Public bug reported:
'actionban' for xarf-attack-login fails with error:
2019-09-01 16:34:29,549 fail2ban.utils [29558]: Level 39 7fb558007060
-- exec: oifs=${IFS}; IFS=.;SEP_IP=( 192.168.1.151 ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
IP=192.168.1.151
[email protected]
SERVICE=sshd
FAILURES=4
[email protected]
TLP=green
PORT=ssh
DATE=`LC_ALL=C date [email protected] +"%a, %d %h %Y %T %z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %b "Subject: abuse report about $IP - $DATE\nAuto-Submitted:
auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type:
multipart/mixed; charset=utf8;\n
boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain;
charset=utf-8;\n\nDear Sir/Madam,\n\nWe have detected abuse from the IP address
$IP, which according to abusix.com is on your network. We would appreciate if
you would investigate and take action as appropriate.\n\nLog lines are given
below, but please ask if you require any further information.\n\n(If you are
not the correct person to contact about this please accept our apologies - your
e-mail address was extracted from the whois record by an automated
process.)\n\n This mail was generated by
Fail2Ban in a X-ARF format! You can find more information about x-arf at
http://www.x-arf.org/specification.html.\n\nThe recipient address of this
report was provided by the Abuse Contact DB by abusix.com. abusix.com does not
maintain the content of the database. All information which we pass out,
derives from the RIR databases and is processed for ease of use. If you want to
change or report non working abuse contacts please contact the appropriate RIR.
If you have any further question, contact abusix.com directly via email
([email protected]). Information about the Abuse Contact Database can be found
here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is
neither responsible nor liable for the content or accuracy of this
message.\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;
name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID:
$REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion:
0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource:
$IP\nPort: $PORT\nSchema-URL:
http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment:
text/plain\nOccurances: $FAILURES\nTLP:
$TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version:
1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8;
name=\"logfile.log\";\n\n";
date '+Note: Local timezone is %z (%Z)';
printf -- %b "\n\n\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--") |
/usr/sbin/sendmail -f [email protected] ${ADDRESSES//,/\" \"}
fi
2019-09-01 16:34:29,551 fail2ban.utils [29558]: ERROR 7fb558007060
-- stderr: '/bin/sh: 1: Syntax error: "(" unexpected'
2019-09-01 16:34:29,552 fail2ban.utils [29558]: ERROR 7fb558007060
-- returned 2
I believe this error is because the action is running under /bin/sh (not bash)
and the convert-to-array construction
SEP_IP=( <ip> ) from action.d/xarf-login-attack is a bash feature not found in
/bin/sh.
Actually, there is no need to add the parentheses; simply
"IFS=.;SEP_IP=<ip>; set -- ${SEP_IP}" works just fine.
(Note that even in bash, setting SEP_IP=( <ip> ) won't work unless you also
change the set statement to something like "set -- ${SEP_IP[@]}".)
Similarly, the construction ${ADDRESSES//,/\" \"} is a bash-only
construction. So, you would need to use something like 'sed' if you want
to do this in /bin/sh.
The following code works for /bin/sh where
actionban = oifs=${IFS}; IFS=.;SEP_IP=<ip>; set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
            IP=<ip>
            FROM=<sender>
            SERVICE=<service>
            FAILURES=<failures>
            REPORTID=<time>@<fq-hostname>
            TLP=<tlp>
            PORT=<port>
            DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
            if [ ! -z "$ADDRESSES" ]; then
                ADDRESSES=`echo ${ADDRESSES} | /bin/sed 's/,/" "/g'`
                (printf -- %%b "<header>\n<message>\n<report>\n\n";
                 date '+Note: Local timezone is %%z (%%Z)';
                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES}
            fi
This would be easier if I could set the bash shell to be used...but I
don't know how to force the shell to bash for this action...
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: fail2ban 0.10.2-2
Uname: Linux 5.2.9-050209-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Sep 1 17:19:58 2019
InstallationDate: Installed on 2019-01-06 (238 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: fail2ban
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.fail2ban.action.d.sendmail-common.conf: [modified]
modified.conffile..etc.fail2ban.action.d.xarf-login-attack.conf: [modified]
modified.conffile..etc.fail2ban.fail2ban.conf: [modified]
modified.conffile..etc.fail2ban.jail.conf: [modified]
mtime.conffile..etc.fail2ban.action.d.sendmail-common.conf:
2019-08-20T13:41:50.086828
mtime.conffile..etc.fail2ban.action.d.xarf-login-attack.conf:
2019-09-01T17:00:26.884347
mtime.conffile..etc.fail2ban.fail2ban.conf: 2019-08-28T21:34:10.964755
mtime.conffile..etc.fail2ban.jail.conf: 2019-09-01T09:12:52.767009
** Affects: fail2ban (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug bionic
https://bugs.launchpad.net/bugs/1842278
Title:
xarf-login-attack actionban requires bash not sh
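Added example, not part of the original report and not fail2ban's own code: the two bash-only constructs discussed above (the SEP_IP array and the ${ADDRESSES//...} substitution) written in POSIX sh. The function names and the example.net addresses are constructed for illustration; the recipient filter is an extra assumption that the DNS answer should be treated as untrusted input before it reaches the mailer's argument list.

```sh
#!/bin/sh
# Hypothetical helpers; each body runs in a subshell, so the IFS and
# 'set -f' changes never leak into the caller ('exit' leaves the subshell).

# Build the reversed-octet query name without a bash array.
abusix_qname() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # digits and single dots only
    esac
    IFS=.
    set -f
    set -- $1                # POSIX word splitting replaces SEP_IP=( ... )
    [ "$#" -eq 4 ] || exit 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || exit 1
    done
    printf '%s.%s.%s.%s.abuse-contacts.abusix.org\n' "$4" "$3" "$2" "$1"
)

# Split dig's quoted, comma-separated TXT answer into one address per line.
# Entries that start with '-' or contain unexpected characters are dropped,
# so the answer cannot add options to the mailer command line.
abuse_recipients() (
    IFS=' ,"
'
    set -f
    for _a in $1; do
        case "$_a" in
            -*|*[!A-Za-z0-9@._+-]*) continue ;;
            ?*@?*.?*) printf '%s\n' "$_a" ;;
        esac
    done
)

# Constructed sample values; no DNS lookup or mail is performed here.
abusix_qname 192.168.1.151
set -- $(abuse_recipients '"abuse@example.net,noc@example.net"')
echo "$# recipients: $*"
```

In an action file, every literal % in these printf formats would be written as %%, as in the reporter's snippet.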