Oops, silly me, I forgot to restart sshd in my example!
See below…

On 2014-12-19 14:45, Yves wrote:
> Hi,
> That's a tricky question…
> 
> On 2014-12-19 13:55, Stephen Colebrook wrote:
>> Hi,
>> 
>> I’m trying to write a filter to capture a username from log entries
>> instead of an IP address. So <HOST> can’t be used. Apparently a python
> 
> What exactly do you want to achieve? As far as I know, Fail2ban is
> unable to capture, or act on, anything other than a host.
> For the sake of the discussion, I will assume that you would like to ban
> users that fail too often, instead of banning hosts that fail too often.
> Fail2ban can't do that in theory. Yet it can sort-of be done.
> 
>> regex should work but I can’t find the right syntax for fail2ban-regex
>> to catch the log entries I’m after. I have no python experience so
>> hopefully someone can help.
>> 
>> Here’s a sample log entry:
>> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
>> ’someuser' (Remote IP: ‘xxx.xxx.xxx.xxx', X-Forwarded-For: ‘')
> 
> OK. Be careful, as {} characters have meaning for regular expressions.
> First step is to capture the bad logins. I'm still not all that familiar
> with how Fail2ban matches the beginning of the line, but this should be
> fine at least for the end of the line:
> \{core\} Login failed: ’(?P<host>\S+)'.*
> 
> Now, Fail2ban will think that these are hosts, that you thus capture. So
> it will try to find out the IP. Thus you'll have to devise some mapping.
> I suggest you use an IP range that you have no use for, such as
> 10.10.x.x, and create the mapping in /etc/hosts:
> 10.10.0.1 elisabeth
> 10.10.0.2 georges
> 10.10.0.3 edward
> 10.10.0.4 victoria
> and so on…
> (Of course, check that the "hosts:" line in /etc/nsswitch.conf begins
> with "files")
> 
> Then you need a special action that will deal with the specifics of your
> software. Let's assume that this software is for example sshd. SSH deals
> with user denial using "DenyUsers", and thankfully sshd can be restarted
> with no harm done to the existing connections. The action would thus
> look like this:
> 
> [Definition]
> actionstart =
> actionstop =
> actioncheck =
> actionban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
>             if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
>               sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" \
>                 /etc/ssh/sshd_config
>             else
>               echo "DenyUsers $banned" >>/etc/ssh/sshd_config
>             fi
>             *** HERE ***
> actionunban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
>               sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" \
>                 /etc/ssh/sshd_config
>               sed -i.old '/^DenyUsers *$/d' /etc/ssh/sshd_config
>               *** HERE ***
> [Init]

In this example I gave, both actionban and actionunban must restart sshd
to take into account the change in the configuration, exactly at the
place where I wrote "*** HERE ***".
The command to use depends on your distribution; the most common commands
are:
systemctl restart sshd.service
/etc/init.d/sshd restart
service sshd restart
…

> Minus the comments, this is more or less the action file. You may want
> to introduce parameters, for example the path of the file to change.
> This depends on the software and how it manages its users, though.
> 
>> 
>> I’ve tried the following in my filter without success:
>> {core} Login failed: ‘(?P<host>\S+)’
>> 
>> Any advice for this python rookie?
>> 
>> Thanks in advance.
> 
> Good luck!
> 
> Yves.
> http://yalis.fr/
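To check the DenyUsers editing logic of the proposed action before installing it, here is an added shell example (not from the thread) that runs the same add/remove steps against a scratch sshd_config and a constructed hosts mapping. HOSTS, CFG and RESTART_SSHD are assumed names; the awk lookup compares the first field of the hosts file exactly rather than using the address as a regex, so a dot cannot match an arbitrary character.

```shell
#!/bin/sh
# Added example, not the action file from the thread.
# Scratch files stand in for /etc/hosts and /etc/ssh/sshd_config.
set -e
HOSTS="${HOSTS:-./hosts.test}"
CFG="${CFG:-./sshd_config.test}"
# The real action must restart sshd after every change (see the
# distribution-specific commands above); a no-op here so it runs anywhere.
RESTART_SSHD="${RESTART_SSHD:-true}"

# Constructed fixtures: pseudo-IP -> user mapping and a minimal sshd_config.
setup_fixtures() {
    printf '10.10.0.1 elisabeth\n10.10.0.2 georges\n10.10.0.3 edward\n' > "$HOSTS"
    printf 'Port 22\nPermitRootLogin no\n' > "$CFG"
}

# Map the pseudo-IP fail2ban passes as <ip> back to the username.
# Exact comparison of field 1, so 10.10.0.1 cannot match 10.10.0.12.
ip_to_user() {
    awk -v ip="$1" '$1 == ip { print $2; exit }' "$HOSTS"
}

# actionban: append the user to an existing DenyUsers line, or create one.
deny_user() {
    banned=$(ip_to_user "$1")
    [ -n "$banned" ] || return 1          # unknown pseudo-IP: refuse to edit
    if grep -q '^DenyUsers' "$CFG"; then
        sed -E -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" "$CFG"
    else
        echo "DenyUsers $banned" >> "$CFG"
    fi
    $RESTART_SSHD
}

# actionunban: remove the user; drop the line once it lists nobody.
allow_user() {
    banned=$(ip_to_user "$1")
    [ -n "$banned" ] || return 1
    sed -E -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" "$CFG"
    sed -i.old '/^DenyUsers *$/d' "$CFG"
    $RESTART_SSHD
}

# Current DenyUsers line, or an empty string when there is none.
deny_line() { grep '^DenyUsers' "$CFG" || true; }
```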

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
