From: Yves <f2...@ya...> - 2014-12-19 13:46:01
Hi,

That's a tricky question…

On 2014-12-19 13:55, Stephen Colebrook wrote:
> Hi,
>
> I'm trying to write a filter to capture a username from log entries
> instead of an IP address. So <HOST> can't be used. Apparently a python

What exactly do you want to achieve? As far as I know, Fail2ban is unable to capture, or act on, anything other than a host.

For the sake of the discussion, I will assume that you would like to ban users that fail too often, instead of banning hosts that fail too often. Fail2ban can't do that in theory. Yet it can sort-of be done.

> regex should work but I can't find the right syntax for fail2ban-regex
> to catch the log entries I'm after. I have no python experience so
> hopefully someone can help.
>
> Here's a sample log entry:
> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
> 'someuser' (Remote IP: 'xxx.xxx.xxx.xxx', X-Forwarded-For: '')

OK. Be careful, as {} characters have meaning for regular expressions.

First step is to capture the bad logins. I'm still not all that familiar with how Fail2ban matches the beginning of the line, but this should be fine at least for the end of the line:

    \{core\} Login failed: '(?P<host>\S+)'.*

Now, Fail2ban will think that these are hosts, that you thus capture. So it will try to find out the IP. Thus you'll have to devise some mapping. I suggest you use an IP range that you have no use for, such as 10.10.x.x, and create the mapping in /etc/hosts:

    10.10.0.1 elisabeth
    10.10.0.2 georges
    10.10.0.3 edward
    10.10.0.4 victoria

and so on… (Of course, check that the "hosts:" line in /etc/nsswitch.conf begins with "files".)

Then you need a special action that will deal with the specifics of your software. Let's assume that this software is for example sshd. SSH deals with user denial using "DenyUsers", and thankfully sshd can be restarted with no harm done to the existing connections.
The action would thus look like this:

    [Definition]

    actionstart =

    actionstop =

    actioncheck =

    # Map the fake IP Fail2ban hands back as <ip> to the user name via
    # /etc/hosts, then append that user to the DenyUsers line (creating
    # the line if it does not exist yet). sshd must be reloaded afterwards
    # for the new DenyUsers line to take effect.
    actionban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
                if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
                  sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" /etc/ssh/sshd_config
                else
                  echo "DenyUsers $banned" >>/etc/ssh/sshd_config
                fi

    # Remove the user from the DenyUsers line again, then drop the line
    # altogether once it is empty (both edits are made in place).
    actionunban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
                  sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" /etc/ssh/sshd_config
                  sed -i.old '/^DenyUsers *$/d' /etc/ssh/sshd_config

    [Init]

Minus the comments, this is more or less the action file. You may want to introduce parameters, for example the path of the file to change. This depends on the software and how it manages its users, though.

> I've tried the following in my filter without success:
> {core} Login failed: '(?P<host>\S+)'
>
> Any advice for this python rookie?
>
> Thanks in advance.

Good luck!

Yves.
http://yalis.fr/
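The ban/unban steps of the action above as stand-alone shell functions, added here as an example that is not part of Yves's mail: the hosts file, the sshd_config path and the user name are assumed to be passed as arguments so the logic can be exercised on constructed copies instead of the real /etc files.

```shell
#!/bin/sh
# Added example (not Yves's action file): the ban/unban logic as shell
# functions taking the hosts file, sshd_config path and user name as
# arguments, so it can be exercised on constructed copies of both files.

# Resolve the fake IP Fail2ban passes as <ip> back to a user name.
user_for_ip() {  # $1 = hosts file, $2 = fake IP
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}
# Print the users on the DenyUsers line (nothing if there is none).
denied_users() {  # $1 = sshd_config
    sed -n 's/^DenyUsers *//p' "$1"
}

# Succeed when the user is already listed in DenyUsers.
is_denied() {  # $1 = sshd_config, $2 = user
    denied_users "$1" | tr ' ' '\n' | grep -qxF "$2"
}

# Ban: append the user to DenyUsers, creating the line if needed and
# never adding the same user twice.
deny_user() {  # $1 = sshd_config, $2 = user
    if is_denied "$1" "$2"; then
        return 0
    fi
    if grep -q '^DenyUsers' "$1"; then
        sed -E -i.old "s/^(DenyUsers.*)\$/\\1 $2/" "$1"
    else
        printf 'DenyUsers %s\n' "$2" >> "$1"
    fi
}

# Unban: strip the user from DenyUsers, then drop the line once empty.
allow_user() {  # $1 = sshd_config, $2 = user
    sed -E -i.old "/^DenyUsers /s/ $2( |\$)/\\1/g" "$1"
    sed -i.old '/^DenyUsers *$/d' "$1"
}

# Demo on constructed files in a scratch directory (not the real /etc).
demo() {
    d=$(mktemp -d)
    printf '10.10.0.1 elisabeth\n10.10.0.2 georges\n' > "$d/hosts"
    printf 'Port 22\n' > "$d/sshd_config"
    u=$(user_for_ip "$d/hosts" 10.10.0.2)
    deny_user "$d/sshd_config" "$u"
    echo "banned: $(denied_users "$d/sshd_config")"
    allow_user "$d/sshd_config" "$u"
    rm -rf "$d"
}
demo
```

Inside a real action, actionban would call user_for_ip with the <ip> tag and deny_user, actionunban allow_user, and sshd would be reloaded after each change, as the mail notes.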