On 26.8.2015 at 9:06 PM, [email protected] wrote:
>On my fresh FreeBSD 10.2-RELEASE box with fail2ban 0.9.2 I can't get
>the complain or xarf-login-attack action to work.
I've tried to narrow it down a bit and, in order to do so, to send the value of
the ADDRESSES variable to me.
I've created an action "sendmail-abusecontactinfo":
------
[INCLUDES]
before = sendmail-common.conf
[Definition]
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = oifs=${IFS}; IFS=.; SEP_IP=( <ip> ); set -- ${SEP_IP};
ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org);
IFS=${oifs}
printf %%b "Subject: [Fail2Ban] <name>: abuse contact info for <ip>
Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
The IP <ip> has the following abuse contacts according to
abusix.org:\n
${ADDRESSES//,/\" \"/}\n\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
[Init]
# Default name of the chain
#
name = default
------
The fail2ban log still says,
2015-08-28 20:00:24,321 fail2ban.action [64959]: ERROR oifs=${IFS};
IFS=.; SEP_IP=( 93.174.95.81 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt
-q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
printf %b "Subject: [Fail2Ban] sshd: abuse contact info for 93.174.95.81
Date: `LC_TIME=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <******@******.de>
To: ******@******.de\n
The IP 93.174.95.81 has the following abuse contacts according to abusix.org:\n
${ADDRESSES//,/\" \"/}\n\n
Fail2Ban" | /usr/sbin/sendmail -f ******@******.de ******@******.de -- stderr:
'Syntax error: word unexpected (expecting ")")\n'
2015-08-28 20:00:24,322 fail2ban.action [64959]: ERROR oifs=${IFS};
IFS=.; SEP_IP=( 93.174.95.81 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt
-q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
printf %b "Subject: [Fail2Ban] sshd: abuse contact info for 93.174.95.81
Date: `LC_TIME=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <[email protected]>
To: ******@******.de\n
The IP 93.174.95.81 has the following abuse contacts according to abusix.org:\n
${ADDRESSES//,/\" \"/}\n\n
Fail2Ban" | /usr/sbin/sendmail -f ******@******.de ******@******.de -- returned
2
2015-08-28 20:00:24,322 fail2ban.actions [64959]: ERROR Failed to
execute ban jail 'sshd' action 'sendmail-abusecontactinfo' info
'CallingMap({'ipjailmatches': <function <lambda> at 0x807ac08c0>, 'matches':
'Aug 22 23:32:35 v2201508296872**** sshd[91396]: Invalid user admin from
93.174.95.81\nAug 22 23:32:35 v22015082968727213 sshd[91398]: Invalid user test
from 93.174.95.81\nAug 22 23:32:35 v22015082968727213 sshd[91400]: Invalid user
guest from 93.174.95.81', 'ip': '93.174.95.81', 'ipmatches': <function <lambda>
at 0x807ac0938>, 'ipfailures': <function <lambda> at 0x807ac0a28>, 'time':
1440784823.599603, 'failures': 3, 'ipjailfailures': <function <lambda> at
0x807ac09b0>})': Error banning 93.174.95.81
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/fail2ban/server/actions.py",
line 316, in __checkBan
action.ban(aInfo.copy())
File "/usr/local/lib/python2.7/site-packages/fail2ban/server/action.py", line
298, in ban
raise RuntimeError("Error banning %(ip)s" % aInfo)
RuntimeError: Error banning 93.174.95.81
If I execute the commands
printf %b "Subject: [Fail2Ban] sshd: abuse contact info for 93.174.95.81
Date: `LC_TIME=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <******@******.de>
To: ******@******.de\n
The IP 93.174.95.81 has the following abuse contacts according to abusix.org:\n
${ADDRESSES//,/\" \"/}\n\n
and
printf %b "Subject: [Fail2Ban] sshd: abuse contact info for 93.174.95.81
Date: `LC_TIME=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <******@******.de>
To: ******@******.de\n
The IP 93.174.95.81 has the following abuse contacts according to abusix.org:\n
${ADDRESSES//,/\" \"/}\n\n" | /usr/sbin/sendmail -f ******@******.de
******@******.de
in a shell, they both run without errors, and on the second one, I do receive
the e-mail I am expecting.
What could be the matter?
I see that the command line querying abusix.org only works when executed in a
bash shell. The sh and csh don't seem to know the ${VAR///} replacement
pattern. I already set bash as the login shell for the root account, which is
(as far as I can see) executing the fail2ban service.
Any ideas?
Again, thanks for your time reading this far,
w6g
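
Added example, not part of the original post: the octet reversal and comma replacement from the action above, written with POSIX sh constructs only, so it does not depend on the array syntax or the `${VAR//,/}` expansion that the message observes working only in bash. The function names are hypothetical and the TXT answer is constructed sample data.

```shell
#!/bin/sh
# POSIX sh only: no arrays, no ${VAR//pattern/replacement}.
# Function names are hypothetical; sample data below is constructed.

# Print A.B.C.D as D.C.B.A; return 1 for anything that is not a dotted quad.
reverse_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _oifs=$IFS
    IFS=.
    set -- $1               # unquoted on purpose: split on dots into $1..$4
    IFS=$_oifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Turn a TXT answer such as "a@x,b@y" into a space-separated list.
# The answer is untrusted DNS data, so drop every byte outside a small
# allow-list before it reaches printf %b or the mail body.
format_contacts() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -cd 'A-Za-z0-9@._+ \n-'
}

# Same dig query as in the action, built from the two helpers (needs network).
lookup_contacts() {
    _rev=$(reverse_ipv4 "$1") || return 1
    format_contacts "$(dig +short -t txt -q "$_rev.abuse-contacts.abusix.org")"
}

# Offline demonstration with a constructed TXT answer.
sample_txt='"abuse@example.net,noc@example.net"'
printf 'query: %s.abuse-contacts.abusix.org\n' "$(reverse_ipv4 93.174.95.81)"
printf 'contacts: %s\n' "$(format_contacts "$sample_txt")"
```

If any of this is pasted into an action file, every `%` has to be doubled (`%%`), as the action above already does for `printf %%b`.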