Package: logwatch Version: 7.4.1-1 Followup-For: Bug #766901 Please find attached the patch for making logwatch catching again fail2ban reports on bans/unbans. I also pushed corresponding changes (as an NMU) to the collab git repository under tent/fail2ban-0.9 branch. Willi, would you be kind to push them through or bless me for doing so?
-- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
From: Yaroslav Halchenko <deb...@onerussian.com> Subject: Make compatible with Fail2ban 0.9.x series also includes some white-spaces (non-functional) changes to harmonize indentation Forwarded: not yet -- please do! Last-Update: 2014-10-28 --- a/scripts/services/fail2ban +++ b/scripts/services/fail2ban @@ -1,7 +1,14 @@ +#!/usr/bin/perl ########################################################################## -# $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $ +# $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # $Log: fail2ban,v $ +# +# Revision 1.6 2014/08/11 16:07:46 yoh +# Patches from Yaroslav Halchenko to match adjusted in 0.9.x lines. +# Also reports now total number of hits (matches) along with Ban:Unban +# and relaxed regular expressions for matching any log level +# # Revision 1.5 2008/08/18 16:07:46 mike # Patches from Paul Gear <paul at libertysys.com> -mgt # @@ -45,132 +52,150 @@ my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL my $IgnoreHost = $ENV{'sshd_ignore_host'} || ""; my $DebugCounter = 0; my $ReInitializations = 0; -my @IptablesErrors = (); -my @ActionErrors = (); -my $NotValidIP = 0; # reported invalid IPs number +my @ActionsErrors = (); +my @CommandsErrors = (); +my $NotValidIP = 0; # reported invalid IPs number my @OtherList = (); my %ServicesBans = (); if ( $Debug >= 5 ) { - print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n"; - $DebugCounter = 1; + print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n"; + $DebugCounter = 1; } while (defined(my $ThisLine = <STDIN>)) { - if ( $Debug >= 5 ) { - print STDERR "DEBUG($DebugCounter): $ThisLine"; - $DebugCounter++; - } - chomp($ThisLine); - if ( ($ThisLine =~ /..,... DEBUG: /) or - ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban - ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or - ($ThisLine =~ /INFO\s+Log rotation detected for/) or - ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses pyinotify)/) or - ($ThisLine =~ /INFO\s+Changed logging target to/) or - ($ThisLine =~ /INFO\s+Creating new jail/) or - ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban - ($ThisLine =~ /..,... WARNING: Verbose level is /) or - ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or - ($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or - ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or - ($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or - ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/) + if ( $Debug >= 5 ) { + print STDERR "DEBUG($DebugCounter): $ThisLine"; + $DebugCounter++; + } + chomp($ThisLine); + if ( ($ThisLine =~ /..,... DEBUG: /) or + ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban + ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or + ($ThisLine =~ /\S+\s+rollover performed on/) or + ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or + ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or + ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or + ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or + ($ThisLine =~ /\S+\s+Log rotation detected for/) or + ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or + ($ThisLine =~ /\S+\s+Changed logging target to/) or + ($ThisLine =~ /\S+\s+Creating new jail/) or + ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban + ($ThisLine =~ /..,... \S+: Verbose level is /) or + ($ThisLine =~ /..,... \S+: Restoring firewall rules/) ) - { - if ( $Debug >= 6 ) { - print STDERR "DEBUG($DebugCounter): line ignored\n"; - } - } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) { - if ( $Debug >= 6 ) { - print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n"; - } - $ServicesBans{$Service}{$Host}{$Action}++; - $ServicesBans{$Service}{"(all)"}{$Action}++; - } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) { - if ($Debug >= 4) { - print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n"; - } - push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures; - } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) { - $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; - } elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING)\s*\[(.*)\]\s*(\S+)\s*already banned/)) { - $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; - } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) { - $ServicesBans{$Service}{$Host}{'ReBan'}++; - } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) { - push @IptablesErrors, "$ThisLine\n"; - } elsif ($ThisLine =~ /ERROR.