From: Zembower, K. <kze...@jh...> - 2008-03-31 15:05:22
Can anyone tell me why the regex in fail2ban 0.8.2 is failing to identify the messages in my /var/log/secure on my RHEL ES 4 server? I've pasted below some entries that I thought would have matched regexes #1 and #4, along with the output of fail2ban-regex, which reports no match:

-bash-3.00# egrep 'no such user found' /var/log/secure |tail -5
Mar 30 17:41:37 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21
Mar 30 17:41:38 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21
Mar 30 17:41:39 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21

-bash-3.00# egrep 'Maximum login attempts' /var/log/secure |tail -5
Mar 30 17:41:31 www proftpd[26408]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded
Mar 30 17:41:34 www proftpd[26409]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded
Mar 30 17:41:36 www proftpd[26410]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded
Mar 30 17:41:38 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded

-bash-3.00# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file   : /var/log/secure

Results
=======

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
-bash-3.00#

Thanks so much for any suggestions or advice.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139
From: Yaroslav H. <li...@on...> - 2008-03-31 20:31:25
Didn't test, but from looking at:

> Mar 30 17:41:37 www proftpd[26411]: www.jhuccp.org
> (202.144.65.190[202.144.65.190]) - USER guest: no such user found from
                                                                       ^ missing space... thus add it to the regexp below
> 202.144.65.190 [202.144.65.190] to 10.253.192.204:21

> | [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+
> \[[0-9.]+\] to \S+:\S+$

> Mar 30 17:41:31 www proftpd[26408]: www.jhuccp.org
> (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded

> | [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

Not sure why this one fails -- maybe some trailing whitespace? Send it as an attachment, not embedded and wrapped in the mail.

-- 
Keep in touch                    (yoh@|www.)onerussian.com
Yaroslav Halchenko               ICQ#: 60653192
Linux User [175555]
From: Zembower, K. <kze...@jh...> - 2008-03-31 20:59:53
Thanks so much for the hint. ProFTPD is throwing in an extra space at the end of #1 and #4:

-bash-3.00# egrep 'Maximum login attempts' /var/log/secure |tail -5 |cat -vet
Mar 30 17:41:31 www proftpd[26408]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded $
Mar 30 17:41:34 www proftpd[26409]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded $
Mar 30 17:41:36 www proftpd[26410]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded $
Mar 30 17:41:38 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded $
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded $

-bash-3.00# egrep 'no such user found' /var/log/secure |tail -5 |cat -vet
Mar 30 17:41:37 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21 $
Mar 30 17:41:38 www proftpd[26411]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21 $
Mar 30 17:41:39 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21 $
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21 $
Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org (202.144.65.190[202.144.65.190]) - USER guest: no such user found from 202.144.65.190 [202.144.65.190] to 10.253.192.204:21 $
-bash-3.00#

Modified the regex as such:

# NOTE: ProFTPD throws an extra space in at the end.
#failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$

Thanks, again. Will work more on your other email on Wednesday.

-Kevin

-----Original Message-----
From: Yaroslav Halchenko [mailto:li...@on...]
Sent: Monday, March 31, 2008 4:31 PM
To: Zembower, Kevin
Cc: fai...@li...
Subject: Re: [Fail2ban-users] Need help with regex for proftpd
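The trailing-whitespace failure the thread works through, reproduced in Python as an added example (not code from the thread, and not fail2ban's own code). It expands <HOST> with a simplified stand-in for fail2ban's host pattern (an assumption; the real expansion differs between fail2ban versions), runs the original failregex set, Kevin's \s+$ fix, and a more tolerant \s*$ variant over a constructed log modelled on the posted lines, and reports per-pattern counts the way fail2ban-regex does. The 198.51.100.7 line without a trailing blank and the sshd line are constructed to show what each variant does and does not catch; the show_line_ends helper mirrors the cat -vet check from the thread.

```python
import re

# Assumption: a simplified stand-in for the expansion fail2ban performs on
# <HOST> before compiling a failregex; the real pattern has varied by version.
HOST_RE = r"(?P<host>[\w\-.^_]+)"

# The four failregex entries from the thread's filter.d/proftpd.conf.
ORIGINAL_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
]

# Kevin's fix: \s+$ absorbs the trailing space ProFTPD emits on #1 and #4.
FIXED_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$",
]

# Variant with \s*$: also matches a ProFTPD that emits no trailing blank, so
# one filter covers both log shapes instead of silently dropping one of them.
TOLERANT_FAILREGEX = [p.replace(r"\s+$", r"\s*$") for p in FIXED_FAILREGEX]

# Constructed sample log, modelled on the lines posted in the thread.
SAMPLE_LOG = [
    # Trailing space, exactly as the poster's server logs it.
    "Mar 30 17:41:37 www proftpd[26411]: www.jhuccp.org "
    "(202.144.65.190[202.144.65.190]) - USER guest: no such user found from "
    "202.144.65.190 [202.144.65.190] to 10.253.192.204:21 ",
    "Mar 30 17:41:40 www proftpd[26412]: www.jhuccp.org "
    "(202.144.65.190[202.144.65.190]) - Maximum login attempts (3) exceeded ",
    # Same event without the trailing space (constructed host 198.51.100.7).
    "Mar 30 17:41:41 www proftpd[26413]: www.jhuccp.org "
    "(198.51.100.7[198.51.100.7]) - Maximum login attempts (3) exceeded",
    # Unrelated line that must never produce a match.
    "Mar 30 17:42:00 www sshd[26500]: Accepted publickey for kevin from 192.0.2.10 port 51234 ssh2",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex, keeping the file order."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def run_failregex(patterns, lines):
    """Emulate the fail2ban-regex summary: per-pattern match counts plus the
    hosts that would be credited with a failure.

    failregex is applied with re.search, so the syslog prefix (timestamp,
    hostname, pid) never has to appear in the pattern; a line is credited to
    the first pattern that matches it.
    """
    compiled = compile_failregex(patterns)
    counts = [0] * len(compiled)
    hosts = []
    for line in lines:
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                counts[i] += 1
                hosts.append(m.group("host"))
                break
    return counts, hosts


def show_line_ends(line):
    """Render a line the way `cat -vet` does: tabs as ^I and a '$' at end of
    line, so trailing whitespace becomes visible."""
    return line.replace("\t", "^I") + "$"


def report(label, patterns, lines):
    counts, hosts = run_failregex(patterns, lines)
    print(f"{label}:")
    for i, n in enumerate(counts, 1):
        print(f"  [{i}] {n} match(es)")
    print(f"  hosts: {hosts}")


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(show_line_ends(line))
    print()
    report("original failregex", ORIGINAL_FAILREGEX, SAMPLE_LOG)
    report("fixed failregex (\\s+$)", FIXED_FAILREGEX, SAMPLE_LOG)
    report("tolerant failregex (\\s*$)", TOLERANT_FAILREGEX, SAMPLE_LOG)
```

Run as a script it prints the cat -vet view first, then three summaries: the original set matches only the constructed line with no trailing blank, the \s+$ set matches only the lines that do carry one, and the \s*$ set matches all three ProFTPD lines while still ignoring the sshd line. The point for anyone writing filters: anchor with $ only after deciding what the daemon really puts before end of line, and verify with cat -vet (or od -c) rather than by eye.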