I'll continue my monologue :)

I need an appropriate log filter to match this line type for sshd:

YYYY-MM-DD HH:MM:SS:XXXXXX+GMT hostname sshd[<process_id>]: error: PAM: authentication error for <username> XXX.XXX.XXX.XXX

Example:

2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM: authentication error for testuser from 192.168.168.2

So, I'm looking to match 'sshd' followed by 'error: PAM: authentication error'.

And this for Webmin:

XXX.XXX.XXX.XXX - - [DD/MMM/YYYY:HH:MM:SS +GMT] "POST /session_login.cgi HTTP/X.X" 401 <id>

Example:

192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333

So, here I need to match 'POST /session_login.cgi HTTP' followed by '401'.

Can anyone help me figure out the proper log filter formatting for these?

> On 6 Feb 2018, at 22:01, Palvelin Postmaster via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
>
> The webmin-auth log filter is:
>
> ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
> ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
>
> Sshd log filter:
>
> ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
> ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
> ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
> ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
> ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
> ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
> ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
> ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
> ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
> ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
> ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
> ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
> ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
> ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
>
>> On 5 Feb 2018, at 20:34, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:
>>
>> You should post your jail and filter. fail2ban's filters change from release to release to accommodate changes in the underlying log file (i.e. apache 2.2 vs apache 2.4).
>>
>> Bill
>>
>> On 2/5/2018 9:55 AM, Palvelin Postmaster via Fail2ban-users wrote:
>>> Hi,
>>>
>>> Full disclosure. I'm new to F2B. :)
>>>
>>> I managed to set up 0.10.2 (just upgraded to 0.11) and get it working on macOS High Sierra. My primary match action is to block connections using the adaptive firewall (pf). I'm interested in filter action jails which target attempted abuse of apache/php7, proftpd, sshd, and webmin.
>>>
>>> My main problem is that some of the log filters don't seem to work (on macOS). For example, the sshd and webmin-auth log filters don't match anything. Here's an example of the only log entry which occurs when I try to login to Webmin with false credentials (logging of logins/logouts is enabled in webmin conf):
>>>
>>> XXX.XXX.XXX.XXX - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333
>>>
>>> So, it looks a bit different from the webmin-auth default regexps. Essentially just a HTTP status code 401. Can someone help me construct a properly formatted regexp for it?
>>>
>>> Are there any generic instructions available on how to construct log filter regexps? How about instructions as to what each of the default log filters attempts to filter (or should it be obvious)?

--
Palvelin.fi Hostmaster
postmas...@palvelin.fi
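As an added example (not from the thread or the fail2ban project), here is a stand-alone Python check of two candidate failregex lines against the sample entries quoted above, so a pattern can be tried before it goes into a filter .conf. It expands the `<HOST>` tag with a simplified IPv4-only group (an assumption; fail2ban's real tag also handles IPv6 and hostnames) and spells out the macOS log prefix instead of relying on `%(__prefix_line)s` and fail2ban's datepattern.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption for this
# example; fail2ban's real substitution also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex lines, written as they would appear in a filter .conf.
# The sshd pattern spells out the macOS prefix seen in the thread,
#   "YYYY-MM-DD HH:MM:SS.ffffff+ZZZZ hostname sshd[pid]: ",
# as three whitespace-free tokens; a real filter would use %(__prefix_line)s.
SSHD_FAILREGEX = (
    r"^\S+ \S+ \S+ sshd\[\d+\]: error: PAM: authentication error for \S+ "
    r"from <HOST>\s*$"
)
# Webmin access-log style line: only a 401 on session_login.cgi counts.
WEBMIN_FAILREGEX = (
    r'^<HOST> - - \[[^\]]+\] "POST /session_login\.cgi HTTP/[\d.]+" 401 \d+\s*$'
)


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_host(failregex, line):
    """Return the offending host if the line matches the failregex, else None."""
    m = compile_failregex(failregex).match(line)
    return m.group("host") if m else None


# Constructed sample lines modelled on the entries quoted in the thread.
SSHD_LINE = ("2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: "
             "error: PAM: authentication error for testuser from 192.168.168.2")
WEBMIN_FAIL_LINE = ('192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] '
                    '"POST /session_login.cgi HTTP/1.1" 401 2333')
# A successful login (constructed, non-401) must not be counted as a failure.
WEBMIN_OK_LINE = ('192.168.168.2 - - [04/Feb/2018:23:02:10 +0200] '
                  '"POST /session_login.cgi HTTP/1.1" 302 0')

if __name__ == "__main__":
    for regex, line in [(SSHD_FAILREGEX, SSHD_LINE),
                        (WEBMIN_FAILREGEX, WEBMIN_FAIL_LINE),
                        (WEBMIN_FAILREGEX, WEBMIN_OK_LINE)]:
        print(repr(match_host(regex, line)), "<-", line)
```

fail2ban ships the `fail2ban-regex` tool for the same kind of check against a real log file and filter, which also exercises the date parsing this example skips.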