Hi again,

I figured it out. The regex was wrong. Fixed it with

failregex = ^.*from \[<HOST>\] failed.*

BUT now fail2ban seems to have problems with configuring iptables on the Synology NAS.

Here is the relevant fail2ban.log:
http://pastebin.com/TvTG3c7W

The first ERROR comes here:

2015-02-01 17:22:52,394 fail2ban.jail [30576]: INFO Jail 'ssh-iptables-syno' started
2015-02-01 17:22:53,287 fail2ban.actions [30576]: NOTICE [ssh-iptables-syno] Ban 103.41.124.52
2015-02-01 17:22:53,613 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''

Any ideas on that?

---
Sebastian Patiño-Lang, B.Sc.

| Rheinstraße 43 | 76185 Karlsruhe |
| +49 172 894 13 17 | [email protected] |
| http://sebastian.patino.de |

On Sun, Feb 1, 2015 at 3:48 PM, Sebastian Patiño-Lang <[email protected]> wrote:
> Hi,
>
> I'm trying to write a custom jail + filter to configure fail2ban to
> handle failed SSH logins on my Synology NAS (the Chinese seem to be
> after my photo collection ;).
>
> I think something might be wrong with the custom filter I wrote for
> that. Help would be appreciated!
>
> # What I'm trying to catch
>
> Synology decided to change the default behaviour for SSH logging
> (/var/log/auth.log) and also uses a custom logging format.
>
> Synology logs to:
> /var/log/synolog/synocopy.log
>
> A failed SSH login attempt looks like this:
> warning 2015/02/01 14:43:19 SYSTEM: User [doof] from [103.41.124.52] failed to log in via [SSH] due to authorization failure.
>
> # fail2ban custom jail
>
> I set up fail2ban 0.9.1 on the Synology NAS as described on GitHub.
> My jail.local looks like this (changed parts):
>
> action = %(action_mw)s
> [ssh-iptables-syno]
> enabled = true
> logpath = /var/log/synolog/synoconn.log
>
> # fail2ban custom filter
>
> I have created ./filter.d/ssh-iptables-syno.conf and it looks like this:
>
> failregex = ^warning.\S+.\S+.SYSTEM:.User \S+ from \[\S+\] failed to log in via \[<HOST>\] due to authorization failure.$
>
> This regex does match the Synology format when tested on https://regex101.com/
>
> # fail2ban startup looks good
>
> >>fail2ban-client reload produces this fail2ban.log output:
>
> 2015-02-01 15:34:13,083 fail2ban.server [608]: INFO Stopping all jails
> 2015-02-01 15:34:14,465 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' stopped
> 2015-02-01 15:34:14,632 fail2ban.server [608]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
> 2015-02-01 15:34:14,652 fail2ban.database [608]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
> 2015-02-01 15:34:14,740 fail2ban.jail [608]: INFO Creating new jail 'ssh-iptables-syno'
> 2015-02-01 15:34:14,747 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' uses poller
> 2015-02-01 15:34:14,771 fail2ban.filter [608]: INFO Set jail log file encoding to UTF-8
> 2015-02-01 15:34:14,773 fail2ban.jail [608]: INFO Initiated 'polling' backend
> 2015-02-01 15:34:14,955 fail2ban.filter [608]: INFO Added logfile = /var/log/synolog/synoconn.log
> 2015-02-01 15:34:14,974 fail2ban.filter [608]: INFO Set maxRetry = 2
> 2015-02-01 15:34:14,998 fail2ban.filter [608]: INFO Set jail log file encoding to UTF-8
> 2015-02-01 15:34:15,016 fail2ban.actions [608]: INFO Set banTime = 20
> 2015-02-01 15:34:15,039 fail2ban.filter [608]: INFO Set findtime = 200
> 2015-02-01 15:34:15,259 fail2ban.jail [608]: INFO Jail 'ssh-iptables-syno' started
>
> # fail2ban doesn't recognize attempts
>
> f2b seems to recognize changes to the log file and does something but
> doesn't process the IP.
> On failed login attempts the fail2ban.log (on DEBUG) has entries like this one:
>
> 2015-02-01 15:26:26,241 fail2ban.filterpoll [608]: DEBUG /var/log/synolog/synoconn.log has been modified
> 2015-02-01 15:26:26,244 fail2ban.datedetector [608]: DEBUG Matched time template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
> 2015-02-01 15:26:26,246 fail2ban.datedetector [608]: DEBUG Got time 1422800785.000000 for "u'2015/02/01 15:26:25'" using template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
> 2015-02-01 15:26:26,385 fail2ban.datedetector [608]: DEBUG Sorting the template list
> 2015-02-01 15:26:26,387 fail2ban.datedetector [608]: DEBUG Winning template: Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)? with 3829 hits
> 2015-02-01 15:26:28,401 fail2ban.filterpoll [608]: DEBUG /var/log/synolog/synoconn.log has been modified
> 2015-02-01 15:26:28,404 fail2ban.datedetector [608]: DEBUG Matched time template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
> 2015-02-01 15:26:28,406 fail2ban.datedetector [608]: DEBUG Got time 1422800787.000000 for "u'2015/02/01 15:26:27'" using template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
> 2015-02-01 15:26:28,543 fail2ban.datedetector [608]: DEBUG Sorting the template list
> 2015-02-01 15:26:28,544 fail2ban.datedetector [608]: DEBUG Winning template: Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)? with 3830 hits
>
> # Jail status
>
> For the sake of completeness:
>
> >> fail2ban-client status ssh-iptables-syno
> Status for the jail: ssh-iptables-syno
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 0
> |  `- File list: /var/log/synolog/synoconn.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
>
> Any idea anyone?
>
> ---
>
> Sebastian Patiño-Lang, B.Sc.
>
> | Rheinstraße 43 | 76185 Karlsruhe |
> | +49 172 894 13 17 | [email protected] |
>
> | http://sebastian.patino.de |

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
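
Added example, not part of the original thread and not fail2ban's own code: a small offline check of the two failregex values quoted above against the sample log line from the post, showing what <HOST> captures in each case. It assumes a simplified model of fail2ban 0.9.x: HOST_RE approximates the pattern substituted for <HOST>, and DATE_RE stands in for the date template seen in the DEBUG log, whose match is cut out of the line before the failregex is applied.

```python
import re

# Assumption: approximation of what fail2ban 0.9.x substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumption: simplified stand-in for the date template in the DEBUG log
# (Year/Month/Day 24hour:Minute:Second).
DATE_RE = re.compile(r"\d{4}([-/.])\d{2}\1\d{2} \d{2}:\d{2}:\d{2}")

# Log line quoted in the original post.
SAMPLE = ("warning 2015/02/01 14:43:19 SYSTEM: User [doof] from [103.41.124.52] "
          "failed to log in via [SSH] due to authorization failure.")

# The two failregex values from the thread.
FIRST_TRY = (r"^warning.\S+.\S+.SYSTEM:.User \S+ from \[\S+\] failed to "
             r"log in via \[<HOST>\] due to authorization failure.$")
FIXED = r"^.*from \[<HOST>\] failed.*"


def strip_timestamp(line):
    """Cut the first timestamp out of the line, as the filter does before matching."""
    return DATE_RE.sub("", line, count=1)


def captured_host(failregex, line, strip_date=True):
    """Return what <HOST> captures, or None when the failregex does not match."""
    if strip_date:
        line = strip_timestamp(line)
    match = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, regex in (("first try", FIRST_TRY), ("fixed", FIXED)):
        print(name,
              "| raw line:", captured_host(regex, SAMPLE, strip_date=False),
              "| timestamp removed:", captured_host(regex, SAMPLE))
```

On the raw line the first regex matches but <HOST> sits in the [SSH] bracket, and once the timestamp is removed it no longer matches at all; fail2ban's own fail2ban-regex tool runs a filter against a real log file with the same preprocessing the server uses.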
