate gentoo-initd: do not hide useful output ...
|
Hai, this regex cant match my maria db log, this is my log My sql log have 2 spasi after date. Thanks u for helping. |
|
@zchellpy I tested it with current 0.10 - works as expected. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I was having problems with mysql 5.6 error logs and found this:
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-9.html
"mysqld now writes dates to the error log in ISO (YYYY-MM-DD hh:mm:ss) format. It also includes its process ID following the date. Thanks to Davi Arnaut for the patch. (Bug #56240, Bug #11763523)"
So there really should have two separate filters
This is what I'm using for the new format:
failregex = ^%(__prefix_line)s(\d{4}-\d{2}-\d{2}\s?\d{2}:\d{2}:\d{2} )?\s?\d+\s[Warning] Access denied for user '\w+'@'' (to database '[^']'|(using password: (YES|NO)))\s*$
The text was updated successfully, but these errors were encountered: