From: Klaus L. <leh...@t-...> - 2008-05-20 08:20:07
hi fans,

[this was an error, I posted some weeks ago....]
you will get an error, if you start "fail2ban-client start":

    WARNING 'ignoreregex' not defined in 'Definition'. Using default value
    2008-05-20 09:50:20,610 fail2ban.server : INFO Starting Fail2ban v0.8.2-SVN
    2008-05-20 09:50:20,610 fail2ban.server : INFO Starting in daemon mode

    rotz_user_with_more_than_8_signs:/usr/local/bin # fail2ban-client stop
    Shutdown successful

what is to do?
search in all your active(!!!) conf's
especially in /etc/fail2ban/filter.d

there's a standard pam-generic.conf

    ...
    failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
    [and nothing more.]

it must be correct:

    ...
    failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
    ignoreregex =
    ~~~~~~~~~~~~~~~~~~ it lacks.

all active *.conf must have entry "ignoreregex = " [or with content]
                                   ~~~~~~~ !!!

adding it (example) to pam-generic.conf, it works.
here:

    rotz_user_with_more_than_8_signs:/usr/local/bin # fail2ban-client start
    2008-05-20 09:51:28,617 fail2ban.server : INFO Starting Fail2ban v0.8.2-SVN
    2008-05-20 09:51:28,618 fail2ban.server : INFO Starting in daemon mode

no error anymore. ;-)

---> cyril, I think it could be a good idea, to correct this in pam-generic.conf.

----> and thanks for build in with telling us, with version there runs
here's my log:

    2008-05-20 09:48:15,433 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.2-SVN

why I was so keen on it? THIS is a point to search for starting point IN big logfile
[a little bit better would be to read also "starting Fail2ban ...."
but, nobody is perfect ;-)]

---> cyril, You can add to sshd.conf those lines:

    ^%(__prefix_line)s(?:error: PAM: )[uU]ser not known to the underlying [aA]uthentication module for illegal .* from <HOST>\s*$
    ^%(__prefix_line)sUser \S+ from <HOST> not allowed because listed in DenyUsers$

[maybe they depend on too new openssh -here's working OpenSSH_5.0p1-snap20080509-]

---> there's also a little addition, I've built in a new filter:

apache-http11.conf
========================
content:

    # Fail2Ban configuration file
    # Author: Klaus Lehmann -Radeberg- 2008
    # $Revision: 668 $

    [Definition]

    # Option: failregex
    # Notes.: Regexp to catch requests without hostname
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] client sent HTTP/1.1 request without hostname [(]see RFC2616 section 14.23[)]
                [[]client <HOST>[]] user not found

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

in jail.local I have an entry
====================

    [apache-http11]
    enabled = true
    filter = apache-http11
    action = iptables-multiport[name=http11, port="http,https"]
             sendmail-whois-lines[name=http11, lines=5, dest=use...@ec..., sender=fail2ban@less_brain_because_newbie.biz]
    logpath = /var/log/apache2/error_log
    bantime = 172800
    maxretry = 1

comment: I have no idea, how to build it into existing filters. and I'm not very familiar with perl.
BUT IT WORKS. stupid people will not come in.

hope, others can use those (small) additions.

yours very
klaus

nb: don't be astonished about my linux-user with more than 8 .... ; but this is another place of war ....
nb2: fail2ban is my life_saver. since 2 years it is working on my servers. since (approx) 2 years there is more peace in living with those servers. not anymore so much annoying attacks. ok, there are some also annoying attacks, but they count (very) less. therefore I'm VERY proud to give community also some (small) additions ;-)
nb3: cyril and yaroslav: you're doing a VERY GOOD JOB!!!!!! [thanx]
From: Cyril J. <cyr...@fa...> - 2008-05-21 22:34:33
Hi Klaus,

> [this was an error, I posted some weeks ago....]
> you will get an error, if you start "fail2ban-client start":
>
> WARNING 'ignoreregex' not defined in 'Definition'. Using default value
> 2008-05-20 09:50:20,610 fail2ban.server : INFO Starting Fail2ban
> v0.8.2-SVN
> 2008-05-20 09:50:20,610 fail2ban.server : INFO Starting in daemon
> mode
>
> rotz_user_with_more_than_8_signs:/usr/local/bin # fail2ban-client stop
> Shutdown successful
>
> what is to do?
> search in all your active(!!!) conf's
> especially in /etc/fail2ban/filter.d
>

Thank you. Committed.

http://fail2ban.svn.sourceforge.net/fail2ban/?rev=699&view=rev

Klaus, I don't really like to say this but could you please post your
patches and files as attachments? Your e-mails will be easier to read
and files/patches easier for me to integrate. Could you please send me
your modifications again as attachment? Thank you.

> ...
> also annoying attacks, but they count (very) less. therefore I'm VERY
> proud to give community also some (small) additions ;-)
> nb3: cyril and yaroslav: you're doing a VERY GOOD JOB!!!!!! [thanx]
>

Thank you for using and enjoying fail2ban ;)

Cheers,

Cyril
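
The search described in this thread (finding every filter whose [Definition] lacks an "ignoreregex" entry) can be scripted. This is an added example, not code from the thread or from fail2ban; the function names and the two sample filter files are constructed, and it assumes a .local file beside a .conf may supply the option.

```python
import configparser
import tempfile
from pathlib import Path


def has_option(path, section, option):
    """True if `path` exists and defines `option` (even empty) in `section`."""
    if not path.is_file():
        return False
    # Raw parser: fail2ban values contain %(name)s tokens that must not be
    # interpolated here. A dummy default_section stops a [DEFAULT] block
    # from leaking its keys into [Definition].
    parser = configparser.RawConfigParser(strict=False,
                                          default_section="__unused__")
    parser.read(path)
    return parser.has_option(section, option)


def filters_missing(filter_dir, option="ignoreregex"):
    """Return names of filter files whose [Definition] lacks `option`."""
    missing = []
    for conf in sorted(Path(filter_dir).glob("*.conf")):
        if not has_option(conf, "Definition", "failregex"):
            continue  # helper file without a failregex, not a filter
        local = conf.with_suffix(".local")  # assumed override location
        if not (has_option(conf, "Definition", option)
                or has_option(local, "Definition", option)):
            missing.append(conf.name)
    return missing


def demo():
    """Run the check over two constructed filter files in a temp directory."""
    broken = "[Definition]\nfailregex = authentication failure; rhost=<HOST>\\s*$\n"
    fixed = broken + "ignoreregex =\n"
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pam-generic.conf").write_text(broken)
        Path(tmp, "apache-http11.conf").write_text(fixed)
        return filters_missing(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real host, call filters_missing("/etc/fail2ban/filter.d") and add an empty "ignoreregex =" line to each file it lists.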