fail2ban haproxy regex



Using fail2ban, I want to block IPs that match error 429 in the haproxy log. I already tried the regexes below, but they didn't work. Your suggestion is appreciated.

failregex = .*:<HOST>(?::\d+)?\s+.*\d* 429

failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 429

Sample haproxy log

Feb 16 07:43:51 ip-10-100-212-165 haproxy[1624130]: 158.118.198.219:42990 [16/Feb/2023:07:43:50.242] r_a_i~ it_backup_server/it-server-04-de 0/0/0/1181/1181 429 4436 - - --NI 1211/1210/38/13/0 0/0 "POST / HTTP/1.1"


Answer by lu4t

You should adjust the regex into something more generic, like this:

^<HOST>.*\s429\s
Answer by raneq

I followed the fail2ban-regex documentation and used the -D option to generate a Debuggex link. It expands the <HOST> clause to something like (?P<ip4>...)|(?P<ip6>...)|(?P<dns>...).

.*:<HOST>(?::\d+)?\s+.*\d* 429

# captured group: 42997 - WRONG

Here we can see that, for some reason, the host is matching the port part, which is obviously wrong. I guessed that the extra colons (:) at the beginning of the line confused the date matching and the host match.

Then, I tried with adding a clear separation between the date and the host:

^.* haproxy\[\d+\]: <HOST>(?::\d+)?\s+.*\d* 429

# captured group: 158.118.198.219 - GOOD

... and it matched the address properly. You can try this in Debuggex in the expanded form.

In the end, I came back and found out that you were missing a space between the first colon (:) and <HOST>! In your example, the address context is haproxy[1234]: <host> and not haproxy[1234]:<host>.

.*: <HOST>(?::\d+)?\s+.*\d* 429

# captured group: 158.118.198.219 - GOOD

Try this simpler solution in Debuggex.

Please, try it in your system and tell us if it works!
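To see why the question's pattern hands fail2ban the port and how the second answer's fix changes that, here is an added example (not code from the question or from either answer) that runs the patterns through Python's re module against the sample line, standing in for fail2ban-regex. The <HOST> expansion is a simplified version of fail2ban's (assumption: the real one is longer, but it too tries an IPv4, then an IPv6, then a DNS name, and the DNS branch accepts bare digits, which is why a greedy `.*:` can stop at the colon before the port and let <HOST> swallow the port). The second log line (a 200 response with a 429-byte body, using a TEST-NET address) and the last, field-anchored failregex are constructed for this example. One caveat: fail2ban cuts the timestamp it recognised out of the line before applying failregex, so a `^`-anchored pattern behaves differently there than in plain re, but in neither case does `^<HOST>` land on the client address.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion. Assumption: fail2ban's
# real pattern is longer, but it too tries an IPv4, then an IPv6, then a DNS
# name, and the DNS branch accepts bare digits such as a port number.
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP6 = r"(?:[0-9a-fA-F]{1,4}::?){1,7}[0-9a-fA-F]{0,4}"
DNS = r"[\w\-.^_]*\w"
HOST = r"(?:::f{4,6}:)?(?P<host>" + IP4 + "|" + IP6 + "|" + DNS + ")"

# The sample line from the question.
LINE_429 = (
    "Feb 16 07:43:51 ip-10-100-212-165 haproxy[1624130]: 158.118.198.219:42990 "
    "[16/Feb/2023:07:43:50.242] r_a_i~ it_backup_server/it-server-04-de "
    '0/0/0/1181/1181 429 4436 - - --NI 1211/1210/38/13/0 0/0 "POST / HTTP/1.1"'
)
# Constructed for this example: a 200 response whose body happens to be 429 bytes.
LINE_200 = (
    "Feb 16 07:44:02 ip-10-100-212-165 haproxy[1624130]: 203.0.113.7:51234 "
    "[16/Feb/2023:07:44:02.001] r_a_i~ it_backup_server/it-server-04-de "
    '0/0/0/12/12 200 429 - - ---- 1211/1210/38/13/0 0/0 "GET /status HTTP/1.1"'
)

FAILREGEXES = {
    # from the question: no space between the colon and <HOST>
    "question":          r".*:<HOST>(?::\d+)?\s+.*\d* 429",
    # from the first answer: anchored at the start of the line
    "answer1_linestart": r"^<HOST>.*\s429\s",
    # from the second answer: anchored on the daemon prefix
    "answer2_prefix":    r"^.* haproxy\[\d+\]: <HOST>(?::\d+)?\s+.*\d* 429",
    # from the second answer: the missing space restored
    "answer2_space":     r".*: <HOST>(?::\d+)?\s+.*\d* 429",
    # constructed for this example: walk the frontend, backend/server and
    # timer fields so that 429 can only match the status-code position
    "status_field":      r"^.* haproxy\[\d+\]: <HOST>:\d+ \[[^\]]+\] \S+ \S+ \S+ 429 ",
}


def expand(failregex):
    """Substitute the <HOST> tag the way fail2ban does before compiling a failregex."""
    return failregex.replace("<HOST>", HOST)


def captured_host(failregex, line):
    """Return the text <HOST> captured for this line, or None if the pattern misses."""
    match = re.search(expand(failregex), line)
    return match.group("host") if match else None


def report(line):
    """Map each failregex name to what it would hand fail2ban as the address to ban."""
    return {name: captured_host(rx, line) for name, rx in FAILREGEXES.items()}


if __name__ == "__main__":
    for label, line in (("429 response", LINE_429), ("200 response, 429 bytes", LINE_200)):
        print(label)
        for name, host in report(line).items():
            print(f"  {name:18} -> {host}")
```

On the server the same check is `fail2ban-regex '<log line>' '<failregex>'`; its -D flag prints the Debuggex URLs the second answer mentions. Against the question's line the pattern without the space captures 42990, the two patterns from the second answer capture 158.118.198.219, and `^<HOST>` captures "Feb". Against the constructed 200 line every pattern that ends in the loose `.*\d* 429` still matches, because the byte count happens to be 429, and would ban 203.0.113.7 for a successful request; only the pattern that walks the fields up to the status code leaves it alone.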