#40 Wrong <logpath> in action.d/mail-whois-lines.conf

open
None
5
2009-01-27
2009-01-21
Murz
No

I am using fail2ban version 0.8.3-1 on Debian Lenny.
I have a rule in jail.conf:

[apache-lotofpost]
enabled = true
port = http,https
filter = apache-lotofpost
logpath = /home/*/logs/access_log
maxretry = 5
banaction = mail-whois-lines

And in the mail I see this:
Lines containing IP:xx.xx.xx.xx in /dev/null

Why do I see '/dev/null' as the logpath in the action.d script?

Discussion

  • Murz

    Murz - 2009-01-23

    File /etc/fail2ban/filter.d/apache-lotofpost.conf contains:

    [Definition]
    failregex = ^<HOST> - .+"POST\s
    ignoreregex =

  • Cyril Jaquier

    Cyril Jaquier - 2009-01-27

    You need to specify the "logpath" for the mail-whois-lines action. Your jail should look like:

    [apache-lotofpost]
    enabled = true
    port = http,https
    filter = apache-lotofpost
    logpath = /home/*/logs/access_log
    maxretry = 5
    banaction = mail-whois-lines[logpath=/home/*/logs/access_log]

    Hope it works. Regards.

  • Cyril Jaquier

    Cyril Jaquier - 2009-01-27
    • assigned_to: nobody --> lostcontrol
  • Murz

    Murz - 2009-01-28

    It helps, but I see an additional suffix in the mail reports and a bad rule name.
    I added this section to jail.conf, at the end of the file now:
    [apache-lotofpost]
    enabled = true
    port = http,https
    filter = apache-lotofpost
    logpath = /home/*/logs/access_log
    #findtime = 86400
    findtime = 60
    maxretry = 2
    banaction = mail-whois-lines[logpath=/home/*/logs/access_log]

    <end of file>

    But in the email I see:
    Subject: [Fail2Ban] default: banned 92.255.239.62
    --------------
    The IP 92.255.239.62 has just been banned by Fail2Ban after
    2 attempts against default.
    ....
    ....
    ....
    Lines containing IP:92.255.239.62 in /home/*/logs/access_log][name

    Regards,

    Fail2Ban
    --------------
    Where does it get the '][name' suffix for grep? And why is the name of the filter 'default'?

    If I remove '[logpath=/home/*/logs/access_log]' from jail.conf, all works well: the name is set to "apache-lotofpost", but logpath is set to /dev/null.

    I use fail2ban 0.8.3-1 from Debian Lenny at Linux 2.6.26-1-amd64.
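
As an added example (not part of this thread and not fail2ban's own code), a small Python re-creation of the action-string parsing that reproduces exactly the two symptoms reported above. It assumes that jail.conf appends `[name=<jail>]` to the banaction value (as the '][name' suffix in the mail suggests) and that options are split naively on ',' and '='; with only `banaction = mail-whois-lines` the logpath keeps its /dev/null default, while the extra bracket group makes the greedy parse leave logpath as '/home/*/logs/access_log][name' and the name as 'default', and a single bracket group carrying both parameters parses cleanly.

```python
import re

# Simplified reimplementation (assumed, not fail2ban's own code) of how fail2ban
# 0.8 split an action string "name[key=value, key2=value2]": one greedy bracket
# group, commas separate options, "=" separates key from value.
ACTION_RE = re.compile(r"^([\w.\-]+)(?:\[(.*)\])?$")

# Defaults the thread shows for action.d/mail-whois-lines.conf: logpath falls
# back to /dev/null and the action name to "default".
DEFAULTS = {"name": "default", "logpath": "/dev/null"}


def split_action(action):
    """Return (action_name, options) as a naive comma/'=' split produces them."""
    m = ACTION_RE.match(action.strip())
    if m is None:
        raise ValueError("not an action string: %r" % action)
    opts = {}
    if m.group(2):
        for param in m.group(2).split(","):
            parts = param.split("=")
            if len(parts) < 2:
                continue
            opts[parts[0].strip()] = parts[1].strip()  # a second "=" truncates the value
    return m.group(1), opts


def render_action(banaction, jail_name):
    """Assumed jail.conf-style expansion: appends [name=<jail>] to the banaction value."""
    return "%s[name=%s]" % (banaction, jail_name)


def effective_params(banaction, jail_name):
    """Action name plus the parameters the action would actually run with."""
    name, opts = split_action(render_action(banaction, jail_name))
    params = dict(DEFAULTS)
    params.update(opts)
    return name, params


def lint_action(action):
    """Sanity check on a rendered action string; returns a list of problems."""
    problems = []
    if action.count("[") != 1 or action.count("]") != 1:
        problems.append("expected exactly one [..] option group")
    name, opts = split_action(action)
    if name == "mail-whois-lines" and "logpath" not in opts:
        problems.append("logpath not set; mail-whois-lines would grep /dev/null")
    return problems
```

Whatever template builds the final action string, the check worth making is that the rendered string contains exactly one bracket group with both name and logpath in it.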

