Package: logwatch
Version: 7.4.1-1
Followup-For: Bug #766901

Please find attached the patch that makes logwatch catch fail2ban reports on
bans/unbans again.  I also pushed the corresponding changes (as an NMU) to the
collab git repository under the tent/fail2ban-0.9 branch.  Willi, would you be
so kind as to push them through, or bless me to do so?

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
From: Yaroslav Halchenko <deb...@onerussian.com>
Subject: Make compatible with Fail2ban 0.9.x series

also includes some white-spaces (non-functional) changes to harmonize
indentation

Forwarded:   not yet -- please do!
Last-Update: 2014-10-28

--- a/scripts/services/fail2ban
+++ b/scripts/services/fail2ban
@@ -1,7 +1,14 @@
+#!/usr/bin/perl
 ##########################################################################
-# $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $
+# $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $
 ##########################################################################
 # $Log: fail2ban,v $
+#
+# Revision 1.6  2014/08/11 16:07:46  yoh
+# Patches from Yaroslav Halchenko to match adjusted in 0.9.x lines.
+# Also reports now total number of hits (matches) along with Ban:Unban
+# and relaxed regular expressions for matching any log level
+#
 # Revision 1.5  2008/08/18 16:07:46  mike
 # Patches from Paul Gear <paul at libertysys.com> -mgt
 #
@@ -45,132 +52,150 @@ my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL
 my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
 my $DebugCounter = 0;
 my $ReInitializations = 0;
-my @IptablesErrors = ();
-my @ActionErrors = ();
-my $NotValidIP = 0;		# reported invalid IPs number
+my @ActionsErrors = ();
+my @CommandsErrors = ();
+my $NotValidIP = 0;             # reported invalid IPs number
 my @OtherList = ();
 
 my %ServicesBans = ();
 
 if ( $Debug >= 5 ) {
-	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
-	$DebugCounter = 1;
+   print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
+   $DebugCounter = 1;
 }
 
 while (defined(my $ThisLine = <STDIN>)) {
-    if ( $Debug >= 5 ) {
-	print STDERR "DEBUG($DebugCounter): $ThisLine";
-	$DebugCounter++;
-    }
-    chomp($ThisLine);
-    if ( ($ThisLine =~ /..,... DEBUG: /) or
-	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
-	 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
-	 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses pyinotify)/) or
-	 ($ThisLine =~ /INFO\s+Changed logging target to/) or
-	 ($ThisLine =~ /INFO\s+Creating new jail/) or
-	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
-	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
-	 ($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or
-	 ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
-	 ($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or
-	 ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/)
+   if ( $Debug >= 5 ) {
+      print STDERR "DEBUG($DebugCounter): $ThisLine";
+      $DebugCounter++;
+   }
+   chomp($ThisLine);
+   if ( ($ThisLine =~ /..,... DEBUG: /) or
+        ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
+        ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
+        ($ThisLine =~ /\S+\s+rollover performed on/) or
+        ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or
+        ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or
+        ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or
+        ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or
+        ($ThisLine =~ /\S+\s+Log rotation detected for/) or
+        ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or
+        ($ThisLine =~ /\S+\s+Changed logging target to/) or
+        ($ThisLine =~ /\S+\s+Creating new jail/) or
+        ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
+        ($ThisLine =~ /..,... \S+: Verbose level is /) or
+        ($ThisLine =~ /..,... \S+: Restoring firewall rules/)
        )
-    {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): line ignored\n";
-	}
-    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
-	}
-	$ServicesBans{$Service}{$Host}{$Action}++;
-	$ServicesBans{$Service}{"(all)"}{$Action}++;
-    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
-	if ($Debug >= 4) {
-	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
-	}
-	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
-   	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING)\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
-       $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
-	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
-    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
-	    push @IptablesErrors, "$ThisLine\n";
-    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
-       push @ActionErrors, "$ThisLine\n";
-    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
-	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
-	    $ReInitializations++;
-    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
-	# just ignore - this will be fixed within fail2ban and is harmless warning
-    }
-    else
-    {
-	# Report any unmatched entries...
-	push @OtherList, "$ThisLine\n";
-    }
+   {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): line ignored\n";
+      }
+   } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
+      }
+      $ServicesBans{$Service}{$Host}{$Action}++;
+      $ServicesBans{$Service}{"(all)"}{$Action}++;
+   } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n";
+      }
+      $ServicesBans{$Service}{$Host}{"Hit"}++;
+      $ServicesBans{$Service}{"(all)"}{"Hit"}++;
+   } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
+      if ($Debug >= 4) {
+         print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
+      }
+      push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) {
+      $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n";
+      }
+      $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) {
+      $ServicesBans{$Service}{$Host}{'ReBan'}++;
+   } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) {
+      push @CommandsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
+            ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
+      $ReInitializations++;
+   } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
+      # just ignore - this will be fixed within fail2ban and is harmless warning
+   }
+   else
+   {
+      # Report any unmatched entries...
+      push @OtherList, "$ThisLine\n";
+   }
 }
 
 ###########################################################
 
 
 if (keys %ServicesBans) {
-    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
+    printf("\nBanned services with Fail2Ban:				 Bans:Unbans:Hits\n");
     foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
-	printf("   %-55s [%3d:%-3d]\n", "$service:",
-	       $ServicesBans{$service}{'(all)'}{'Ban'},
-	       $ServicesBans{$service}{'(all)'}{'Unban'});
-	delete $ServicesBans{$service}{'(all)'};
-	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
-	if ($Detail >= 5) {
-	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
-		   my $name = LookupIP($ip);
-		   printf("      %-53s %3d:%-3d\n",
-		       $name,
-		       $ServicesBans{$service}{$ip}{'Ban'},
-		       $ServicesBans{$service}{$ip}{'Unban'});
-		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
-		      print "	   Failed ";
-		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
-			      print " $fails";
-		      }
-		    print " times";
-		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
-		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
-		    print "\n";
-		   }
-	    }
-	   }
+        printf("  %-55s [%3d:%d:%-3d]\n", "$service:",
+               $ServicesBans{$service}{'(all)'}{'Ban'},
+               $ServicesBans{$service}{'(all)'}{'Unban'},
+               $ServicesBans{$service}{'(all)'}{'Hit'});
+        delete $ServicesBans{$service}{'(all)'};
+        my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
+        if ($Detail >= 5) {
+            foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
+               my $name = LookupIP($ip);
+               printf("    %-53s %3d:%d:%-3d\n",
+                      $name,
+                      $ServicesBans{$service}{$ip}{'Ban'},
+                      $ServicesBans{$service}{$ip}{'Unban'},
+                      $ServicesBans{$service}{$ip}{'Hit'});
+               if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
+                  print "      Failed ";
+                  foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
+                     print " $fails";
+                  }
+                  print " times\n";
+               }
+               if ($ServicesBans{$service}{$ip}{'AlreadyInTheList'}>0) {
+                  printf("      %d Duplicate Ban attempt(s)\n", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
+               }
+               if ($ServicesBans{$service}{$ip}{'ReBan'}>0) {
+                  printf("      %d ReBan(s) due to rules reinitilizations\n", $ServicesBans{$service}{$ip}{'ReBan'}) ;
+               }
+            }
+        }
     }
 }
 
-
 if ($Detail>0) {
-    if ($#IptablesErrors > 0) {
-	   printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
-	   if ($Detail > 5) {
-	    print ":\n";
-	    print @IptablesErrors ;
-	   }
+    if ($#ActionsErrors >= 0) {
+       printf("\n%d faulty action invocation(s)", $#ActionsErrors+1);
+       if ($Detail > 5) {
+          print ":\n";
+          print @ActionsErrors ;
+       }
     }
-    if ($#ActionErrors > 0) {
-       printf("\n%d error(s) returned from actions", $#ActionErrors);
+    if ($#CommandsErrors >= 0) {
+       printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1);
        if ($Detail > 5) {
-           print ":\n";
-           print @ActionErrors ;
+          print ":\n";
+          print @CommandsErrors ;
        }
     }
     if ($ReInitializations > 0) {
-	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
+       printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
     }
     if ($#OtherList >= 0) {
-	   print "\n**Unmatched Entries**\n";
-	   print @OtherList;
+       print "\n**Unmatched Entries**\n";
+       print @OtherList;
     }
 }
 
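Review bot: The ignore list at the top of the `if`/`elsif` chain now matches on `\S+\s+` instead of `INFO\s+`, so a WARNING or ERROR line that merely contains one of these phrases (for example `/\S+\s+Jail.+(?:stopped|started|uses poller)/` or `/\S+\s+Jail '.*' uses .*/`) is discarded before the Ban, error and unmatched branches ever see it. For a report whose job is to surface anomalies it is safer to let an unexpected level fall through to `**Unmatched Entries**`; assuming 0.9.x still logs these messages at INFO or NOTICE, pin the level with a non-capturing group, e.g. `($ThisLine =~ /(?:INFO|NOTICE)\s+Jail.+(?:stopped|started|uses poller)/) or`. The new `Found` branch also stores every source address that produced a match in `%ServicesBans`, so at `$Detail >= 5` the per-IP loop and its `LookupIP($ip)` call now scale with attack traffic rather than with bans; consider listing only addresses that have a `Ban` or `Unban` count. `$LogLevel` is captured in both new patterns but never used, so `(?:WARNING|NOTICE)` and `(?:INFO|WARNING|NOTICE)` would do.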
