Hi, I'm trying to write a custom jail + filter to configure fail2ban to handle failed SSH logins on my Synology NAS (the Chinese seem to be after my photo collection ;).

I think something might be wrong with the custom filter I wrote for that. Help would be appreciated!

# What I'm trying to catch

Synology decided to change the default behaviour for SSH logging (/var/log/auth.log) and also uses a custom logging format. Synology logs to: /var/log/synolog/synocopy.log

A failed SSH login attempt looks like this:

    warning 2015/02/01 14:43:19 SYSTEM: User [doof] from [103.41.124.52] failed to log in via [SSH] due to authorization failure.

# fail2ban custom jail

I setup fail2ban 0.9.1 on the Synology NAS as described on github. My jail.local looks like this (changed parts):

    action = %(action_mw)s

    [ssh-iptables-syno]
    enabled = true
    logpath = /var/log/synolog/synoconn.log

# fail2ban custom filter

I have created ./filter.d/ssh-iptables-syno.conf and it looks like this:

    failregex = ^warning.\S+.\S+.SYSTEM:.User \S+ from \[\S+\] failed to log in via \[<HOST>\] due to authorization failure.$

This regex does match the Synology format when tested on https://regex101.com/

# fail2ban startup looks good

> fail2ban-client reload

produces this fail2ban.log output:

    2015-02-01 15:34:13,083 fail2ban.server [608]: INFO Stopping all jails
    2015-02-01 15:34:14,465 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' stopped
    2015-02-01 15:34:14,632 fail2ban.server [608]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
    2015-02-01 15:34:14,652 fail2ban.database [608]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
    2015-02-01 15:34:14,740 fail2ban.jail [608]: INFO Creating new jail 'ssh-iptables-syno'
    2015-02-01 15:34:14,747 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' uses poller
    2015-02-01 15:34:14,771 fail2ban.filter [608]: INFO Set jail log file encoding to UTF-8
    2015-02-01 15:34:14,773 fail2ban.jail [608]: INFO Initiated 'polling' backend
    2015-02-01 15:34:14,955 fail2ban.filter [608]: INFO Added logfile = /var/log/synolog/synoconn.log
    2015-02-01 15:34:14,974 fail2ban.filter [608]: INFO Set maxRetry = 2
    2015-02-01 15:34:14,998 fail2ban.filter [608]: INFO Set jail log file encoding to UTF-8
    2015-02-01 15:34:15,016 fail2ban.actions [608]: INFO Set banTime = 20
    2015-02-01 15:34:15,039 fail2ban.filter [608]: INFO Set findtime = 200
    2015-02-01 15:34:15,259 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' started

# fail2ban doesn't recognize attempts

f2b seems to recognize changes to the log file and does something but doesn't process the IP. On failed login attempts the fail2ban.log (on DEBUG) has entries like this one:

    2015-02-01 15:26:26,241 fail2ban.filterpoll [608]: DEBUG /var/log/synolog/synoconn.log has been modified
    2015-02-01 15:26:26,244 fail2ban.datedetector [608]: DEBUG Matched time template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
    2015-02-01 15:26:26,246 fail2ban.datedetector [608]: DEBUG Got time 1422800785.000000 for "u'2015/02/01 15:26:25'" using template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
    2015-02-01 15:26:26,385 fail2ban.datedetector [608]: DEBUG Sorting the template list
    2015-02-01 15:26:26,387 fail2ban.datedetector [608]: DEBUG Winning template: Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)? with 3829 hits
    2015-02-01 15:26:28,401 fail2ban.filterpoll [608]: DEBUG /var/log/synolog/synoconn.log has been modified
    2015-02-01 15:26:28,404 fail2ban.datedetector [608]: DEBUG Matched time template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
    2015-02-01 15:26:28,406 fail2ban.datedetector [608]: DEBUG Got time 1422800787.000000 for "u'2015/02/01 15:26:27'" using template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
    2015-02-01 15:26:28,543 fail2ban.datedetector [608]: DEBUG Sorting the template list
    2015-02-01 15:26:28,544 fail2ban.datedetector [608]: DEBUG Winning template: Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)? with 3830 hits

# Jail status

For the sake of completeness:

    > fail2ban-client status ssh-iptables-syno
    Status for the jail: ssh-iptables-syno
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/synolog/synoconn.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:

Any idea anyone?

---
Sebastian Patiño-Lang, B.Sc. | Rheinstraße 43 | 76185 Karlsruhe |
| +49 172 894 13 17 | [email protected] |
| http://sebastian.patino.de |
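Added example, not part of the post above: a small Python check that applies a fail2ban failregex to the Synology line the way the 0.9 filter does, so a filter can be tested offline before reloading the jail. It assumes fail2ban's `<HOST>` expansion `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)` and that fail2ban removes the detected timestamp from a line before matching failregex against it; `FIXED` is a hypothetical corrected filter that puts `<HOST>` on the client address instead of on `[SSH]`.

```python
import re
import ipaddress

# Assumption: fail2ban 0.9's expansion of the <HOST> tag in a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample line in the synoconn.log format quoted in the post.
SAMPLE = ("warning 2015/02/01 14:43:19 SYSTEM: User [doof] from "
          "[103.41.124.52] failed to log in via [SSH] due to authorization failure.")

# The date template fail2ban reported as "winning" in the post's debug log.
DATE_RE = re.compile(r"\d{4}([-/.])\d{2}\1\d{2} \d{2}:\d{2}:\d{2}(?:,\d+)?")

# failregex exactly as posted: <HOST> sits where "[SSH]" is, not on the IP.
POSTED = (r"^warning.\S+.\S+.SYSTEM:.User \S+ from \[\S+\] failed to log in "
          r"via \[<HOST>\] due to authorization failure.$")

# Hypothetical corrected filter: <HOST> on the client address, and no reliance
# on the timestamp tokens, which (assumption) fail2ban strips before matching.
FIXED = (r"^\s*warning\s+SYSTEM: User \[\S+\] from \[<HOST>\] failed to log in "
         r"via \[SSH\] due to authorization failure\.$")


def strip_date(line):
    """Remove the timestamp the way fail2ban does before applying failregex."""
    m = DATE_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def find_host(failregex, line, strip=True):
    """Return the <HOST> capture for line, or None if the filter does not fire."""
    target = strip_date(line) if strip else line
    m = re.search(failregex.replace("<HOST>", HOST_TAG), target)
    return m.group("host") if m else None


def is_ip(host):
    """True if the captured host is a literal IP address fail2ban could ban."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("fixed", FIXED)):
        host = find_host(rx, SAMPLE)
        print(f"{name}: host={host!r} bannable={host is not None and is_ip(host)}")
```

The same check against the live log is `fail2ban-regex /var/log/synolog/synoconn.log /etc/fail2ban/filter.d/ssh-iptables-syno.conf`, which reports the matched lines and the hosts it extracted.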
