Re: [Fail2ban-users] Regex for username

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,
That's a tricky question…

Le 2014-12-19 13:55, Stephen Colebrook a écrit :
> Hi,
> 
> I’m trying to write a filter to capture a username from log entries
> instead of an IP address. So <HOST> can’t be used. Apparently a python

What exactly do you want to achieve? As far as I know, Fail2ban is 
unable to capture, or act on, anything other than a host.
For the sake of the discussion, I will assume that you would like to ban 
users that fail too often, instead of banning hosts that fail too often.
Fail2ban can't do that in theory. Yet it can sort-of be done.

> regex should work but I can’t find the right syntax for fail2ban-regex
> to catch the log entries I’m after. I have no python experience so
> hopefully someone can help.
> 
> Here’s a sample log entry:
> Dec 18 21:43:30 hostname application[26895]: {core} Login failed:
> ’someuser' (Remote IP: ‘xxx.xxx.xxx.xxx', X-Forwarded-For: ‘')

OK. Be careful, as {} characters have meaning for regular expressions.
First step is to capture the bad logins. I'm still not all that familiar 
with how Fail2ban matches the beginning of the line, but this should be 
fine at least for the end of the line:
\{core\} Login failed: ’(?P<host>\S+)'.*

Now, Fail2ban will think that these are hosts, that you thus capture. So 
it will try to find out the IP. Thus you'll have to devise some mapping. 
I suggest you use an IP range that you have no use for, such as 
10.10.x.x, and create the mapping in /etc/hosts:
10.10.0.1 elisabeth
10.10.0.2 georges
10.10.0.3 edward
10.10.0.4 victoria
and do on…
(Of course, check that the "hosts:" line in /etc/nsswitch.conf begins 
with "files")

Then you need a special action that will deal with the specifics of your 
software. Let's assume that this software is for example sshd. SSH deals 
with user denial using "DenyUsers", and thankfully sshd can be restarted 
with no harm done to the existing connections. The action would thus 
look like this:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
             if grep -q '^DenyUsers' /etc/ssh/sshd_config; then
               sed -r -i.old "s/^(DenyUsers.*)\$/\\1 $banned/" 
/etc/ssh/sshd_config
             else
               echo "DenyUsers $banned" >>/etc/ssh/sshd_config
             fi
actionunban = banned=`awk '/<ip>[[:blank:]]/{print $2}' /etc/hosts`
               sed -r -i.old "/^DenyUsers /s/ $banned( |\$)/\\1/g" 
/etc/ssh/sshd_config
               sed '/^DenyUsers *$/d' /etc/ssh/sshd_config
[Init]

Minus the comments, this is more or less the action file. You may want 
to introduce parameters, for example the path of the file to change. 
This depends on the software and how it manages its users, though.

> 
> I’ve tried the following in my filter without success:
> {core} Login failed: ‘(?P<host>\S+)’
> 
> Any advise for this python rookie?
> 
> Thanks in advance.

Good luck!

Yves.
http://yalis.fr/