Hi Stephen,
On 2014-12-19 15:54, Stephen Colebrook wrote:
> Hi Yves,
>
> Thanks for your help with the regex. If I add a username to the hosts
> file fail2ban-regex works.
>
> I'm trying to ban on username because I can't ban on IP address for
> connections coming into our network from certain gateways that are
> using source NAT. The firewall doing the natting can't modify the
> X-Forwarded-For http header because the traffic is encrypted at that
> point. But once things move past that firewall the real remote IP is
> lost. The load balancer only sees the IP of the firewall as the remote
> IP, and I can't ban the firewall or I'll cut off a large section of
> users.
Can't you configure your middleware (firewall/load balancer/whatever…)
to transparently forward the IP? This can be done either with iptables
rules if the software allows it, or with the "proxy-protocol". See here
for some information:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
http://yalis.fr/cms/index.php/post/2014/09/12/The-do-it-all-port-443%E2%80%A6
> I also can't add each user to /etc/hosts. This system uses AD for
> authentication and there will be approximately 3500 users accessing it
> daily. While putting everyone in /etc/hosts is technically possible,
> it would be a horribly difficult solution to maintain.
Not necessarily: provided your AD does not change too often, and you're
willing to accept a 24-hour-max delay in updating the hosts file
whenever the AD does change, a nightly cron job to flush and replace the
user list in /etc/hosts based on the AD would do the trick.
Of course, it is also possible to tweak my solution to rely on the AD
instead of the hosts file, but I can see how this would be questionable:
you probably shouldn't mix real domains and fake domains (users
actually) in the AD.
> Is there no way to prevent fail2ban from trying to resolve hostnames
I don't know of any way, but I'm new to fail2ban, and I don't know all
of its features. Then, you may also tweak the source code ;-)
> and just pass the string in the regex to the action? Setting usedns to
> no will just cause it to skip hostnames. I was hoping to write an
> action that would read the http authentication headers to match the
> user name. I do that for banning based on the content of the
> X-Forwarded-For header so I can ban a remote IP instead of the load
> balancer.
>
> Stephen
>
> On 12/19/2014 8:45 AM, Yves wrote:
>> Hi,
>> That's a tricky question…
>>
>> On 2014-12-19 13:55, Stephen Colebrook wrote:
>>> Hi,
>>>
>>> I’m trying to write a filter to capture a username from log entries
>>> instead of an IP address. So <HOST> can’t be used. Apparently a
>>> python
>>
>> What exactly do you want to achieve? As far as I know, Fail2ban is
>> unable to capture, or act on, anything other than a host.
>> For the sake of the discussion, I will assume that you would like to
>> ban
>> users that fail too often, instead of banning hosts that fail too
>> often.
>> Fail2ban can't do that in theory. Yet it can sort-of be done.
>>
>>> regex should work but I can’t find the right syntax for
>>> fail2ban-regex
>>> to catch the log entries I’m after. I have no python experience so
>>> hopefully someone can help.
>>>
>>> Here’s a sample log entry:
>>> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
>>> ’someuser' (Remote IP: ‘xxx.xxx.xxx.xxx', X-Forwarded-For: ‘')
>>
>> OK. Be careful, as {} characters have meaning for regular expressions.
>> First step is to capture the bad logins. I'm still not all that
>> familiar
>> with how Fail2ban matches the beginning of the line, but this should
>> be
>> fine at least for the end of the line:
>> \{core\} Login failed: ’(?P<host>\S+)'.*
>>
>> Now, Fail2ban will think that these are hosts, that you thus capture.
>> So it will try to find out the IP. Thus you'll have to devise some
>> mapping. I suggest you use an IP range that you have no use for, such
>> as
>> 10.10.x.x, and create the mapping in /etc/hosts:
>> 10.10.0.1 elisabeth
>> 10.10.0.2 georges
>> 10.10.0.3 edward
>> 10.10.0.4 victoria
>> and so on…
>> (Of course, check that the "hosts:" line in /etc/nsswitch.conf begins
>> with "files")
>>
>> Then you need a special action that will deal with the specifics of
>> your
>> software. Let's assume that this software is for example sshd. SSH
>> deals
>> with user denial using "DenyUsers", and thankfully sshd can be
>> restarted
>> with no harm done to the existing connections. The action would thus
>> look
>> like this:
>>
>> [Definition]
>> actionstart =
>> actionstop =
>> actioncheck =
>> actionban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
>>             if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
>>                 sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" \
>>                     /etc/ssh/sshd_config
>>             else
>>                 echo "DenyUsers $banned" >>/etc/ssh/sshd_config
>>             fi
>>             *** RESTART ***
>> actionunban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
>>               sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" \
>>                   /etc/ssh/sshd_config
>>               sed -i '/^DenyUsers *$/d' /etc/ssh/sshd_config
>>               *** RESTART ***
>> [Init]
>>
>> In this example I gave, both actionban and actionunban must restart
>> sshd to take into account the change in the configuration, exactly at
>> the place where I wrote "*** RESTART ***".
>> The command to use depends on your distribution; most common commands
>> are:
>> systemctl restart sshd.service
>> /etc/init.d/sshd restart
>> service sshd restart
>> …
>> Minus the comments, this is more or less the action file. You may
>> want to introduce parameters, for example the path of the file to
>> change. This depends on the software and how it manages its users,
>> though.
>>
>>>
>>> I’ve tried the following in my filter without success:
>>> {core} Login failed: ‘(?P<host>\S+)’
>>>
>>> Any advice for this python rookie?
>>>
>>> Thanks in advance.
>>
>> Good luck!
>>
>> Yves.
>> http://yalis.fr/
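Added example, not code from the thread or from fail2ban: a Python script that checks Yves' end-of-line pattern against the sample log entry as it appears above (the username is preceded by a U+2019 right single quotation mark and followed by an ASCII apostrophe, so the pattern uses exactly those two characters) and maintains the generated user-to-fake-IP block in /etc/hosts that the nightly cron job from the AD would write. It keeps addresses already assigned so a ban that is active across the refresh still resolves to the same user, and it does the exact-match reverse lookup that actionban's awk performs. The block markers, the 10.10.0.0/16 range and the usernames are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: test the failed-login filter regex and
maintain the generated user->fake-IP block in /etc/hosts for fail2ban."""
import ipaddress
import re

# In the sample line the username is preceded by RIGHT SINGLE QUOTATION MARK
# (U+2019) and followed by an ASCII apostrophe; the pattern must use both as-is.
RIGHT_QUOTE = "\u2019"

# Sample log entry as quoted in the thread (the xxx address is as posted there).
SAMPLE_LOG = (
    "Dec 18 21:43:30 hostname application[26895]: {core} Login failed: "
    + RIGHT_QUOTE + "someuser' (Remote IP: \u2018xxx.xxx.xxx.xxx', X-Forwarded-For: \u2018')"
)

# Yves' end-of-line pattern with the braces escaped; in the real filter the
# (?P<host>...) group is what fail2ban's <HOST> tag expands to.
FAILED_LOGIN_RE = re.compile(
    r"\{core\} Login failed: " + RIGHT_QUOTE + r"(?P<host>\S+)'.*"
)

# Markers delimiting the generated block (assumed names, not from the thread).
MARK_BEGIN = "# BEGIN fail2ban-users (generated nightly from AD)"
MARK_END = "# END fail2ban-users (generated nightly from AD)"


def extract_username(line):
    """Return the username the filter captures, or None for any other line."""
    m = FAILED_LOGIN_RE.search(line)
    return m.group("host") if m else None


def assign_addresses(usernames, existing=None, network="10.10.0.0/16"):
    """Map each username to an address in an otherwise unused range.

    Addresses present in `existing` ({user: "ip"}) are kept, so a ban that is
    active across the nightly refresh still resolves to the same user; users
    gone from AD are dropped and newcomers get the lowest free address.
    """
    net = ipaddress.ip_network(network)
    wanted = set(usernames)
    for user in wanted:
        # /etc/hosts is whitespace-separated and '#' starts a comment.
        if not user or re.search(r"[\s#]", user):
            raise ValueError("username not representable in /etc/hosts: %r" % user)
    assigned = {u: ipaddress.ip_address(ip)
                for u, ip in (existing or {}).items() if u in wanted}
    used = set(assigned.values())
    free = (h for h in net.hosts() if h not in used)
    for user in sorted(wanted - set(assigned)):
        try:
            assigned[user] = next(free)
        except StopIteration:
            raise ValueError("address range %s exhausted" % network)
    return assigned


def render_hosts_block(assigned):
    """Render the generated block, one 'ip username' line per user, by address."""
    lines = [MARK_BEGIN]
    for user, ip in sorted(assigned.items(), key=lambda kv: kv[1]):
        lines.append("%s %s" % (ip, user))
    lines.append(MARK_END)
    return "\n".join(lines) + "\n"


def replace_block(hosts_text, block):
    """Return hosts_text with the generated block replaced, or appended if absent."""
    pattern = re.compile(re.escape(MARK_BEGIN) + r".*?" + re.escape(MARK_END) + r"\n?", re.S)
    if pattern.search(hosts_text):
        return pattern.sub(lambda _m: block, hosts_text, count=1)
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + block


def parse_block(hosts_text):
    """Read {username: "ip"} back from the generated block."""
    m = re.search(re.escape(MARK_BEGIN) + r"\n(.*?)" + re.escape(MARK_END), hosts_text, re.S)
    mapping = {}
    if m:
        for line in m.group(1).splitlines():
            fields = line.split()
            if len(fields) >= 2:
                mapping[fields[1]] = fields[0]
    return mapping


def username_for_ip(hosts_text, ip):
    """Exact-match reverse lookup: the job actionban's awk does with <ip>."""
    for user, addr in parse_block(hosts_text).items():
        if addr == ip:
            return user
    return None


if __name__ == "__main__":
    users = ["georges", "elisabeth", "edward", "victoria"]  # constructed sample
    hosts = replace_block("127.0.0.1 localhost\n", render_hosts_block(assign_addresses(users)))
    print(hosts)
    print("captured:", extract_username(SAMPLE_LOG))
```

For the nightly job, read the current /etc/hosts, pass `parse_block()` of it as `existing` together with the fresh AD user list, write the result to a temporary file and rename it into place; as noted earlier in the thread, the `hosts:` line in /etc/nsswitch.conf has to start with `files` for fail2ban's resolution to hit these entries.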
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users