Bug#648021: fail2ban: Logfile in UTC, localtime UTC+1 - no entries found

2013-12-23 Thread Helmut Grohne
On Tue, Nov 08, 2011 at 01:01:23PM +0100, a...@old-forest.org wrote:
> On this (hopefully quite generic) system a log line looks like this:
> Nov  8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fnord
> 
> The time given is in UTC, localtime is UTC+1. Fail2ban seems to interpret the
> time stamp as localtime and given the value of 'findtime' of 600 will never
> find any log entry.
> 
> My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
> A nicer approach would be to make a time offset settable.

I also ran into this issue. A different workaround is

echo 'export TZ=UTC' >> /etc/default/fail2ban

Since it took me quite some time to notice this issue, let me propose
the following extension:

In processLineAndAdd you already (debug) log when a line gets ignored
due to the findtime setting. I propose adding a flag to
processLineAndAdd that indicates whether it was called due to a poll or
during program startup. Since all polling modes either immediately
notice changes or take at most 1 second, this ignoring can (in theory)
never happen during polling. So I suggest emitting a warning in this
case. I believe that a warning is warranted when a poller takes more
than findtime seconds to report new messages.

The advantage is that now fail2ban spams my log when I have
misconfigured it, and chances are that I'll notice.

Helmut


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
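An added example in Python (not fail2ban's code and not from anyone in this thread) that models the findtime check with the polling/startup flag Helmut proposes, and shows the 3600 s skew from the original report that makes a 600 s findtime miss every line. The sample log line, the fixed "now" value and all function names are constructed for the example.

```python
import logging
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the line in the bug report (stamp is in UTC).
SAMPLE_LINE = ("Nov  8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): "
               "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fnord")
UTC = timezone.utc
LOCAL_UTC_PLUS_1 = timezone(timedelta(hours=1))   # the reporter's local zone
# Constructed "now": 22 s after the sample line was written, expressed in UTC.
NOW = datetime(2011, 11, 8, 11, 20, 0, tzinfo=UTC).timestamp()


def parse_syslog_ts(line, year, assumed_tz):
    """Parse the leading 'Mon dd HH:MM:SS' stamp, which carries neither a year
    nor a zone, as a time in assumed_tz and return epoch seconds."""
    naive = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    return naive.replace(tzinfo=assumed_tz).timestamp()


def check_line(line, now, findtime, assumed_tz, polling, year=2011):
    """Model of the findtime check with the proposed 'polling' flag.
    A line older than findtime is ignored; during polling that should be
    impossible, so the ignore is logged as a warning instead of debug."""
    age = now - parse_syslog_ts(line, year, assumed_tz)
    if age > findtime:
        level = logging.WARNING if polling else logging.DEBUG
        logging.log(level, "ignoring line %.0fs old (findtime=%d, tz=%s): "
                    "check the log file's timezone", age, findtime, assumed_tz)
        return {"accepted": False, "age": age, "level": level}
    return {"accepted": True, "age": age, "level": logging.DEBUG}


def timezone_skew(log_tz, daemon_tz):
    """Seconds by which a stamp is misdated when log_tz stamps are read as
    daemon_tz; findtime has to exceed this for the reporter's workaround."""
    delta = daemon_tz.utcoffset(None) - log_tz.utcoffset(None)
    return abs(int(delta.total_seconds()))


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Daemon reads the UTC stamp as local time: the line looks 3622 s old.
    print(check_line(SAMPLE_LINE, NOW, 600, LOCAL_UTC_PLUS_1, polling=True))
    # Daemon told the log is UTC (e.g. TZ=UTC): the line is 22 s old.
    print(check_line(SAMPLE_LINE, NOW, 600, UTC, polling=True))
    print("findtime must exceed", timezone_skew(UTC, LOCAL_UTC_PLUS_1), "s")
```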



Bug#648021: fail2ban: Logfile in UTC, localtime UTC+1 - no entries found

2011-11-09 Thread Arne Wichmann
begin quotation from Yaroslav Halchenko (in 2008125849.gz8...@onerussian.com):
> 
> On Tue, 08 Nov 2011, a...@old-forest.org wrote:
> > My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
> > A nicer approach would be to make a time offset settable.
> 
> hm... i.e. custom time offset per each jail?

Yep. Or for the whole package. But I have not thought that through.

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)




Bug#648021: fail2ban: Logfile in UTC, localtime UTC+1 - no entries found

2011-11-08 Thread aw
Package: fail2ban
Version: 0.8.4-3
Severity: normal

Hi.

On this (hopefully quite generic) system a log line looks like this:
Nov  8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fnord

The time given is in UTC, localtime is UTC+1. Fail2ban seems to interpret the
time stamp as localtime and given the value of 'findtime' of 600 will never
find any log entry.

My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
A nicer approach would be to make a time offset settable.

cu

AW
-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1      Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze6      interactive high-level object-orie
ii  python-central          0.6.16+nmu1           register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                1.4.8-3               administration tools for packet fi
ii  whois                   5.0.10                an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]       8.1.2-0.20100314cvs-1 simple mail user agent
pn  python-gamin            <none>                (no description available)

-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex = 

/etc/fail2ban/jail.conf changed:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 31536
maxretry = 3
backend = polling
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
            %(mta)s-whois[name=%(__name__)s, dest=%(destemail)s, protocol=%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

action = %(action_)s
[ssh]
enabled = true
port= ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
findtime = 4200
[pam-generic]
enabled = false
filter  = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath  = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled   = false
filter= xinetd-fail
port  = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2
[ssh-ddos]
enabled = false
port= ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
[apache]
enabled = false
port= http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled   = false
port  = http,https
filter= apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6
[apache-noscript]
enabled = false
port= http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port= http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled  = false
port = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled  = false
port = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled  = false
port = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6
[postfix]
enabled  = false
port = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
[couriersmtp]
enabled  = false
port = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
[courierauth]
enabled  = false
port = 

Bug#648021: fail2ban: Logfile in UTC, localtime UTC+1 - no entries found

2011-11-08 Thread Yaroslav Halchenko

On Tue, 08 Nov 2011, a...@old-forest.org wrote:
> My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly.
> A nicer approach would be to make a time offset settable.

hm... i.e. custom time offset per each jail?

-- 
=--=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic


