From: tobi <to...@br...> - 2014-05-26 20:28:44
Solved as follows:
I saw that I always tested with the wrong action ;-)
After adding the script call to the right action I got "returned 200" errors. After some googling I found that this might indicate a timing problem. So I tried with some sleep time after calling the script in the actionban. That made the errors disappear but still no data in mysql.
So finally I changed the actionban to

actionban = echo <ip> >>/tmp/ip.block
            ipset -! -A OFFENDERS <ip>

and feed the file via cron to the script.

Cheers

On 26.05.2014 20:48, tobi wrote:
> Hello list
>
> I got a problem with my fail2ban installation. Have fail2ban 0.8.6
> running on a debian wheezy. Now I wanted to add an additional action
> which is an external bash script. The script takes one ip as argument
> and writes it to a mysql table. The script itself runs fine when I call
> it from the command line and adds the ip given to the table (I double checked
> that the ip is added).
> So I created the following banaction in my action file
>
> actionban = /root/addIP2PostfixBlock.sh <ip> && ipset -! -A OFFENDERS <ip>
>
> The "weird" thing is that the ipset gets executed and the ip ends up in
> ipset. But nothing in mysql. The script looks like this
>
> #!/bin/bash
>
> [ "x$*" != 'x' ] || exit 1
>
> if [ "x$1" != 'x' ] ; then
>     IP=''
>     IP=$(echo "$1" | sed -rn '/((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])/p')
>     [ "x$IP" = 'x' ] && exit 1
>     sed -r 's/IPADDRESS/'$IP'/g' /root/addIP2PostfixBlock.tpl >/tmp/blockSQL.tmp 2>/dev/null
>     mysql -uMYSQLUSER -pMYSQLPWD -h 192.168.199.213 -P3308 postfix </tmp/blockSQL.tmp 2>/dev/null
>     rm /tmp/blockSQL.tmp >/dev/null 2>&1
>     exit 0
> else
>     exit 1
> fi
>
> Is it possible that fail2ban uses a special "environment" when running
> external bash script?
> The following shows that the second part of the actionban is executed
>
> ipset -D OFFENDERS 173.242.XX.YY
> ipset -T OFFENDERS 173.242.XX.YY
> 173.242.XX.YY is NOT in set OFFENDERS.
> root@log1:~# /etc/init.d/fail2ban restart
> [ ok ] Restarting authentication failure monitor: fail2ban.
> root@log1:~# tail -f /var/log/fail2ban.log
> [...]
> 2014-05-26 20:30:56,359 fail2ban.actions: WARNING [ssh] Ban 173.242.XX.YY
> [...]
> root@log1:~# ipset -T OFFENDERS 173.242.XX.YY
> 173.242.XX.YY is in set OFFENDERS.
>
> Thanks for any idea
>
> tobi
>
> --
> It always seems impossible until it's done.
> (Rolihlahla "Nelson" Mandela 1918-2013)

--
It always seems impossible until it's done.
(Rolihlahla "Nelson" Mandela 1918-2013)
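
One way to write the cron-side consumer for the /tmp/ip.block queue described above. This is an added example, not code from the post. Because the queue sits in world-writable /tmp, every line is treated as untrusted and must be exactly one IPv4 address (an anchored match, unlike the unanchored sed pattern in the quoted script, which passes any argument that merely contains an address). The function names, the --drain switch and the cron wiring in the comments are assumptions; the two paths come from the post.

```bash
#!/bin/bash
# Added example: cron-side consumer for the queue file that actionban appends to.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="^${OCTET}(\\.${OCTET}){3}\$"

# True only if $1 is exactly one dotted-quad IPv4 address and nothing else.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only, no newlines
    printf '%s\n' "$1" | grep -Eq "$IPV4_RE"
}

# Claim the queue with a rename so bans appended from now on go to a fresh
# file, then print each valid address once, in first-seen order.
drain_queue() {
    local queue="$1" batch line
    # Nothing to do for a missing or empty queue; a symlink is never followed.
    if [ -L "$queue" ] || [ ! -s "$queue" ]; then return 0; fi
    batch=$(mktemp "${queue}.XXXXXX") || return 1
    mv -f -- "$queue" "$batch" || { rm -f -- "$batch"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        if is_ipv4 "$line"; then
            printf '%s\n' "$line"
        else
            echo "drain_queue: skipped an invalid entry" >&2
        fi
    done <"$batch" | awk '!seen[$0]++'
    rm -f -- "$batch"
}

# Demo on constructed data (documentation addresses plus two bad lines).
demo() {
    local dir; dir=$(mktemp -d) || return 1
    printf '%s\n' 203.0.113.7 198.51.100.23 203.0.113.7 \
        "192.0.2.1'; DROP TABLE t; --" 256.1.1.1 >"$dir/ip.block"
    drain_queue "$dir/ip.block"
    rm -rf -- "$dir"
}

# Cron use (assumed wiring):
#   this-script --drain /tmp/ip.block | while read -r ip; do
#       /root/addIP2PostfixBlock.sh "$ip"; done
if [ "${1:-}" = "--drain" ]; then drain_queue "${2:-/tmp/ip.block}"; else demo; fi
```

Run without arguments it prints the two valid addresses from the constructed queue and reports the rejected lines on stderr.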