
Question: fail2ban named-refused jail problem, Ubuntu 20.04

shopuser
On another installation with Ubuntu 16.04 and Plesk I have installed fail2ban with a named-refused jail.
I have installed a new system with Ubuntu 20.04 and Plesk, and I have a problem with fail2ban.
This jail doesn't work in 20.04, but I don't know why:

named-refused.conf

[named-refused]

port = domain,953
logpath = /var/log/named/security.log


named-refused.local

Code:
[Definition]
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
ignoreregex =

jail.local
Code:
....
[named-refused-tcp]
bantime = 31536000
enabled = true
port = domain,953
protocol = tcp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/syslog

[named-refused-udp]
bantime = 31536000
enabled = true
port = domain,953
protocol = udp
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/syslog


...
I don't know about Ubuntu. I'm running Debian 10.9, but the filter above never matched for me either.
However, take a look at /var/log/syslog: my log entries from bind contain an additional field.

Apr 9 18:46:32 xxxxxx named[28173]: client @0x7fbc446193e0 146.88.240.13#45337 (www.wikipedia.org): query (cache) 'www.wikipedia.org/A/IN' denied

The @0x7fbc446193e0 part doesn't exist in the logs of my CentOS 6 server.

Code:
[Definition]
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s\S+ %(__daemon_combs_re)s\s+)?

failregex = ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$

ignoreregex =

I added ( @\S+)? after the word client in the regex, so it matches the new @0x7fbc446193e0 part.

PS: adding maxretry = 1 to the jails is a good idea in this case too, I think, because this regex catches hackers while they are collecting information or attempting bind cache poisoning.
Hi,
I'm trying to use the regex filter from above to block the pizzaseo.com spam and other DNS spam too, but I can't get it to work.

Sample lines from /var/log/messages on our CentOS servers:

Aug 31 10:55:49 mail named[828]: client 1.193.219.2#45420: query (cache) 'www.ac.my.blastodermic-swimmable.info/A/IN' denied
Aug 31 10:56:24 mail named[828]: client 34.229.64.157#24668: query (cache) 'WaNtthAtcITy.Co.Uk/AAAA/IN' denied
Aug 31 10:56:30 mail named[828]: client 100.24.210.180#61127: query (cache) 'WanTTHATcITy.CO.Uk/NS/IN' denied
Aug 31 11:22:10 mail named[828]: client 76.91.137.227#6672: query (cache) 'pizzaseo.com/RRSIG/IN' denied

My jail filter reads:
Code:
[Definition]
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?:\(cache\))? '.*' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
    ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
ignoreregex =
Any help would be amazing!

EDIT:
Testing the regex shows weird results:
Code:
[root@mail filter.d]# fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/named-refused.local

Running tests
=============

Use   failregex filter file : named-refused, basedir: /etc/fail2ban
Use         log file : /var/log/messages
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [54190] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 54190 lines, 0 ignored, 0 matched, 54190 missed
[processed in 9.22 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 54190 lines
OK, not sure what I did, but it's working now.
Must have been a typo or a copy+paste issue.

Code:
[Definition]
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s( error:)?\s*client( @\S+)? <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
ignoreregex =
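The two fixes this thread arrives at (the ( @\S+)? group for the @0x... client field in the Debian/Ubuntu log lines, and the space inside query(?: \(cache\))? that the CentOS filter was missing) can be checked offline with a short script. This is an added example, not code from the thread or from fail2ban itself: it reproduces fail2ban's %(name)s interpolation and <HOST> expansion by hand (the HOST pattern below is an approximation of fail2ban's own definition) and strips the syslog timestamp before matching, as fail2ban-regex does. The sample lines are the ones posted above, re-joined where the forum wrapped them, plus one constructed non-matching line.

```python
import re

# Approximation of the group fail2ban substitutes for <HOST>; the optional
# ::ffff: prefix covers IPv4-mapped IPv6 addresses.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp that fail2ban removes before applying failregex. What is
# left starts with a space, which is why __line_prefix begins with \s\S+.
DATE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}")

# Sample lines: the thread's Debian 10 and CentOS lines (re-joined), and one
# constructed query-log line that must never match.
SAMPLE_LINES = [
    "Apr  9 18:46:32 xxxxxx named[28173]: client @0x7fbc446193e0 146.88.240.13#45337 "
    "(www.wikipedia.org): query (cache) 'www.wikipedia.org/A/IN' denied",
    "Aug 31 10:55:49 mail named[828]: client 1.193.219.2#45420: query (cache) "
    "'www.ac.my.blastodermic-swimmable.info/A/IN' denied",
    "Aug 31 11:22:10 mail named[828]: client 76.91.137.227#6672: query (cache) "
    "'pizzaseo.com/RRSIG/IN' denied",
    "Aug 31 11:22:11 mail named[828]: client 10.0.0.5#5353 (example.com): "
    "query: example.com IN A + (10.0.0.1)",
]


def compile_failregex(client_ptr=True, cache_space=True):
    """Assemble the 'query ... denied' failregex the way fail2ban interpolates
    %(name)s variables in a filter file.

    client_ptr  adds the ( @\\S+)? group needed for the @0x... field.
    cache_space keeps the space in query(?: \\(cache\\))?; False reproduces
                the typo variant query(?:\\(cache\\))? from the thread.
    """
    v = {"_daemon": "named", "__pid_re": r"(?:\[\d+\])"}
    v["__daemon_re"] = r"\(?%(_daemon)s(?:\(\S+\))?\)?:?" % v
    v["__daemon_combs_re"] = (r"(?:%(__pid_re)s?:\s+%(__daemon_re)s"
                              r"|%(__daemon_re)s%(__pid_re)s?:)") % v
    v["__line_prefix"] = r"(?:\s\S+ %(__daemon_combs_re)s\s+)?" % v
    v["ptr"] = r"( @\S+)?" if client_ptr else ""
    v["cache"] = r"(?: \(cache\))?" if cache_space else r"(?:\(cache\))?"
    pattern = (r"^%(__line_prefix)s( error:)?\s*client%(ptr)s <HOST>#\S+"
               r"( \([\S.]+\))?: (view (internal|external): )?query%(cache)s"
               r" '.*' denied\s*$") % v
    return re.compile(pattern.replace("<HOST>", HOST))


def scan(lines, regex):
    """Return the <host> captured from each line the failregex matches,
    after stripping the timestamp the way fail2ban does."""
    hits = []
    for line in lines:
        rest = DATE_RE.sub("", line, count=1)
        m = regex.match(rest)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    variants = [
        ("stock filter (no client pointer group)", False, True),
        ("with ( @\\S+)? added", True, True),
        ("typo variant: no space before \\(cache\\)", True, False),
    ]
    for label, ptr, space in variants:
        print(f"{label}: {scan(SAMPLE_LINES, compile_failregex(ptr, space))}")
```

Running it shows the stock filter banning only the two CentOS addresses and missing the Debian line, the version with ( @\S+)? catching all three, and the variant without the space before \(cache\) matching nothing, which is the "0 matched" result fail2ban-regex reported above.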