From: Rarig, H. <hr...@so...> - 2007-03-05 14:56:15
Dave,

Try this REGEX change in /usr/share/fail2ban/server/datedetector.py (well, at least it worked for me on March 3!):

[mojo@birch server]$ pwd
/usr/share/fail2ban/server
[mojo@birch server]$
[mojo@birch server]$ diff datedetector.py.orig datedetector.py
54c54
< template.setRegex("\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}")
---
> template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")
[mojo@birch server]$

Harry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notes from my README.fail2ban install...

# How to test fail2ban regex matches
[root@birch filter.d]# tail -4 /var/log/vsftpd.log > /tmp/foo.log
[root@birch filter.d]# fail2ban-regex /tmp/foo.log vsftpd.conf

Running tests
=============

Use regex file : vsftpd.conf
Use log file   : /tmp/foo.log

Found a match but no valid date/time found for Sat Mar 3 09:54:23 2007 [pid 14186] [mojo] FAIL LOGIN: Client "72.9.234.170" . Please contact the author in order to get support for this format
Found a match but no valid date/time found for Sat Mar 3 09:54:34 2007 [pid 14189] [foobar] FAIL LOGIN: Client "72.9.234.170" . Please contact the author in order to get support for this format

Results
=======

Failregex:
[1] vsftpd: .* authentication failure; .* rhost=<HOST>$
[2] \[.+\] FAIL LOGIN: Client "<HOST>"$

Number of matches:
[1] 0 match(es)
[2] 0 match(es)

Sorry, no match

Look at the above section 'Running tests' which could contain important information.
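Review bot: in the 54c54 hunk the replacement pattern is still passed as an ordinary string literal, so `\S`, `\s` and `\d` only reach the regex engine because Python leaves unknown escape sequences untouched; writing it as a raw string, `template.setRegex(r"\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")`, states the intent and avoids the invalid-escape warning newer interpreters emit for `"\S"` and `"\d"`. The substantive change, `\s{1,2}\d{1,2}` in place of ` \d{2}` for the day field, is what lets the template accept the single-digit day ("Sat Mar 3 09:54:23 2007") that the 'Running tests' output above shows being rejected, while a two-digit day still matches.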
[root@birch filter.d]#

# Fixes to deal with missing prepended 0 in /var/log/vsftpd.log
Sat Mar 3 13:25:17 2007 [pid 15757] CONNECT: Client "72.9.234.170"
Sat Mar 3 13:25:26 2007 [pid 15756] [mojo] FAIL LOGIN: Client "72.9.234.170"

[root@birch server]# diff datedetector.py.orig datedetector.py
54c54
< template.setRegex("\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}")
---
> template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")
[root@birch server]#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Dave Dewey
Sent: Sunday, March 04, 2007 4:47 PM
To: fai...@li...
Subject: [Fail2ban-users] vsftpd date parsing error

Hello;

I'm new to fail2ban, but believe I have it configured correctly. My server is getting hammered by brute force attacks and this looks like a great solution. Ssh, httpd and postfix appear to work fine. I'm having an issue with the most important service to me, though - vsftpd. When I run the fail2ban-regex against my logfile I get the following output (IPs replaced for privacy):

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/vsftpd.conf
Use log file   : /var/log/vsftpd.log

Found a match but no valid date/time found for Sat Mar 3 16:14:42 2007 [pid 15087] [anonymous] FAIL LOGIN: Client "x.x.x.x" . Please contact the author in order to get support for this format
Found a match but no valid date/time found for Sat Mar 3 16:14:42 2007 [pid 15101] [anonymous] FAIL LOGIN: Client "x.x.x.x" . Please contact the author in order to get support for this format
Found a match but no valid date/time found for Sun Mar 4 08:38:04 2007 [pid 6890] [anonymous] FAIL LOGIN: Client "x.x.x.x" . Please contact the author in order to get support for this format
Found a match but no valid date/time found for Sun Mar 4 08:38:05 2007 [pid 6892] [anonymous] FAIL LOGIN: Client "x.x.x.x" .
Please contact the author in order to get support for this format

Here are snips from the logfile itself:

Sat Mar 3 16:14:42 2007 [pid 15088] CONNECT: Client "x.x.x.x"
Sat Mar 3 16:14:42 2007 [pid 15087] [anonymous] FAIL LOGIN: Client "x.x.x.x"

Entry from jail.conf:

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=vsftpd, port=ftp, protocol=tcp]
           mail-whois[name=vsftpd, dest=...@cy...]
logpath  = /var/log/vsftpd.log
maxretry = 6

The filter file is unchanged from the distribution:

failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
            \[.+\] FAIL LOGIN: Client "<HOST>"$

Anyone have any ideas? Thanks for the help, and for what looks like a great program!

Also, anyone written anything for dovecot? My dovecot server had 74,000 invalid brute-force attempts yesterday from the same IP, sheesh. If not I'll hack something up.

dave

_______________________________________________
Fail2ban-users mailing list
Fai...@li...
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
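The failure Dave reports and the regex change Harry posts can be reproduced outside fail2ban. The following is an added Python example written for this page, not fail2ban's own code: it runs the original and the replacement date template regex from the diff over a few constructed vsftpd-style lines and mimics what fail2ban-regex does when the failregex matches but the date template does not. Assumptions are labelled in the comments: the sample lines are constructed (addresses from the 192.0.2.0/24 documentation range, not the ones in the thread), the day is padded with a second space as C asctime() does for days 1-9, the failregex is the thread's second pattern with `<HOST>` replaced by a named group, and the strptime format is the one this example uses to turn a matched date into an epoch.

```python
import re
import time
import calendar

# Original template regex, as shown on the "<" side of the 54c54 hunk:
# the day must be exactly two digits preceded by exactly one space.
OLD_DATE_RE = re.compile(r"\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}")

# Replacement from the ">" side of the hunk: one or two whitespace
# characters, then a one- or two-digit day.
NEW_DATE_RE = re.compile(r"\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")

# Second failregex from the thread's vsftpd.conf, with <HOST> expanded to a
# capture group (assumption: this is how fail2ban substitutes <HOST>).
FAIL_RE = re.compile(r'\[.+\] FAIL LOGIN: Client "(?P<host>[^"]+)"$')

# Constructed sample log in vsftpd's asctime-style format. The single-digit
# day carries the extra padding space asctime() emits ("Mar  3").
SAMPLE_LOG = """\
Sat Mar  3 09:54:23 2007 [pid 14186] [mojo] FAIL LOGIN: Client "192.0.2.10"
Sat Mar  3 09:54:34 2007 [pid 14189] [foobar] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 13 16:14:42 2007 [pid 15087] [anonymous] FAIL LOGIN: Client "192.0.2.20"
Tue Mar 13 16:14:42 2007 [pid 15088] CONNECT: Client "192.0.2.20"
"""

# Assumed strptime layout for the matched date; %d accepts "3", " 3" and
# "03", so the same format serves both the padded and unpadded forms.
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def find_date(line, date_re):
    """Return the date string the template regex locates in a line, or None
    when the template cannot find one (fail2ban's 'no valid date/time')."""
    m = date_re.search(line)
    return m.group(0) if m else None


def parse_date(date_str):
    """Convert a matched asctime-style date to a UTC epoch value."""
    return calendar.timegm(time.strptime(date_str, DATE_FMT))


def scan(log_text, date_re):
    """Mimic fail2ban-regex: for every line the failregex matches, either
    record (epoch, host) or, if the date template fails, record the line as
    a match with no usable timestamp."""
    matched, no_date = [], []
    for line in log_text.splitlines():
        fm = FAIL_RE.search(line)
        if not fm:
            continue  # CONNECT lines and other noise are not failures
        date_str = find_date(line, date_re)
        if date_str is None:
            no_date.append(line)
        else:
            matched.append((parse_date(date_str), fm.group("host")))
    return matched, no_date


if __name__ == "__main__":
    for label, date_re in (("original", OLD_DATE_RE), ("replacement", NEW_DATE_RE)):
        hits, misses = scan(SAMPLE_LOG, date_re)
        print("%s template: %d usable match(es), %d with no valid date"
              % (label, len(hits), len(misses)))
        for line in misses:
            print("  no date:", line)
```

With the original template the two "Mar  3" failures are exactly the lines fail2ban-regex reports as "Found a match but no valid date/time", so they would never count toward maxretry; with the replacement all three FAIL LOGIN lines yield a timestamp and a host, and the CONNECT line is ignored as it should be.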