[BR]: tag <matches>'s value not well formatted (systemd journal only) #3293

Closed
3 tasks done
wdzeng opened this issue Jun 2, 2022 · 1 comment

wdzeng commented Jun 2, 2022

Environment:

  • Fail2Ban version : 0.11.2
  • OS, including release name/version : Fedora release 35 (Thirty Five)
  • Fail2Ban installed via OS/distribution mechanisms : Yes, installed with dnf
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

The value of the <matches> tag is not well formatted for the sshd service. The value looks like:

2022-06-02T19:58:46.695370example.com sshd[1571006]: Failed password for ......

There should be a space between timestamp and hostname, e.g.:

2022-06-02T19:58:46.695370 example.com sshd[1571006]: Failed password for ......

Steps to reproduce

  1. Install fail2ban.

  2. Create the following three files.

    # fail2ban.local
    [DEFAULT]
    loglevel = DEBUG
    
    # jail.local
    [sshd]
    enabled = true
    action = test
    
    # actions.d/test.conf
    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = echo "<matches>" >&2
    actionunban =
    
  3. Start fail2ban.

  4. Wait until an IP is banned for sshd service.

  5. View fail2ban.log and we can find that the logs contain messages with improper format.

    2022-06-02 19:58:47,115 fail2ban.utils          [1570801]: DEBUG   7faaf3ed7cc0 -- stderr: '2022-06-02T19:58:44.523180example.com sshd[1571006]: ......
    

Expected behavior

There should be a space between timestamp and hostname.

Observed behavior

A space is missing between timestamp and hostname.

Any additional information

I have examined that if we modify the getMatches function in ticket.py at line 155:

    def getMatches(self):
        return [(line if not isinstance(line, (list, tuple)) else " ".join(line).strip()) \
            for line in self._data.get('matches', ())]

then this issue can be fixed, but I am not sure if this edit may cause a new problem.

@wdzeng wdzeng added the bug label Jun 2, 2022
@wdzeng wdzeng changed the title [BR]: <matches> logs not well formatted [BR]: tag <matches>'s value not well formatted Jun 2, 2022
Contributor

sebres commented Jun 2, 2022

Looks like this missing space affects systemd backend only (jails monitoring systemd journal).
I'll fix that soon, thanks for info.
FWIW, there is another similar issue with <matches> tag - #3275 (comment)

@sebres sebres closed this as completed in 5aeb49a Jun 2, 2022
@sebres sebres changed the title [BR]: tag <matches>'s value not well formatted [BR]: tag <matches>'s value not well formatted (systemd journal only) Jun 2, 2022
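
An action script that consumes `<matches>` on an affected setup (0.11.2 with the systemd backend, as reported above) can parse both line shapes with a tolerant pattern. This is an added example, not code from fail2ban or from either commenter; the function names, the field names and the fixed six-digit fraction are assumptions, and the sample lines are constructed from the shapes shown in the issue.

```python
import re
from datetime import datetime

# Timestamp shape taken from the issue: ISO date, "T", time, exactly six
# fractional digits. The fixed width is an assumption; it keeps a hostname
# that starts with a digit from being swallowed into the timestamp.
_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}"
_LINE = re.compile(
    rf"^(?P<ts>{_TS})"
    r"\s*"                      # no space on affected setups, one otherwise
    r"(?P<host>\S+)\s+"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

def parse_match(line):
    """Split one <matches> line into fields; return None if it does not fit."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields

def normalize_match(line):
    """Return the line with exactly one space after the timestamp."""
    return re.sub(rf"^({_TS})\s*", r"\1 ", line.strip(), count=1)

def parse_matches(blob):
    """Parse a whole <matches> value (one log line per text line)."""
    parsed = (parse_match(raw) for raw in blob.splitlines() if raw.strip())
    return [p for p in parsed if p is not None]

# Constructed sample lines in the two shapes shown in the issue.
_REST = "sshd[1571006]: Failed password for root from 192.0.2.10 port 4242 ssh2"
GLUED = "2022-06-02T19:58:46.695370example.com " + _REST
SPACED = "2022-06-02T19:58:46.695370 example.com " + _REST

if __name__ == "__main__":
    for raw in (GLUED, SPACED):
        print(normalize_match(raw))
        print(parse_match(raw))
```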