Hi,
That's a tricky question…

On 2014-12-19 13:55, Stephen Colebrook wrote:
> Hi,
> 
> I’m trying to write a filter to capture a username from log entries
> instead of an IP address. So <HOST> can’t be used. Apparently a python

What exactly do you want to achieve? As far as I know, Fail2ban is 
unable to capture, or act on, anything other than a host.
For the sake of the discussion, I will assume that you would like to ban 
users that fail too often, instead of banning hosts that fail too often.
Fail2ban can't do that in theory. Yet it can sort-of be done.

> regex should work but I can’t find the right syntax for fail2ban-regex
> to catch the log entries I’m after. I have no python experience so
> hopefully someone can help.
> 
> Here’s a sample log entry:
> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
> ’someuser' (Remote IP: ‘xxx.xxx.xxx.xxx', X-Forwarded-For: ‘')

OK. Be careful, as {} characters have meaning for regular expressions.
First step is to capture the bad logins. I'm still not all that familiar 
with how Fail2ban matches the beginning of the line, but this should be 
fine at least for the end of the line:
\{core\} Login failed: ’(?P<host>\S+)'.*

Now, Fail2ban will think that these are hosts, that you thus capture. So 
it will try to find out the IP. Thus you'll have to devise some mapping. 
I suggest you use an IP range that you have no use for, such as 
10.10.x.x, and create the mapping in /etc/hosts:
10.10.0.1 elisabeth
10.10.0.2 georges
10.10.0.3 edward
10.10.0.4 victoria
and so on…
(Of course, check that the "hosts:" line in /etc/nsswitch.conf begins 
with "files".)

Then you need a special action that will deal with the specifics of your 
software. Let's assume that this software is for example sshd. SSH deals 
with user denial using "DenyUsers", and thankfully sshd can be restarted 
with no harm done to the existing connections. The action would thus 
look like this:

[Definition]
actionstart =
actionstop =
actioncheck =
# <ip> is the fake address fail2ban resolved the username to; map it back
# to the username through /etc/hosts, then add that name to DenyUsers
actionban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
             if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
               sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" /etc/ssh/sshd_config
             else
               echo "DenyUsers $banned" >>/etc/ssh/sshd_config
             fi
# remove the username again, and drop the DenyUsers line once it is empty
actionunban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
               sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" /etc/ssh/sshd_config
               sed -i.old '/^DenyUsers *$/d' /etc/ssh/sshd_config
[Init]

Minus the comments, this is more or less the action file. You may want 
to introduce parameters, for example the path of the file to change. 
This depends on the software and how it manages its users, though.

> 
> I’ve tried the following in my filter without success:
> {core} Login failed: ‘(?P<host>\S+)’
> 
> Any advise for this python rookie?
> 
> Thanks in advance.

Good luck!

Yves.
http://yalis.fr/
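The pieces proposed above (the end-of-line failregex, the /etc/hosts mapping from fake 10.10.x.x addresses to usernames, and the DenyUsers edit the action performs) can be exercised offline. The following is an added example, not code from the thread or from the Fail2ban project: it runs the suggested regex with Python's re module (the same engine fail2ban-regex uses) over constructed log lines in the quoted format, stands in a dictionary for the /etc/hosts table, and performs the ban/unban edit on an sshd_config text in a way that never adds the same name twice. The log lines, the hosts table and the config text are all constructed; the usernames are the ones from the reply.

```python
import re

# Constructed log lines in the format quoted in the thread (addresses are
# documentation ranges, users are the names used in the reply).
SAMPLE_LOG = [
    "Dec 18 21:43:30 hostname application[26895]: {core} Login failed: "
    "’georges' (Remote IP: ‘203.0.113.7', X-Forwarded-For: ‘')",
    "Dec 18 21:43:31 hostname application[26895]: {core} Login failed: "
    "’georges' (Remote IP: ‘203.0.113.7', X-Forwarded-For: ‘')",
    "Dec 18 21:43:32 hostname application[26895]: {core} Login ok: "
    "’elisabeth' (Remote IP: ‘198.51.100.2', X-Forwarded-For: ‘')",
    "Dec 18 21:43:33 hostname application[26895]: {core} Login failed: "
    "’edward' (Remote IP: ‘198.51.100.9', X-Forwarded-For: ‘')",
]

# The end-of-line pattern from the reply. The braces are escaped because
# {} is quantifier syntax in regular expressions; the username lands in the
# <host> group so fail2ban treats it as the thing to ban.
FAILREGEX = re.compile(r"\{core\} Login failed: ’(?P<host>\S+)'.*")

# Constructed stand-in for the /etc/hosts mapping proposed in the reply:
# an otherwise unused 10.10.x.x range, one fake address per user.
HOSTS = {
    "10.10.0.1": "elisabeth",
    "10.10.0.2": "georges",
    "10.10.0.3": "edward",
    "10.10.0.4": "victoria",
}
USER_TO_IP = {user: ip for ip, user in HOSTS.items()}


def failed_users(lines):
    """Usernames captured by FAILREGEX, one per failed-login line."""
    users = []
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            users.append(m.group("host"))
    return users


def resolve(user):
    """What fail2ban does with the captured <host>: resolve it through
    /etc/hosts to the fake address the action later receives as <ip>."""
    return USER_TO_IP.get(user)


def user_for_ip(ip):
    """Reverse lookup performed by the awk call in the action: <ip> -> user."""
    return HOSTS.get(ip)


# A single global DenyUsers directive; group 1 is its argument list.
DENY_RE = re.compile(r"^DenyUsers\b(.*)$", re.MULTILINE)


def ban(config, ip):
    """Add the user behind <ip> to the DenyUsers line of an sshd_config text,
    creating the line if absent, without listing the same name twice."""
    user = user_for_ip(ip)
    if user is None:
        raise KeyError("no /etc/hosts entry for %s" % ip)
    m = DENY_RE.search(config)
    if m is None:
        sep = "" if config == "" or config.endswith("\n") else "\n"
        return "%s%sDenyUsers %s\n" % (config, sep, user)
    users = m.group(1).split()
    if user not in users:
        users.append(user)
    return config[:m.start()] + "DenyUsers " + " ".join(users) + config[m.end():]


def unban(config, ip):
    """Remove the user from DenyUsers; drop the directive when it becomes empty
    (the equivalent of the action's final sed)."""
    user = user_for_ip(ip)
    m = DENY_RE.search(config)
    if m is None or user is None:
        return config
    users = [u for u in m.group(1).split() if u != user]
    if not users:
        end = m.end()
        if end < len(config) and config[end] == "\n":
            end += 1  # take the line's newline with it
        return config[:m.start()] + config[end:]
    return config[:m.start()] + "DenyUsers " + " ".join(users) + config[m.end():]


if __name__ == "__main__":
    cfg = "Port 22\nPermitRootLogin no\n"
    for user in failed_users(SAMPLE_LOG):
        cfg = ban(cfg, resolve(user))
    print(cfg)
```

One caveat the shell action above shares with this script: an appended DenyUsers line only applies globally if it lands before any Match block in sshd_config, since keywords following a Match line belong to that block. If the config uses Match, insert the directive above the first Match instead of appending at the end.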

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users