From: Tony C. <to...@ev...> - 2016-05-31 15:10:54

Hi Christophe - I might be missing something here, but I cannot see an 'action' defined for the SSH rule

Tony Collins

On 31 May 2016 at 14:57, Christophe Millon <chr...@et...> wrote:
> sorry the configuration file is sshd.conf, and it matches the right
> addresses, here is the test :
>
> [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: \[preauth\]\s*$
>
> [11] 68 match(es)
>
> Here is the jail configuration:
>
> ignore ip = x.x.x.x
> bantime = 432000
> maxretry = 3
> findtime = 21600
>
> [ssh]
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 3
>
> And here is the fail2ban.log when I restart the service:
>
> fail2ban.jail : INFO Jail 'ssh' stopped
> 2016-05-30 09:06:22,866 fail2ban.server : INFO Exiting Fail2ban
> 2016-05-30 09:06:23,202 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
> 2016-05-30 09:06:23,203 fail2ban.jail : INFO Creating new jail 'ssh'
> 2016-05-30 09:06:23,203 fail2ban.jail : INFO Jail 'ssh' uses poller
> 2016-05-30 09:06:23,219 fail2ban.filter : INFO Added logfile = /var/log/auth.log
> 2016-05-30 09:06:23,219 fail2ban.filter : INFO Set maxRetry = 3
> 2016-05-30 09:06:23,220 fail2ban.filter : INFO Set findtime = 21600
> 2016-05-30 09:06:23,221 fail2ban.actions: INFO Set banTime = 432000
> 2016-05-30 09:06:23,254 fail2ban.jail : INFO Jail 'ssh' started
>
> thanks,
>
> Christophe
> ________________________________________
> From: Tom Hendrikx <to...@wh...>
> Sent: Tuesday 31 May 2016 13:47:09
> To: fai...@li...
> Subject: Re: [Fail2ban-users] fail2ban doesn't ban
>
> On 31-05-16 11:17, Christophe Millon wrote:
> > I have this line in my configuration file
> > /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> > from <HOST>: 11: \[preauth\]\s*$
>
> Is this filename 'shd.conf' correct? Does that match your jail config?
> Can you show us your jail.conf, and the logging that a restart of
> fail2ban produces with the config?
>
> Regards,
> Tom
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

From: Tund3r <tu...@gm...> - 2016-05-31 14:56:25

Hi, is it possible, or will it be in the future, to set different timeframes for the same jail? For the smtp, for example, I would like to filter and ban if there are 3 attempts in 5 minutes, and I also want to filter the ones that bruteforce the server making 5/6 attempts per hour, banning them for a week. There are servers that keep trying every 10 minutes just to avoid these traps and I would like to filter them without having to create 2 or 3 jails for every kind of bruteforce or dos.

Thank you

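The request above, two failure budgets over two windows applied to one stream of events, is a sliding-window counting problem. The following is an added illustration written for this page, not fail2ban's own code or a feature it offers: it replays constructed failure lines against a list of (maxretry, findtime, bantime) tiers, so that a fast burst trips the short window and a slow, spaced-out brute force trips the long one with the longer ban. The tier figures are taken from the post; the log format, the addresses and the tier names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not fail2ban code: one watcher that applies several
# (maxretry, findtime, bantime) tiers to the same failure stream.

# Tiers constructed from the figures in the post: 3 failures within 5 minutes,
# or 5 failures within an hour with a one-week ban for the slow attacker.
TIERS = [
    {"name": "burst", "maxretry": 3, "findtime": 5 * 60, "bantime": 60 * 60},
    {"name": "slow", "maxretry": 5, "findtime": 60 * 60, "bantime": 7 * 24 * 3600},
]

# Constructed log lines (simplified sshd-style failures, documentation addresses).
# 203.0.113.5 fails three times inside a minute; 198.51.100.9 fails every 10 minutes.
SAMPLE_LOG = """\
2016-05-31 09:00:00 Failed password for root from 203.0.113.5
2016-05-31 09:00:00 Failed password for admin from 198.51.100.9
2016-05-31 09:00:20 Failed password for root from 203.0.113.5
2016-05-31 09:00:45 Failed password for root from 203.0.113.5
2016-05-31 09:10:00 Failed password for admin from 198.51.100.9
2016-05-31 09:20:00 Failed password for admin from 198.51.100.9
2016-05-31 09:30:00 Failed password for admin from 198.51.100.9
2016-05-31 09:40:00 Failed password for admin from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Failed password for \S+ from (\S+)$"
)


def parse_log(text):
    """Return (timestamp, ip) failure events in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    events.sort(key=lambda e: e[0])
    return events


def evaluate(events, tiers=TIERS):
    """Replay events against every tier. Returns [(ip, tier name, ban_until), ...]."""
    longest = max(t["findtime"] for t in tiers)
    history = defaultdict(deque)   # ip -> failure timestamps inside the longest window
    banned_until = {}
    bans = []
    for ts, ip in events:
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already banned: nothing more to count
        window = history[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > longest:
            window.popleft()        # drop failures older than the longest findtime
        for tier in tiers:          # first tier whose threshold is reached wins
            since = ts - timedelta(seconds=tier["findtime"])
            if sum(1 for t in window if t >= since) >= tier["maxretry"]:
                until = ts + timedelta(seconds=tier["bantime"])
                banned_until[ip] = until
                bans.append((ip, tier["name"], until))
                window.clear()      # start counting afresh once the ban expires
                break
    return bans


if __name__ == "__main__":
    for ip, tier, until in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{ip} banned by tier '{tier}' until {until.isoformat()}")
```

Only the longest findtime decides how much history is kept per address; each tier then counts the portion of that history inside its own window, so adding a tier costs nothing beyond one more pass over a short deque.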
From: Christophe M. <chr...@et...> - 2016-05-31 13:57:29

sorry the configuration file is sshd.conf, and it matches the right addresses, here is the test :

[11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: \[preauth\]\s*$

[11] 68 match(es)

Here is the jail configuration:

ignore ip = x.x.x.x
bantime = 432000
maxretry = 3
findtime = 21600

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

And here is the fail2ban.log when I restart the service:

fail2ban.jail : INFO Jail 'ssh' stopped
2016-05-30 09:06:22,866 fail2ban.server : INFO Exiting Fail2ban
2016-05-30 09:06:23,202 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2016-05-30 09:06:23,203 fail2ban.jail : INFO Creating new jail 'ssh'
2016-05-30 09:06:23,203 fail2ban.jail : INFO Jail 'ssh' uses poller
2016-05-30 09:06:23,219 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2016-05-30 09:06:23,219 fail2ban.filter : INFO Set maxRetry = 3
2016-05-30 09:06:23,220 fail2ban.filter : INFO Set findtime = 21600
2016-05-30 09:06:23,221 fail2ban.actions: INFO Set banTime = 432000
2016-05-30 09:06:23,254 fail2ban.jail : INFO Jail 'ssh' started

thanks,

Christophe
________________________________________
From: Tom Hendrikx <to...@wh...>
Sent: Tuesday 31 May 2016 13:47:09
To: fai...@li...
Subject: Re: [Fail2ban-users] fail2ban doesn't ban

On 31-05-16 11:17, Christophe Millon wrote:
> I have this line in my configuration file
> /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> from <HOST>: 11: \[preauth\]\s*$

Is this filename 'shd.conf' correct? Does that match your jail config?
Can you show us your jail.conf, and the logging that a restart of fail2ban produces with the config?

Regards,
Tom

From: Tom H. <to...@wh...> - 2016-05-31 12:06:11

On 31-05-16 11:17, Christophe Millon wrote:
> I have this line in my configuration file
> /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> from <HOST>: 11: \[preauth\]\s*$

Is this filename 'shd.conf' correct? Does that match your jail config?
Can you show us your jail.conf, and the logging that a restart of fail2ban produces with the config?

Regards,
Tom

From: Christophe M. <chr...@et...> - 2016-05-31 09:50:44

Hi,

I have again this in my logwatch :

Received disconnect: 11: [preauth]
   221.229.162.7 : 6 Time(s)
   221.229.166.101 : 3 Time(s)
   58.218.199.96 : 1 Time(s)
   58.218.204.107 : 1 Time(s)
   58.218.204.211 : 4 Time(s)
   58.218.204.215 : 5 Time(s)
   58.218.204.23 : 6 Time(s)
   58.218.204.80 : 2 Time(s)
   58.218.211.17 : 4 Time(s)

I have this line in my configuration file /etc/fail2ban/filter.d/shd.conf :

^%(__prefix_line)sReceived disconnect from <HOST>: 11: \[preauth\]\s*$

When I test that, I match the IPs and they are in the findtime but they are never banned. How is it possible?

Thank you for any advice.

Christophe.

From: Günther J. N. <gj...@gj...> - 2016-05-29 07:35:24

Hello,

On Sunday, 29 May 2016, 00:07:00 CEST, Kenneth Porter wrote:
> On 5/25/2016 10:28 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > after update to CentOS 7.2 I mean my fail2ban doesn't work correctly anymore
> > ?
> What did you update FROM? CentOS 7 uses firewalld as its default
> firewall, not raw iptables. You should configure fail2ban to use
> firewalld as its action.

My update is from the EPEL directory and I also installed the firewalld.... packet. I mean this is working with CentOS 7 but never with 7.1, 7.2

--
best regards,
Günther J. Niederwimmer

From: Kenneth P. <sh...@se...> - 2016-05-29 07:07:51

On 5/25/2016 10:28 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> after update to CentOS 7.2 I mean my fail2ban doesn't work correctly anymore ?

What did you update FROM? CentOS 7 uses firewalld as its default firewall, not raw iptables. You should configure fail2ban to use firewalld as its action.

From: John S. <li...@be...> - 2016-05-27 17:34:12

Hi,

I've been using various versions of f2b for a while now and everything's been working fine. I've recently upgraded to 0.9.4.dev0 from git, and at the same time swapped from firehol to ufw. I completely blew away my old f2b configuration (which was hacked from a pre-0.9 installation and so was a real mess) and used the default setup that comes with the install.

I added my own filter:

[Definition]
failregex = ^.*IN-internet.*SRC=<HOST>
            ^.*SYN FLOOD.*SRC=<HOST>
            ^.*BLOCK.*IN=eth0.*<HOST>

Checking against fail2ban-regexp shows this hits /var/log/syslog perfectly well.

I added the following jail:

[portscan]
enabled = true
protocol = any
action = ufw[name=portscan]
logpath = /var/log/syslog
maxretry = 3

This seems to find infractions, but does nothing about them:

john@gold /etc/fail2ban % sudo fail2ban-client status portscan
Status for the jail: portscan
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     2
|  `- File list:        /var/log/syslog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

I've swapped out the action for:

action = iptables-allports

That seems to make no difference. This configuration worked fine in 0.9.3.

So, am I misunderstanding something fundamental about how f2b (should) work here, or is something not working right?

Thanks in advance,
Me...

From: Darac M. <mai...@da...> - 2016-05-26 10:17:57

On Wed, May 25, 2016 at 01:42:27PM +0000, Christophe Millon wrote:
> Hi,
>
> I'm new here and I have a question.
>
> My fail2ban works well, but for a few days I have had an issue. Every morning when I
> look at my logwatch I see this :
>
> Received disconnect:
>    11: [preauth]
>       221.229.162.7 : 7 Time(s)
>       221.229.166.101 : 4 Time(s)
>       58.218.199.96 : 8 Time(s)
>       58.218.204.107 : 3 Time(s)
>       58.218.204.211 : 4 Time(s)
>       58.218.204.215 : 6 Time(s)
>       58.218.204.23 : 3 Time(s)
>       58.218.204.32 : 3 Time(s)
>       58.218.204.80 : 1 Time(s)
>       58.218.211.17 : 9 Time(s)
>
> In the auth.log these IPs occur only with this line : "Received disconnect
> from x.x.x.x: 11: [preauth]". These addresses are not banned.
>
> So on my Virtual Machine I tried to modify the configuration file /etc/fail2ban/
> filter.d/sshd.conf to test if I can ban these IPs, I added in regex this line :
> ^%(__prefix_line)sReceived disconnect from <HOST> .* [preauth]\s*$ but it
> doesn't work.

You probably need "\[preauth\]", otherwise that section will be interpreted as being a character class (i.e. a 'p', or an 'r', or an 'e'...)

Also, check to see if the attempts are spread out over a greater period than your 'findtime' setting.

> How can I ban these IPs?
>
> Thank you for any advice.
>
> Christophe.

--
For more information, please reread.

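The character-class point in the reply above can be checked outside fail2ban, because fail2ban filters are plain Python regular expressions. The block below is an added example written for this page, not fail2ban's code: it expands `%(__prefix_line)s` with the sshd prefix exactly as it appears in the fail2ban-regex output quoted earlier in this thread, strips the syslog date the way the engine does before matching, and runs two otherwise identical failregex lines over constructed auth.log lines. The `<HOST>` expansion is modelled on fail2ban 0.9's and is an assumption here; the log lines and addresses are constructed.

```python
import re

# Added example, not fail2ban's own code: reproduce in plain `re` what a filter's
# failregex sees, so the effect of escaping "[preauth]" (or not) is visible.

# Expanded prefix for the sshd daemon, copied from the fail2ban-regex output
# quoted in this thread.
PREFIX_LINE = (
    r"\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*"
)

# Stand-in for the <HOST> placeholder (modelled on fail2ban 0.9's expansion;
# treat the exact form as an assumption, the named group "host" is what matters).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# fail2ban removes the date before matching; this handles the syslog date used below.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed auth.log lines mirroring the entries in the thread
# (documentation addresses, not the ones reported in the post).
SAMPLE_LOG = """\
May 25 06:01:12 vm sshd[2231]: Received disconnect from 203.0.113.10: 11: [preauth]
May 25 06:01:13 vm sshd[2232]: Received disconnect from 203.0.113.10: 11: [preauth]
May 25 06:02:40 vm sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 5110 ssh2
May 25 06:03:02 vm sshd[2245]: Received disconnect from 203.0.113.22: 11: [preauth]
"""

# Two candidate failregex lines, identical except for the brackets.
# Unescaped, "[preauth]" is a character class matching ONE of p, r, e, a, u, t, h.
FAILREGEX_UNESCAPED = r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: [preauth]\s*$"
FAILREGEX_ESCAPED = r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: \[preauth\]\s*$"


def compile_failregex(failregex):
    """Expand the two placeholders the way a filter.d file would, then compile."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def matching_hosts(failregex, log_text):
    """Return the <HOST> capture for every log line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        body = SYSLOG_DATE.sub("", line, count=1)   # engine matches on the date-less line
        m = rx.match(body)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for label, rx in (("unescaped", FAILREGEX_UNESCAPED), ("escaped", FAILREGEX_ESCAPED)):
        print(label, matching_hosts(rx, SAMPLE_LOG))
```

The unescaped pattern matches nothing, because after `11: ` it expects a single letter from the class and finds `[` instead; the escaped one returns the three preauth disconnects and ignores the successful login. This is the same check `fail2ban-regex` performs, reduced to the two lines that differ.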
From: Günther J. N. <gj...@gj...> - 2016-05-26 05:45:23

Hello,

after update to CentOS 7.2 I mean my fail2ban doesn't work correctly anymore ?

before the update, I found the banned IPs in iptables, now only in fail2ban

I mean it is broken ?

Has anyone the same problems and found a working configuration ?

--
best regards,
Günther J. Niederwimmer

From: Christophe M. <chr...@et...> - 2016-05-25 16:17:15

Hi,

I'm new here and I have a question.

My fail2ban works well, but for a few days I have had an issue. Every morning when I look at my logwatch I see this :

Received disconnect:
   11: [preauth]
      221.229.162.7 : 7 Time(s)
      221.229.166.101 : 4 Time(s)
      58.218.199.96 : 8 Time(s)
      58.218.204.107 : 3 Time(s)
      58.218.204.211 : 4 Time(s)
      58.218.204.215 : 6 Time(s)
      58.218.204.23 : 3 Time(s)
      58.218.204.32 : 3 Time(s)
      58.218.204.80 : 1 Time(s)
      58.218.211.17 : 9 Time(s)

In the auth.log these IPs occur only with this line : "Received disconnect from x.x.x.x: 11: [preauth]". These addresses are not banned.

So on my Virtual Machine I tried to modify the configuration file /etc/fail2ban/filter.d/sshd.conf to test if I can ban these IPs, I added in regex this line :

^%(__prefix_line)sReceived disconnect from <HOST> .* [preauth]\s*$

but it doesn't work.

How can I ban these IPs?

Thank you for any advice.

Christophe.

From: Charles W. <ch...@it...> - 2016-05-25 15:32:34

I just recently upgraded to 0.9.3 and am now being forced to change all fail2ban configs on 30+ servers because if apache is not installed and thus it cannot find the log file for it, fail2ban startup will fail. WHY!!! Let it throw a warning in the f2b log and be done with it.

I have 30+ ProxMox servers with hundreds of containers with a single f2b config that was on each HW node. Now each node needs to be customized.

From: Roman G. <rge...@gm...> - 2016-05-23 13:25:32

I have installed fail2ban on an aws rhel 7 box. There, I have set up firewall rules allowing incoming traffic on ports 22 and 80.

I created this jail

[apache-xmlrpc]
enabled = true
port = http
protocol = tcp
filter = apache-xmlrpc
logpath = /var/log/httpd/access_log
maxretry = 10
# findtime: 10 mins
findtime = 600
# bantime: 1 week
bantime = 604800

with this filter

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Looking at iptables, I get

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Why doesn't the IN_public_allow chain include?

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

In any case, entering the following line ma seems to take care of the problem.

iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

What needs to be done so that it should be included, or perhaps I misconfigured it?

Furthermore, looking at fail2ban.log,

2016-05-23 08:47:20,019 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned
2016-05-23 08:47:20,174 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:20,895 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:21,634 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:23,386 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:24,127 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:25,879 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:27,627 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:28,368 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:29,117 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:31,866 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:32,033 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned
2016-05-23 08:47:34,602 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:35,376 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:37,089 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:40,847 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:41,602 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:42,349 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:44,091 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:45,839 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:46,616 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:47,349 fail2ban.filter [5354]: INFO [apache-xmlrpc] Found 185.47.62.118
2016-05-23 08:47:48,049 fail2ban.actions [5354]: NOTICE [apache-xmlrpc] 185.47.62.118 already banned

Shouldn't this ip address 185.47.62.118 have been added to IN_public_deny? Why are there further post attempts from this client?

Thanks in advance

From: Alex <mys...@gm...> - 2016-05-22 17:25:44

Hi,

I have a fedora23 system with fail2ban-0.9.3 and firewalld. I'm having difficulty matching the following, and hoped someone could help:

May 22 13:17:58 email postfix/submission/smtpd[13700]: warning: cpe-24-162-143-15.hot.res.rr.com[24.162.143.15]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I can match with something like the following:

failregex = .*warning: .*\[<HOST>\]: SASL LOGIN authentication failed:.*$

but I'd like to figure out why I can't match on the more specific pattern involving postfix/submission/smtpd[13700]. I've tried variations like:

_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)semail %(_daemon)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

Much of this was from an existing fail2ban filter.

Thanks for any ideas,
Alex

From: Simon B. <si...@be...> - 2016-05-20 18:03:58

Recently I've been having issues with a previously working filter. Probably correlates with version 0.93, but not certain:

ERROR No file(s) found for glob /Library/FileMaker
ERROR Failed during configuration: Have not found any log file for filemaker-client jail

The full log path this is checking is defined as:

logpath = /Library/FileMaker Server/Logs/Event.log

I've seen it mentioned that there is some sort of parameter that can optionally be appended to a path, but can't find that documented. Also, I've tried encoding the space in various ways with no luck.

Is there any way to get this working without having to create a symlink or something?

Simon

PS: full version at https://github.com/beezwax/filemaker-fail2ban

From: Patric G. <pg...@la...> - 2016-05-20 07:06:04

Hi,

Love fail2ban, but it makes me never want to reboot my server! I.e. I use sendmail to inform me of fail2ban bans. But if I reboot or just restart fail2ban, it mails me every single banned ip on my system (currently close to 2000 ip:s). I.e. I get 2000 e-mails every time I reboot.

Is there a way to prevent this?

Best Regards
Patric

From: Valentin H. <hei...@un...> - 2016-05-19 13:37:38

Hey folks,

I have made a filter that blocks machines from accessing samba shares when creating files with certain extensions. The filter looks like this

[Definition]
failregex = (?i)smbd.*IP=<HOST>.*\.locky$

So it should trigger when a file ending with .LOCKY or .locky is saved in this case. However I turned on debug loglevel and saw that it is triggered when I save file.LOCKY but only puts the machine in jail when I save file.locky. Even though it gets the event and finds the IP, it only puts the machine in jail when it's all lowercase.

When I remove the case insensitive flag "(?i)" the filter does not trigger for .LOCKY so it definitely filters case insensitively but the jail is still applied case sensitively.

Does anybody know what I am missing here?

Thanks in advance! Excuse me if I was unclear, feel free to ask further questions.

Kind regards

From: Bill S. <bsh...@op...> - 2016-05-19 02:59:27

A little more info since you're interested:

[0:root@elmo ~]$ rpm -qi sec
Name        : sec
Version     : 2.7.7
Release     : 0.fc22
Architecture: noarch
Install Date: Sun 09 Aug 2015 07:28:16 AM EDT
Group       : System Environment/Daemons
Size        : 581726
License     : GPLv2+
Signature   : RSA/SHA256, Wed 18 Feb 2015 12:59:17 PM EST, Key ID 11adc0948e1431d5
Source RPM  : sec-2.7.7-0.fc22.src.rpm
Build Date  : Wed 18 Feb 2015 08:24:45 AM EST
Build Host  : buildvm-15.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://simple-evcorr.sourceforge.net/
Summary     : Simple Event Correlator script to filter log file entries
Description :
SEC is a simple event correlation tool that reads lines from files, named
pipes, or standard input, and matches the lines with regular expressions,
Perl subroutines, and other patterns for recognizing input events. Events
are then correlated according to the rules in configuration files, producing
output events by executing user-specified shell commands, by writing
messages to pipes or files, etc.

One of my message configuration files (/etc/sec/dhcp.sec) that adds a DHCP lease to an ipset to allow thru the firewall (some lines are wrapped by email):

# mail = /bin/mail instead of /usr/bin/mail for elvis
# Dec 31 11:19:28 elmo dhcpd[20260]: Host:BROTHER-MFC-J61=>BROTHER-MFC-J61 VendorId:(none) MemberOf:(none) PoolType:(none) Lease:14400 Ipv4:192.168.4.63 MAC:0:1b:a9:3d:2d:e3 --> STATIC
type=Single
ptype=RegExp
pattern=(?<server_name>\S+)\s+dhcpd\S+:\s+Host:(?<host>\S+)=\>(?<DNShost>\S+).+ Lease:(?<leaseTime>\d+).+Ipv4:(?<ipv4>(\d{1,3}\.){3}\d{1,3}).+MAC:(?<MAC>\S+)
desc=DHCP lease issued: Server:$+{server_name} Host:$+{DNShost} Ipv4:$+{ipv4} Lease:$+{leaseTime} MAC:$+{MAC}
action=shellcmd /usr/sbin/ipset -exist add DHCP4-lease $+{ipv4} timeout $+{leaseTime}

On 5/18/2016 4:46 AM, Marcin Mirosław wrote:
> On 17.05.2016 at 16:14, Bill Shirley wrote:
> > This is more of a job for Simple Event Correlator (SEC):
> > https://simple-evcorr.github.io/
> Hi!
> I didn't know this tool. It looks like I should look at SEC closer.
>
> Thanks!
> Marcin

From: Marcin M. <ma...@me...> - 2016-05-18 08:47:22

On 17.05.2016 at 16:14, Bill Shirley wrote:
> This is more of a job for Simple Event Correlator (SEC):
> https://simple-evcorr.github.io/

Hi!
I didn't know this tool. It looks like I should look at SEC closer.

Thanks!
Marcin

From: Bill S. <bsh...@op...> - 2016-05-17 14:15:26

This is more of a job for Simple Event Correlator (SEC):
https://simple-evcorr.github.io/

Bill

On 5/16/2016 11:09 AM, Marcin Mirosław wrote:
> Hi!
> I'd like to use Fail2ban in a little different scenario than blocking
> ip. I'm trying to set up Fail2ban to monitor the rbldnsd log to detect
> a predefined string appearing (this is a private uribl server) and send
> email to me with information if such a string appears.
>
> examples of log:
> 1462867150 8.8.8.8 somedomain.uribl A IN: NXDOMAIN/0/95
> 1455794291 8.8.8.8 otherdomain.uribl A IN: NXDOMAIN/0/88
> 1455794291 8.8.8.8 anotherdomain.pl A IN: NXDOMAIN/0/92
>
> I'd like to get a notification with the line which matches failregex to know
> that "otherdomain.uribl" appeared in the log. I'm using regexp:
> .*\s<HOST>\s%otherdomain\.uribls\sA\sIN:\sNXDOMAIN/\d/\d\d$
> Maybe I should change the regexp to match <HOST> in the place where
> "otherdomain.uribl" appears? But how to define both my own regexp and
> <HOST> to match the same string?
> Fail2ban-0.9.3
>
> Thanks for any advice.
>
> Marcin

From: Marcin M. <ma...@me...> - 2016-05-16 15:28:57

Hi!

I'd like to use Fail2ban in a little different scenario than blocking ip. I'm trying to set up Fail2ban to monitor the rbldnsd log to detect a predefined string appearing (this is a private uribl server) and send email to me with information if such a string appears.

examples of log:

1462867150 8.8.8.8 somedomain.uribl A IN: NXDOMAIN/0/95
1455794291 8.8.8.8 otherdomain.uribl A IN: NXDOMAIN/0/88
1455794291 8.8.8.8 anotherdomain.pl A IN: NXDOMAIN/0/92

I'd like to get a notification with the line which matches failregex to know that "otherdomain.uribl" appeared in the log. I'm using regexp:

.*\s<HOST>\s%otherdomain\.uribls\sA\sIN:\sNXDOMAIN/\d/\d\d$

Maybe I should change the regexp to match <HOST> in the place where "otherdomain.uribl" appears? But how to define both my own regexp and <HOST> to match the same string?

Fail2ban-0.9.3

Thanks for any advice.

Marcin

From: Daniel L. S. <da...@is...> - 2016-05-12 18:52:53

Here's a real one from an outside IP:

2016-05-09 15:54:36,238 fail2ban.actions [28520]: ERROR Failed to execute ban jail 'sshd' action 'xarf-login-attack' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7fb60be59758>, 'matches': '2016-05-09T04:53:54.418814 host.private sshd[5351]: Invalid user admin from 88.135.140.111\n2016-05-09T04:53:54.422425 host.private sshd[5351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.135.140.111\n2016-05-09T04:53:56.128375 host.private sshd[5351]: Failed password for invalid user admin from 88.135.140.111 port 3316 ssh2', 'ip': '88.135.140.111', 'ipmatches': <function <lambda> at 0x7fb60be59668>, 'ipfailures': <function <lambda> at 0x7fb60be597d0>, 'time': 1462823676.131133, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x7fb60be59848>})': 'bool' object is not iterable

On Thu, 2016-05-12 at 19:04 +0100, Nick Howitt wrote:
> From what you posted, it looks like your ignoreip range covers the ip
> detected so it is .......... ignored.
>
> On 12/05/2016 18:51, Daniel L. Srebnick wrote:
> > Is anyone out there using xarf-login-attack? Mighty quiet since my
> > initial inquiry and could use some assistance here, even if it is
> > direction to file a bug report.
> >
> > On Mon, 2016-05-09 at 18:41 -0400, Daniel L. Srebnick wrote:
> >
> > snip...snip for brevity
> >
> > > Seems like ipmatches, ipfailures, and ipjailfailures are not
> > > being found, causing the failure.
> > >
> > > All suggestions appreciated please!

From: Daniel L. S. <da...@is...> - 2016-05-12 18:49:50

The ignore was commented out for the test, which was a local attempt to trigger the error for documentation!

On Thu, 2016-05-12 at 19:04 +0100, Nick Howitt wrote:
> From what you posted, it looks like your ignoreip range covers the ip
> detected so it is .......... ignored.
>
> On 12/05/2016 18:51, Daniel L. Srebnick wrote:
> > Is anyone out there using xarf-login-attack? Mighty quiet since my
> > initial inquiry and could use some assistance here, even if it is
> > direction to file a bug report.
> >
> > On Mon, 2016-05-09 at 18:41 -0400, Daniel L. Srebnick wrote:
> >
> > snip...snip for brevity
> >
> > > Seems like ipmatches, ipfailures, and ipjailfailures are not
> > > being found, causing the failure.
> > >
> > > All suggestions appreciated please!

From: Nick H. <ni...@ho...> - 2016-05-12 18:05:07

From what you posted, it looks like your ignoreip range covers the ip detected so it is .......... ignored.

On 12/05/2016 18:51, Daniel L. Srebnick wrote:
> Is anyone out there using xarf-login-attack? Mighty quiet since my
> initial inquiry and could use some assistance here, even if it is
> direction to file a bug report.
>
> On Mon, 2016-05-09 at 18:41 -0400, Daniel L. Srebnick wrote:
>
> snip...snip for brevity
>
> > Seems like ipmatches, ipfailures, and ipjailfailures are not being
> > found, causing the failure.
> >
> > All suggestions appreciated please!

From: Daniel L. S. <da...@is...> - 2016-05-12 17:52:01

Is anyone out there using xarf-login-attack? Mighty quiet since my initial inquiry and could use some assistance here, even if it is direction to file a bug report.

On Mon, 2016-05-09 at 18:41 -0400, Daniel L. Srebnick wrote:

snip...snip for brevity

> Seems like ipmatches, ipfailures, and ipjailfailures are not being
> found, causing the failure.
>
> All suggestions appreciated please!