*returned \d+$/) { - push @ActionErrors, "$ThisLine\n"; - } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or - ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) { - $ReInitializations++; - } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) { - # just ignore - this will be fixed within fail2ban and is harmless warning - } - else - { - # Report any unmatched entries... - push @OtherList, "$ThisLine\n"; - } + { + if ( $Debug >= 6 ) { + print STDERR "DEBUG($DebugCounter): line ignored\n"; + } + } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) { + if ( $Debug >= 6 ) { + print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n"; + } + $ServicesBans{$Service}{$Host}{$Action}++; + $ServicesBans{$Service}{"(all)"}{$Action}++; + } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) { + if ( $Debug >= 6 ) { + print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n"; + } + $ServicesBans{$Service}{$Host}{"Hit"}++; + $ServicesBans{$Service}{"(all)"}{"Hit"}++; + } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) { + if ($Debug >= 4) { + print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n"; + } + push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures; + } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) { + $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; + } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) { + if ( $Debug >= 6 ) { + print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n"; + } + $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; + } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) { + $ServicesBans{$Service}{$Host}{'ReBan'}++; + } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) { + push @ActionsErrors, "$ThisLine\n"; + } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) { + push @ActionsErrors, "$ThisLine\n"; + } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) { + push @CommandsErrors, "$ThisLine\n"; + } elsif ($ThisLine =~ /ERROR.*returned \d+$/) { + push @ActionsErrors, "$ThisLine\n"; + } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or + ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) { + $ReInitializations++; + } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) { + # just ignore - this will be fixed within fail2ban and is harmless warning + } + else + { + # Report any unmatched entries... + push @OtherList, "$ThisLine\n"; + } } ########################################################### if (keys %ServicesBans) { - printf("\nBanned services with Fail2Ban: Bans:Unbans\n"); + printf("\nBanned services with Fail2Ban: Bans:Unbans:Hits\n"); foreach my $service (sort {$a cmp $b} keys %ServicesBans) { - printf(" %-55s [%3d:%-3d]\n", "$service:", - $ServicesBans{$service}{'(all)'}{'Ban'}, - $ServicesBans{$service}{'(all)'}{'Unban'}); - delete $ServicesBans{$service}{'(all)'}; - my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP); - if ($Detail >= 5) { - foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) { - my $name = LookupIP($ip); - printf(" %-53s %3d:%-3d\n", - $name, - $ServicesBans{$service}{$ip}{'Ban'}, - $ServicesBans{$service}{$ip}{'Unban'}); - if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) { - print " Failed "; - foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) { - print " $fails"; - } - print " times"; - printf("\n %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ; - printf("\n %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ; - print "\n"; - } - } - } + printf(" %-55s [%3d:%d:%-3d]\n", "$service:", + $ServicesBans{$service}{'(all)'}{'Ban'}, + $ServicesBans{$service}{'(all)'}{'Unban'}, + $ServicesBans{$service}{'(all)'}{'Hit'}); + delete $ServicesBans{$service}{'(all)'}; + my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP); + if ($Detail >= 5) { + foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) { + my $name = LookupIP($ip); + printf(" %-53s %3d:%d:%-3d\n", + $name, + $ServicesBans{$service}{$ip}{'Ban'}, + $ServicesBans{$service}{$ip}{'Unban'}, + $ServicesBans{$service}{$ip}{'Hit'}); + if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) { + print " Failed "; + foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) { + print " $fails"; + } + print " times\n"; + } + if ($ServicesBans{$service}{$ip}{'AlreadyInTheList'}>0) { + printf(" %d Duplicate Ban attempt(s)\n", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ; + } + if ($ServicesBans{$service}{$ip}{'ReBan'}>0) { + printf(" %d ReBan(s) due to rules reinitilizations\n", $ServicesBans{$service}{$ip}{'ReBan'}) ; + } + } + } } } - if ($Detail>0) { - if ($#IptablesErrors > 0) { - printf("\n%d faulty iptables invocation(s)", $#IptablesErrors); - if ($Detail > 5) { - print ":\n"; - print @IptablesErrors ; - } + if ($#ActionsErrors >= 0) { + printf("\n%d faulty action invocation(s)", $#ActionsErrors+1); + if ($Detail > 5) { + print ":\n"; + print @ActionsErrors ; + } } - if ($#ActionErrors > 0) { - printf("\n%d error(s) returned from actions", $#ActionErrors); + if ($#CommandsErrors >= 0) { + printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1); if ($Detail > 5) { - print ":\n"; - print @ActionErrors ; + print ":\n"; + print @CommandsErrors ; } } if ($ReInitializations > 0) { - printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations); + printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations); } if ($#OtherList >= 0) { - print "\n**Unmatched Entries**\n"; - print @OtherList; + print "\n**Unmatched Entries**\n"; + print @OtherList; } }