==================================================================
  Please DO NOT REPLY to this mail or send email to the developers
  about this bug. Please follow-up to Bugzilla using this link:
    http://bugs.contribs.org/show_bug.cgi?id=8645

  Have you checked the Frequently Asked Questions (FAQ)?
    http://wiki.contribs.org/SME_Server:Documentation:FAQ

  Please also take the time to read the following useful guide:
    http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================

            Bug ID: 8645
           Summary: AuthExtern pwauth failures not been logged by fail2ban
                    jail http-auth
    Classification: Contribs
           Product: SME Contribs
           Version: 8.1
          Hardware: ---
                OS: ---
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-fail2ban
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

I have smeserver-fail2ban installed : smeserver-fail2ban-0.1.7-1.el5.fws

with the following config:

fail2ban=service
    BanTime=604800
    FindTime=3600
    Mail=enabled
    MailRecipient=admin
    status=enabled

Jail.
[DEFAULT]
ignoreip = 127.0.0.0/8 192.168.1.1 192.168.1.0/24
bantime  = 604800
findtime  = 3600
maxretry = 3
usedns = yes
backend = auto


I have an ibay that's set as follows and requires authentication:
Public access via web or anonymous ftp : Entire Internet (password required)
Execution of dynamic content (CGI, PHP, SSI) : Enabled

I am testing to see if fail2ban will find the failed logon attempts:

To do so I have a PuTTY SSH terminal open that is monitoring
/var/log/httpd/error_log

I deliberately enter incorrect authentication details and see the following in
the /var/log/httpd/error_log

[Wed Nov 05 23:05:17 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:05:38 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:05:49 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:06:03 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:32:13 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc

It seems that the failures are not logged.

Check fail2ban :
Status for the jail: http-auth
|- filter
|  |- File list:        /var/log/httpd/error_log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

Check the regex

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/apache-auth.conf
Use         log file : /var/log/httpd/error_log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [142] WEEKDAY MONTH Day Hour:Minute:Second Year
`-

Lines: 142 lines, 0 ignored, 0 matched, 142 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 142
lines


Checking what's missed via: (Use --print-all-missed to print all 142 lines)

...
|  [Wed Nov 05 23:05:17 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
|  [Wed Nov 05 23:05:38 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
|  [Wed Nov 05 23:05:49 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
|  [Wed Nov 05 23:06:03 2014] [error] [client 197.85.xxx.xxx] AuthExtern pwauth
[/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
...


It seems that the failregex expressions in filter.d/apache-auth.conf are not
picking up the failures?
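
An added example, not part of the original report or of smeserver-fail2ban: a simplified Python model of a failregex that would match the AuthExtern pwauth lines shown above, followed by the maxretry/findtime decision from the jail config. The pattern, the `<HOST>` expansion and the sample addresses are assumptions constructed for illustration; fail2ban handles the timestamp and `<HOST>` itself, so a real pattern should be confirmed with fail2ban-regex against the actual error_log.

```python
import re
from collections import defaultdict
from datetime import datetime

FINDTIME, MAXRETRY = 3600, 3  # findtime / maxretry from the jail [DEFAULT] above

# Hypothetical candidate failregex; it is not taken from apache-auth.conf.
CANDIDATE = (r"^\[[^\]]*\] \[error\] \[client <HOST>\] AuthExtern \S+ "
             r"\[[^\]]*\]: Failed \(\d+\) for user \S*$")

# Constructed sample lines modelled on the report (documentation IP ranges).
SAMPLE_LOG = """\
[Wed Nov 05 23:05:17 2014] [error] [client 203.0.113.7] AuthExtern pwauth [/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:05:38 2014] [error] [client 203.0.113.7] AuthExtern pwauth [/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:05:40 2014] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
[Wed Nov 05 23:05:49 2014] [error] [client 203.0.113.7] AuthExtern pwauth [/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 21:00:00 2014] [error] [client 198.51.100.9] AuthExtern pwauth [/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
[Wed Nov 05 23:32:13 2014] [error] [client 198.51.100.9] AuthExtern pwauth [/usr/lib/httpd/modules/pwauth]: Failed (1) for user abc
"""

def compile_failregex(failregex):
    # Simplified stand-in for fail2ban's <HOST> tag: an address or hostname token.
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[\w.-]+)"))

def find_failures(log_text, failregex=CANDIDATE):
    """Return (timestamp, host) for every line the failregex matches."""
    rx, failures = compile_failregex(failregex), []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            stamp = line[1:line.index("]")]  # text inside the leading [...]
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            failures.append((ts, m.group("host")))
    return failures

def hosts_to_ban(failures, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts with at least maxretry failures inside one findtime window."""
    by_host, banned = defaultdict(list), set()
    for ts, host in sorted(failures):
        by_host[host].append(ts)
    for host, times in by_host.items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
    return banned

if __name__ == "__main__":
    found = find_failures(SAMPLE_LOG)
    print(len(found), "failures;", "would ban:", sorted(hosts_to_ban(found)))
```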
