Setting a custom date pattern

[Noexpert]

Hi,

I'm trying to stop a stream of DNS DDOS attacks.

Firstly, I added a time and date to my BIND log.
So in /etc/named.conf, I added print-time yes;

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
            print-time yes;
    };

In /var/named/data/named.run, this adds 21-Dec-2015 21:35:22.843 in front of entries, such as client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied

Now, I've added the following to my /etc/fail2ban/jail.local:

[named-refused-udp]
enabled   = true
port      = domain,953
protocol  = udp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath  = /var/named/data/named.run
datepattern = %d-%b-%Y %H:%M:%S.%N 

[named-refused-tcp]
enabled   = true
port      = domain,953
protocol  = tcp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath  = /var/named/data/named.run
datepattern = %d-%b-%Y %H:%M:%S.%N

However, I think my datepattern format is wrong, because in /var/log/logwatch.log I can see:

2015-12-21 22:09:41,417 fail2ban.filter         [22545]: WARNING Found a match for u"client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied" but no valid date/time found for u"client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied". Please try setting a custom date pattern (see man page jail.conf(5)). If format is complex, please file a detailed issue on https://github.com/fail2ban/fail2ban/issues in order to get support for this format.

and

2015-12-21 22:09:41,425 fail2ban.filter         [22545]: ERROR   findFailure failed to parse timeText: 21-Dec-2015 20:21:11.437 z

Can someone please help?

Thanks

[sebres]

Your fail2ban version?

Because this format should be a standard format (at least since v.0.9), so just remove (or comment with #) lines with datepattern.

If I correct understood the output of fail2ban-regex for your date format, in v.0.9 will be used this one (see below the whole output):

datepattern = %d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?

Or little bit simplified for exact that you have:

datepattern = %d-%b-%Y %H:%M:%S.%f

You can any time test your own format using:

fail2ban-regex -d "%d-%b-%Y %H:%M:%S.%f" <LOG> <FILTER>

Example v.0.9.3 with standard dateformats:

$ fail2ban-regex "21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (example.com): query (cache) 'example.com/A/IN' denied" ./config/filter.d/named-refused.conf
/usr/bin/python | (2, 7, '2.7.6 (default, Jun 22 2015, 17:58:13) \n[GCC 4.8.2]')

Running tests
=============

Use   failregex filter file : named-refused, basedir: ./config
Use      single line : 21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (exa...


Results
=======

Failregex: 1 total
...
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

$ fail2ban-regex -d "%d-%b-%Y %H:%M:%S.%f" "21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (example.com): query (cache) 'example.com/A/IN' denied" ./config/filter.d/named-refused.conf
/usr/bin/python | (2, 7, '2.7.6 (default, Jun 22 2015, 17:58:13) \n[GCC 4.8.2]')

Running tests
=============

Use      datepattern : Day-MON-Year 24hour:Minute:Second.Microseconds
Use   failregex filter file : named-refused, basedir: ./config
Use      single line : 21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (exa...


Results
=======

Failregex: 1 total
...
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day-MON-Year 24hour:Minute:Second.Microseconds
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]