Hi Yves,
We have a fairly large and complex network. There are 3 routes into our network
where remote connections have their IP changed by source natting. So the real
remote IP is only known to the devices doing the natting. But the traffic is
encrypted at that stage so they can’t alter it. SSL is handled at the load
balancer so that’s the first opportunity to alter things but the real remote IP
is already lost. As far as the load balancer is concerned the firewall
initiated the request (because it kind of did).
But with a tiny patch to filter.py I think I’ve got a workable solution. I
changed dnsutils.texttoip to return the text if usedns is set to no. So my jail
sets it to no and my filter is able to capture the username with <HOST>. I have
an action that uses iptables string matching looking for the authorization:
basic header. I’m using base64 to encode the username supplied by the filter
but removing trailing equals signs and an additional trailing char. The
resulting string always matches the first portion of the username:password
string encoded with base64.
I’ve only done basic testing at this stage on a dev system but so far so good.
If it works out I’ll submit my little patch as a feature request. It’s probably
not the best way to achieve this result. There’s probably a more appropriate
place to force the return of the captured text even if it’s not a resolvable
hostname or IP address. But for the purposes of testing that the action does
what I expect under real conditions the patch will do for now.
Thanks again for taking the time to help. Your comments helped guide me in
learning what I needed to know about how fail2ban works.
Regards,
Stephen
--- This email is made from 100% recycled electrons ---
On Dec 22, 2014, at 3:54, Yves <[email protected]> wrote:
> Hi Stephen,
>
> On 2014-12-19 15:54, Stephen Colebrook wrote:
>> Hi Yves,
>> Thanks for your help with the regex. If I add a username to the hosts
>> file fail2ban-regex works.
>> I'm trying to ban on username because I can't ban on IP address for
>> connections coming into our network from certain gateways that are
>> using source NAT. The firewall doing the natting can't modify the
>> X-Forwarded-For http header because the traffic is encrypted at that
>> point. But once things move past that firewall the real remote IP is
>> lost. The load balancer only sees the IP of the firewall as the remote
>> IP, and I can't ban the firewall or I'll cut off a large section of
>> users.
> Can't you configure your middleware (firewall/load balancer/whatever…) to
> transparently forward the IP? This can be done either with iptables rules if
> the software allows it, or with the "proxy-protocol". See here for some
> information:
> http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
> http://yalis.fr/cms/index.php/post/2014/09/12/The-do-it-all-port-443%E2%80%A6
>
>> I also can't add each user to /etc/hosts. This system uses AD for
>> authentication and there will be approximately 3500 users accessing it
>> daily. While putting everyone in /etc/hosts is technically possible,
>> it would be a horribly difficult solution to maintain.
> Not necessarily: provided your AD does not change too often, and you're
> willing to accept a 24-hour-max delay in updating the hosts file whenever the
> AD does change, a nightly cron job to flush and replace the user list in
> /etc/hosts based on the AD would do the trick.
>
> Of course, it is also possible to tweak my solution to rely on the AD instead
> of the hosts file, but I can see how this would be questionable: you probably
> shouldn't mix real domains and fake domains (users actually) in the AD.
>
>> Is there no way to prevent fail2ban from trying to resolve hostnames
> I don't know of any way, but I'm new to fail2ban, and I don't know all of its
> features. Then, you may also tweak the source code ;-)
>
>> and just pass the string in the regex to the action? Setting usedns to
>> no will just cause it to skip hostnames. I was hoping to write an
>> action that would read the http authentication headers to match the
>> user name. I do that for banning based on the content of the
>> X-Forwarded-For header so I can ban a remote IP instead of the load
>> balancer.
>> Stephen
>> On 12/19/2014 8:45 AM, Yves wrote:
>>> Hi,
>>> That's a tricky question…
>>> On 2014-12-19 13:55, Stephen Colebrook wrote:
>>>> Hi,
>>>> I’m trying to write a filter to capture a username from log entries
>>>> instead of an IP address. So <HOST> can’t be used. Apparently a python
>>> What exactly do you want to achieve? As far as I know, Fail2ban is
>>> unable to capture, or act on, anything other than a host.
>>> For the sake of the discussion, I will assume that you would like to ban
>>> users that fail too often, instead of banning hosts that fail too often.
>>> Fail2ban can't do that in theory. Yet it can sort-of be done.
>>>> regex should work but I can’t find the right syntax for fail2ban-regex
>>>> to catch the log entries I’m after. I have no python experience so
>>>> hopefully someone can help.
>>>> Here’s a sample log entry:
>>>> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
>>>> 'someuser' (Remote IP: 'xxx.xxx.xxx.xxx', X-Forwarded-For: '')
>>> OK. Be careful, as {} characters have meaning for regular expressions.
>>> First step is to capture the bad logins. I'm still not all that familiar
>>> with how Fail2ban matches the beginning of the line, but this should be
>>> fine at least for the end of the line:
>>> \{core\} Login failed: '(?P<host>\S+)'.*
>>> Now, Fail2ban will think that these are hosts, that you thus capture.
>>> So it will try to find out the IP. Thus you'll have to devise some
>>> mapping. I suggest you use an IP range that you have no use for, such as
>>> 10.10.x.x, and create the mapping in /etc/hosts:
>>> 10.10.0.1 elisabeth
>>> 10.10.0.2 georges
>>> 10.10.0.3 edward
>>> 10.10.0.4 victoria
>>> and so on…
>>> (Of course, check that the "hosts:" line in /etc/nsswitch.conf begins
>>> with "files")
>>> Then you need a special action that will deal with the specifics of your
>>> software. Let's assume that this software is for example sshd. SSH deals
>>> with user denial using "DenyUsers", and thankfully sshd can be restarted
>>> with no harm done to the existing connections. The action would thus look
>>> like this:
>>> [Definition]
>>> actionstart =
>>> actionstop =
>>> actioncheck =
>>> actionban = banned=`awk '/^<ip>[[:blank:]]/{print $2}' /etc/hosts`
>>>             if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
>>>                 sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" \
>>>                     /etc/ssh/sshd_config
>>>             else
>>>                 echo "DenyUsers $banned" >>/etc/ssh/sshd_config
>>>             fi
>>>             *** RESTART ***
>>> actionunban = banned=`awk '/^<ip>[[:blank:]]/{print $2}' /etc/hosts`
>>>               sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" \
>>>                   /etc/ssh/sshd_config
>>>               sed -i '/^DenyUsers *$/d' /etc/ssh/sshd_config
>>>               *** RESTART ***
>>> [Init]
>>> In this example I gave, both actionban and actionunban must restart
>>> sshd to take into account the change in the configuration, exactly at
>>> the place where I wrote "*** RESTART ***".
>>> The command to use depends on your distribution; most common commands
>>> are:
>>> systemctl restart sshd.service
>>> /etc/init.d/sshd restart
>>> service sshd restart
>>> …
>>> Minus the comments, this is more or less the action file. You may
>>> want to introduce parameters, for example the path of the file to
>>> change. This depends on the software and how it manages its users,
>>> though.
>>>> I’ve tried the following in my filter without success:
>>>> {core} Login failed: '(?P<host>\S+)'
>>>> Any advice for this python rookie?
>>>> Thanks in advance.
>>> Good luck!
>>> Yves.
>>> http://yalis.fr/
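A worked check of the two mechanisms discussed in this thread, the filter regex that captures the username through <HOST> and the base64 prefix used in the iptables string-match ban action. This is an added example, not code from the thread or from fail2ban. It assumes the log line uses plain ASCII single quotes, that the application receives cleartext HTTP on port 80 behind the TLS-terminating load balancer, and it runs on constructed sample log lines; every function name here is the example's own. Besides computing the prefix it also lists which longer usernames would share it: the colon after the username is fully encoded only when len(username) + 1 is a multiple of 3, otherwise a few usernames that extend the banned one (for "bob": "bob8", "bob9" and "bob;") match the same string and would be banned along with it.

```python
import base64
import re

# Filter regex in the shape suggested in the thread (ASCII quotes assumed);
# the "host" group captures the username so fail2ban passes it through <HOST>.
LOGIN_FAILED_RE = re.compile(
    r"\{core\} Login failed: '(?P<host>[^']+)' "
    r"\(Remote IP: '(?P<rip>[^']*)', X-Forwarded-For: '(?P<xff>[^']*)'\)"
)

# Constructed sample log lines in the format quoted in the thread (not real data).
SAMPLE_LOG = """\
Dec 18 21:43:30 hostname application[26895]: {core} Login failed: 'someuser' (Remote IP: '192.0.2.10', X-Forwarded-For: '')
Dec 18 21:43:31 hostname application[26895]: {core} Login failed: 'someuser' (Remote IP: '192.0.2.10', X-Forwarded-For: '')
Dec 18 21:43:40 hostname application[26895]: {core} Login failed: 'other.user' (Remote IP: '192.0.2.10', X-Forwarded-For: '')
Dec 18 21:44:02 hostname application[26895]: {core} Login ok: 'someuser' (Remote IP: '192.0.2.10', X-Forwarded-For: '')
"""


def failed_users(log_text):
    """Usernames the filter would capture, one per failed-login line."""
    users = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED_RE.search(line)
        if m:
            users.append(m.group("host"))
    return users


def basic_auth_prefix(username):
    """Longest base64 prefix shared by every Basic credential 'username:<anything>'.

    Base64 maps 3 input bytes to 4 characters.  Whole 3-byte groups of
    'username:' encode identically whatever follows; a trailing partial group
    of 1 byte fixes 1 more character, of 2 bytes 2 more.  The remaining
    character(s) and the '=' padding mix in bits of the unknown password.
    """
    raw = (username + ":").encode()
    stable_chars = 4 * (len(raw) // 3) + len(raw) % 3
    return base64.b64encode(raw).decode().rstrip("=")[:stable_chars]


def basic_header(username, password):
    """The Authorization header a client would send (used to exercise the match)."""
    cred = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Authorization: Basic " + cred


def header_matches(header_value, username):
    """Emulate the iptables -m string test on one Authorization header value."""
    return ("Authorization: Basic " + basic_auth_prefix(username)) in header_value


def ambiguous_suffixes(username):
    """Characters c such that banning `username` also hits the user `username + c`.

    Empty only when the colon is encoded in full; otherwise its top bits are
    shared with the next byte and some longer usernames match the same prefix.
    ':' is skipped because a Basic user-id cannot contain one.
    """
    hits = []
    for code in range(0x21, 0x7F):
        c = chr(code)
        if c == ":":
            continue
        if header_matches(basic_header(username + c, "x"), username):
            hits.append(c)
    return hits


def iptables_ban_rule(username, port=80):
    """iptables rule for the ban action (the port is an assumption of this example)."""
    return ("iptables -I INPUT -p tcp --dport %d -m string --algo bm "
            "--string 'Authorization: Basic %s' -j DROP"
            % (port, basic_auth_prefix(username)))


if __name__ == "__main__":
    for user in failed_users(SAMPLE_LOG):
        print(user, basic_auth_prefix(user), ambiguous_suffixes(user))
    print(iptables_ban_rule("someuser"))
```

Two things to keep in mind when turning this into a real action: `-m string` is case-sensitive unless `--icase` is given, and `--icase` also makes the base64 part case-insensitive, which widens the match beyond the intended user; and a packet-level string match only sees the header if it arrives in cleartext and within a single packet, so the rule belongs on a hop after TLS termination and can be evaded by a client that splits the request.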
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users