Hi. On my fresh FreeBSD 10.2-RELEASE box with fail2ban 0.9.2 I can't get the complain or xarf-login-attack action to work. I'd like to have a copy of the complaint, so I modified the action accordingly (see attached).
As far as I can see, fail2ban claims a syntax error on the line
getting the abuse contact addresses, but I can't see where and why.
Maybe anyone has seen this before? Or, are there any ideas? Let me
know if you need more information ...
In jail.local, I call the action like this:
----
[DEFAULT]
sender=******@******.de
destemail=******@******.de
banaction = bsd-ipfw
complainaction = xarf-login-attack
findtime = 1200
bantime = 2592000
maxretry = 3
# default action
action = %(action_mwl)s
action_mwlc = %(banaction)s[name=%(__name__)s]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
              %(complainaction)s[service=%(__name__)s, logpath=%(logpath)s, port="%(port)s", sender="%(sender)s", bccmail="%(destemail)s"]
action_mwl = %(banaction)s[name=%(__name__)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
#
# JAILS
#
[sshd]
enabled = true
action = %(action_mwlc)s
----
From the fail2ban debug log:
2015-08-25 21:59:19,825 fail2ban.actions [33335]: NOTICE [sshd] Ban 104.168.56.186
2015-08-25 21:59:20,652 fail2ban.action [33335]: ERROR
oifs=${IFS}; IFS=.;SEP_IP=( 104.168.56.186 ); set -- ${SEP_IP};
ADDRESSES=$(dig +short -t txt
-q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
IP=104.168.56.186
FROM=******@******.de
SERVICE=sshd
FAILURES=3
REPORTID=1440532759.83@`uname -n`
TLP=green
PORT=ssh
DATE=`LC_TIME=C date [email protected] +"%a, %d %h %Y %T %z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %b "Subject: abuse report about $IP -
$DATE\nAuto-Submitted: auto-generated\nX-XARF:
PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed;
charset=utf8;\n
boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8;\n\nDear Sir/Madam,\n\nWe have detected abuse from the IP
address $IP, which according to abusix.com is on your network. We
would appreciate if you would investigate and take action as
appropriate.\n\nLog lines are given below, but please ask if you require
any further information.\n\n(If you are not the correct person to
contact about this please accept our apologies - your e-mail address
was extracted from the whois record by an automated process.)\n\n This
mail was generated by Fail2Ban in a X-ARF format! You can find more
information about x-arf at
http://www.x-arf.org/specification.html.\n\nThe recipient address of
this report was provided by the Abuse Contact DB by abusix.com.
abusix.com does not maintain the content of the database. All
information which we pass out, derives from the RIR databases and is
processed for ease of use. If you want to change or report non
working abuse contacts please contact the appropriate RIR. If you have
any further question, contact abusix.com directly via email
([email protected]). Information about the Abuse Contact Database can be
found here:
https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is
neither responsible nor liable for the content or accuracy of this
message.\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory:
abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService:
$SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate:
$DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL:
http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment:
text/plain\nOccurances: $FAILURES\nTLP:
$TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf8; name="logfile.log";\n";
date '+Note: Local timezone is %z (%Z)';
printf -- %b "Aug 25 03:23:52 v22015082968727213 sshd[27782]: Invalid
user a from 104.168.56.186
Aug 25 03:24:10 v2201508296872**** sshd[27816]: Invalid user ubuntu
from 104.168.56.186
Aug 25 03:24:11 v2201508296872**** sshd[27818]: Invalid user ubuntu
from 104.168.56.186\n\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--") |
/usr/sbin/sendmail ${ADDRESSES//,/" "}
fi -- stdout: ''
2015-08-25 21:59:20,652 fail2ban.action [33335]: ERROR
oifs=${IFS}; IFS=.;SEP_IP=( 104.168.56.186 ); set -- ${SEP_IP};
ADDRESSES=$(dig +short -t txt
-q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
IP=104.168.56.186
FROM=******@******.de
SERVICE=sshd
FAILURES=3
REPORTID=1440532759.83@`uname -n`
TLP=green
PORT=ssh
DATE=`LC_TIME=C date [email protected] +"%a, %d %h %Y %T %z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %b "Subject: abuse report about $IP -
$DATE\nAuto-Submitted: auto-generated\nX-XARF:
PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed;
charset=utf8;\n
boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8;\n\nDear Sir/Madam,\n\nWe have detected abuse from the IP
address $IP, which according to abusix.com is on your network. We
would appreciate if you would investigate and take action as
appropriate.\n\nLog lines are given below, but please ask if you require
any further information.\n\n(If you are not the correct person to
contact about this please accept our apologies - your e-mail address
was extracted from the whois record by an automated process.)\n\n This
mail was generated by Fail2Ban in a X-ARF format! You can find more
information about x-arf at
http://www.x-arf.org/specification.html.\n\nThe recipient address of
this report was provided by the Abuse Contact DB by abusix.com.
abusix.com does not maintain the content of the database. All
information which we pass out, derives from the RIR databases and is
processed for ease of use. If you want to change or report non
working abuse contacts please contact the appropriate RIR. If you have
any further question, contact abusix.com directly via email
([email protected]). Information about the Abuse Contact Database can be
found here:
https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is
neither responsible nor liable for the content or accuracy of this
message.\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory:
abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService:
$SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate:
$DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL:
http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment:
text/plain\nOccurances: $FAILURES\nTLP:
$TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf8; name="logfile.log";\n";
date '+Note: Local timezone is %z (%Z)';
printf -- %b "Aug 25 03:23:52 v22015082968727213 sshd[27782]: Invalid
user a from 104.168.56.186
Aug 25 03:24:10 v2201508296872**** sshd[27816]: Invalid user ubuntu
from 104.168.56.186
Aug 25 03:24:11 v2201508296872**** sshd[27818]: Invalid user ubuntu
from 104.168.56.186\n\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--") |
/usr/sbin/sendmail ${ADDRESSES//,/" "}
fi -- stderr: 'Syntax error: word unexpected (expecting ")")\n'
2015-08-25 21:59:20,652 fail2ban.action [33335]: ERROR
oifs=${IFS}; IFS=.;SEP_IP=( 104.168.56.186 ); set -- ${SEP_IP};
ADDRESSES=$(dig +short -t txt
-q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
IP=104.168.56.186
FROM=****@******.de
SERVICE=sshd
FAILURES=3
REPORTID=1440532759.83@`uname -n`
TLP=green
PORT=ssh
DATE=`LC_TIME=C date [email protected] +"%a, %d %h %Y %T %z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %b "Subject: abuse report about $IP -
$DATE\nAuto-Submitted: auto-generated\nX-XARF:
PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed;
charset=utf8;\n
boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8;\n\nDear Sir/Madam,\n\nWe have detected abuse from the IP
address $IP, which according to abusix.com is on your network. We
would appreciate if you would investigate and take action as
appropriate.\n\nLog lines are given below, but please ask if you require
any further information.\n\n(If you are not the correct person to
contact about this please accept our apologies - your e-mail address
was extracted from the whois record by an automated process.)\n\n This
mail was generated by Fail2Ban in a X-ARF format! You can find more
information about x-arf at
http://www.x-arf.org/specification.html.\n\nThe recipient address of
this report was provided by the Abuse Contact DB by abusix.com.
abusix.com does not maintain the content of the database. All
information which we pass out, derives from the RIR databases and is
processed for ease of use. If you want to change or report non
working abuse contacts please contact the appropriate RIR. If you have
any further question, contact abusix.com directly via email
([email protected]). Information about the Abuse Contact Database can be
found here:
https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is
neither responsible nor liable for the content or accuracy of this
message.\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory:
abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService:
$SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate:
$DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL:
http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment:
text/plain\nOccurances: $FAILURES\nTLP:
$TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf8; name="logfile.log";\n";
date '+Note: Local timezone is %z (%Z)';
printf -- %b "Aug 25 03:23:52 v22015082968727213 sshd[27782]: Invalid
user a from 104.168.56.186
Aug 25 03:24:10 v2201508296872**** sshd[27816]: Invalid user ubuntu
from 104.168.56.186
Aug 25 03:24:11 v2201508296872**** sshd[27818]: Invalid user ubuntu
from 104.168.56.186\n\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--") |
/usr/sbin/sendmail ${ADDRESSES//,/" "}
fi -- returned 2
Thanks for your time,
w6g
xarf-login-attack.conf
Description: Binary data
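The two constructs in the logged command that are not POSIX sh are the array assignment `SEP_IP=( ... )` (the source of the "word unexpected (expecting ")")" message from FreeBSD's ash-derived /bin/sh, which fail2ban uses to run actions) and the `${ADDRESSES//,/" "}` substitution. The block below is an added example, not the poster's attachment or fail2ban's own action file: it rewrites those two steps in portable sh and adds a dotted-quad check before the address is spliced into a DNS name; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from fail2ban.
# Portable replacements for the bash-only parts of the xarf-login-attack
# command: no arrays, no ${var//pat/rep}.

# Accept only a plain dotted-quad IPv4 address (four numeric octets, each 0-255)
# before it is used to build the reverse-lookup name.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the reversed abuse-contacts lookup name. Replaces
#   SEP_IP=( $IP ); set -- ${SEP_IP}; ... $4.$3.$2.$1...
# with field splitting on IFS, which every POSIX sh supports.
abusix_name() {
    is_ipv4 "$1" || return 1
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    printf '%s.%s.%s.%s.abuse-contacts.abusix.org\n' "$4" "$3" "$2" "$1"
}

# Replace ${ADDRESSES//,/" "}: turn the comma-separated TXT answer into the
# space-separated recipient list that sendmail expects.
split_recipients() {
    printf '%s\n' "$1" | tr ',' ' '
}

# In the action file the lookup line would then read (not executed here):
#   ADDRESSES=$(dig +short -t txt -q "$(abusix_name "$IP")")
#   ... | /usr/sbin/sendmail $(split_recipients "$ADDRESSES")
```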
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
