Potential buffer overflow in SFXSetup/SfxSetup.cpp
Fewer than that from django (since the host takes place before any foreign input), but yes, it is. Because 301/400/404 could theoretically be anywhere in the string (part of URI, agent etc), so a false positive for legitimate requests would be possible. To avoid that it must have no catch-all before the response code, for instance like this:
    failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" (?:301|40[04])\b
And you don't need 3 RE's here (just enclose deviating parts into (?: ... ), separated by |).
Fewer than that from django (since the host takes place before any foreign input), but yes, it is. Because 301/404/404 could theoretically be anywhere in the string (part of URI, agent etc), so a false positive for legitimate requests would be possible. To avoid that it must have no catch-all before the response code, for instance like this:
    failregex = ^<ADDR> \S+ \S+(?: \[\])? "\w+ [^"]*" (?:301|40[04])\b
And you don't need 3 RE's here (just enclose deviating parts into (?: ... ), separated by |).
Fewer than that from django (since the host takes place before any foreign input), but yes, it is. Because 301/404/404 could theoretically be anywhere in the string (part of URI, agent etc), so a false positive for legitimate requests would be possible. To avoid that it must have no catch-all before the response code, for instance like this:
    failregex = ^<ADDR> \S+ \S+(?: \[\])? "\w+ [^"]*" (?:301|40[04])
And you don't need 3 RE's here (just enclose deviating parts into (?: ... ), separated by |).
it is OK? No! This regex is vulnerable, since due to 2 catch-alls and unanchored matter it can match the IP everywhere (e.g. in foreign input too). So it has several issues starting with performance and ending with a certain vector for an injection on foreign input. And ^.* is not an anchor at all (it can be removed and would change nothing), because these 2 regexes are quasi equivalent: - ^.*something + something
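The difference between a catch-all pattern and the anchored one can be checked with a small regression test. This is an added example, not code from the thread or from fail2ban: `ADDR` is a simplified IPv4-only stand-in for the `<ADDR>` tag, `LOOSE` is a constructed pattern of the kind criticised above, `STRICT` is the second variant quoted above, and the log lines are constructed with the timestamp assumed to be already cut out, leaving `[]`.

```python
import re

# Simplified stand-in for fail2ban's <ADDR> tag (assumption: IPv4 only).
ADDR = r"(?P<host>\b\d{1,3}(?:\.\d{1,3}){3}\b)"

# Constructed loose pattern: "^.*" plus a second catch-all before the status
# code, so nothing ties the host to the start of the line.
LOOSE = re.compile(r"^.*" + ADDR + r".*(?:301|40[04])")

# Variant from the thread with <ADDR> substituted: host anchored at line start,
# the quoted request consumed by [^"]*, status code right after the closing quote.
STRICT = re.compile(
    r"^" + ADDR + r' \S+ \S+(?: \[\])? "\w+ [^"]*" (?:301|40[04])\b'
)

# Constructed access-log lines (documentation address ranges only).
LINES = {
    # genuine 404 from the client at the start of the line
    "real_404": '198.51.100.7 - - [] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    # status 200; the URI carries another address and the byte count is 404
    "ok_with_foreign_ip": '198.51.100.7 - - [] "GET /docs?ref=203.0.113.9 HTTP/1.1" 200 404 "-" "Mozilla/5.0"',
    # status 200; "301" only appears inside the URI
    "ok_plain": '198.51.100.7 - - [] "GET /item/301 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
}


def matched_host(pattern, line):
    """Return the address the pattern would report for this line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def evaluate():
    """Map each sample name to (host reported by LOOSE, host reported by STRICT)."""
    return {
        name: (matched_host(LOOSE, line), matched_host(STRICT, line))
        for name, line in LINES.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:20} loose={loose!s:15} strict={strict}")
```

For a real filter, run the same kind of sample lines through `fail2ban-regex` before deploying it.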
Fail2Ban Config Examples
failregex
In case the tags in info structure (JSON5?) are always given in this order (and there are no other tags in-between) you can use this one:
    failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{username: "<F-USER>[^"]+</F-USER>", ip_address: "<ADDR>"
Otherwise you could use something like that:
    failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{(?:(?:username: "<F-USER>[^"]+</F-USER>"|ip_address: "<ADDR>"|\S+: (?:"[^"]*"|[^\s,]+))(?:,\s*|\}))+
If AXES is some dynamic data...