I have tried many regular expressions in fail2ban config, but it never return any matches.
Line example:
[2019-12-10 10:45:38] NOTICE[15077] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:Cant@178.216.162.105>' failed for '195.154.214.141:53360' (callid: 1570242695-1186607423-1664578181) - No matching endpoint found
Fail2Ban asterisk config:
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
fail2ban-regex output:
Running tests
=============
Use failregex filter file : asterisk, basedir: /etc/fail2ban
Use log file : /var/log/asterisk/messages
Use encoding : UTF-8
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [157969] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 159081 lines, 0 ignored, 0 matched, 159081 missed
[processed in 53.87 sec]
What am I doing wrong?
UPD1
It doesn't find anything even if expression is copied from log:
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] \[2019-12-10 10:45:38\] NOTICE\[15077\] res_pjsip/pjsip_distributor\.c: Request 'INVITE' from '<sip:Cant@178\.216\.162\.105>' failed for '<HOST>:53360' \(callid: 1570242695-1186607423-1664578181\) - No matching endpoint found
`-
Also my python version is:
# python -V
Python 2.7.13
UPD2
After a lot of tries, i made it work with this regexp:
failregex = NOTICE\[.+?\] res_pjsip/pjsip_distributor\.c: Request '(INVITE|REGISTER)' from '.+?' failed for '<HOST>:.*?' \(callid: .+?\) - .*