From: Martin W. <ma...@wa...> - 2010-09-16 06:32:38
Hi all,

I have some problems regarding tai64n date formats in log files: I have a qmailtoaster running dovecot as the imap server and I use supervise and multilog to run dovecot and its log just like my other toaster portions. Now, I tried setting up fail2ban to recognize login attacks on dovecot. The lines in question in the logfile look like this:

@400000004c91b044077a9e94 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<ma...@wa...>, method=CRAM-MD5, rip=80.187.101.33, lip=80.254.129.240, TLS

If I manually test my regex, I get hits:

*******
[root@serv01 ~]# fail2ban-regex /var/log/qmail/dovecot/current '.*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*'

Running tests
=============

Use regex line : .*(?: pop3-login|imap-login):.*(?:Authentication f...
Use log file   : /var/log/qmail/dovecot/current

Results
=======

Failregex
|- Regular expressions:
|  [1] .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
|
`- Number of matches:
   [1] 95 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    80.187.101.33 (Wed Sep 15 22:34:51 2010)
    ...
*******

But although I use the exact same logfile and failregex, fail2ban itself will not recognize anything. However, if I (just for testing) start a process:

tail -f /var/log/qmail/dovecot/current | tai64nlocal >> /var/log/test.log

and point fail2ban to /var/log/test.log instead, everything works as expected. Now, this looks like there is some difference in the way fail2ban-regex and fail2ban treat tai64n timestamps, or what else might I be missing?

I am running CentOS 5.5 x86_64 and I tried both fail2ban 0.8.2 as provided by the rpmforge repo and 0.8.4 as downloaded from the project website (as source).

Advice and suggestions highly appreciated!

Thanks in advance,
Martin

--
Martin Waschbüsch IT-Dienstleistungen
Lautensackstr. 16
80687 München
Telefon: +49 89 57005708
Fax: +49 89 57868023
Mobil: +49 170 2189794
ma...@wa...
http://martin.waschbuesch.de
From: Martin W. <ma...@wa...> - 2010-09-16 19:27:36
I may have found something (thanks for pointing out the date inconsistency possibility): piping /var/log/qmail/dovecot/current through tai64nlocal gives (for the last wrong attempt):

2010-09-16 21:12:38.231499500 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<ma...@wa...>, method=CRAM-MD5, rip=88.217.137.187, lip=80.254.129.240, TLS

Now, fail2ban-regex gave this:

88.217.137.187 (Thu Sep 16 20:12:48 2010)

There's a mismatch of an hour here. Any idea where that might come from? The system time as seen by tai64nlocal is the correct one.

Martin

--
Martin Waschbüsch IT-Dienstleistungen
Lautensackstr. 16
80687 München
Telefon: +49 89 57005708
Fax: +49 89 57868023
Mobil: +49 170 2189794
ma...@wa...
http://martin.waschbuesch.de

On 16.09.2010 at 20:42, René Berber wrote:

> On 9/16/2010 1:27 PM, Martin Waschbuesch wrote:
>
> [snip]
>> Hm, but that is exactly the point, isn't it? fail2ban-regex does
>> recognize matches (and prints them with a datestamp), so why does
>> fail2ban itself not block based on that information?
>
> Perhaps it is something else you have not mentioned, for instance, are the
> dates presented by fail2ban-regex too far apart?
>
> And "too far" is configurable, which is really the point. Fail2ban
> might be seeing the hits fine but its configuration might be saying
> "ignore hits that are 10 minutes apart" (which is the default). Or a
> combination of bantime and findtime and maxretry.
>
> Or perhaps you are expecting f2b to react on old log entries, which it
> will not do, or at least tries not to do.
> --
> René Berber
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Yaroslav H. <li...@on...> - 2010-09-17 01:40:29
On Thu, 16 Sep 2010, Martin Waschbuesch wrote:

> I may have found something (thanks for pointing out the date inconsistency possibility):
> piping /var/log/qmail/dovecot/current through tai64nlocal gives (for the last wrong attempt):
> 2010-09-16 21:12:38.231499500 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<ma...@wa...>, method=CRAM-MD5, rip=88.217.137.187, lip=80.254.129.240, TLS
> Now, fail2ban-regex gave this:
> 88.217.137.187 (Thu Sep 16 20:12:48 2010)
> There's a mismatch of an hour here.

hm -- could you please try running fail2ban after applying the supplied patch, then enable debugging per René's instructions, imitate the attack, and observe fail2ban.log -- would there be a new kind of Ignore lines?

--
Keep in touch                           (yoh@|www.)onerussian.com
Yaroslav Halchenko                               ICQ#: 60653192
Linux User                                            [175555]
From: Yaroslav H. <li...@on...> - 2010-09-21 18:01:17
On Thu, 16 Sep 2010, Yaroslav Halchenko wrote:

> > 88.217.137.187 (Thu Sep 16 20:12:48 2010)
> > There's a mismatch of an hour here.
> hm -- could you please try running fail2ban after applying the supplied patch, then enable
> debugging per René's instructions, imitate the attack, and observe
> fail2ban.log -- would there be a new kind of Ignore lines?

Per private communication with Martin we figured out that the hour mismatch is indeed the cause of fail2ban failing here.

1. I've committed a modified version of the suggested patch to increase debug verbosity of fail2ban (branch FAIL2BAN-0_8) since it might come in handy for other cases.

2. Tentative fix for the problem (works for Martin) is a simple replacement of gmtime with localtime (which makes sense to me in general):

@@ -168,7 +168,8 @@ class DateTai64n(DateTemplate):
 # extract part of format which represents seconds since epoch
 value = dateMatch.group()
 seconds_since_epoch = value[2:17]
- date = list(time.gmtime(int(seconds_since_epoch, 16)))
+ # convert seconds from HEX into local time stamp
+ date = list(time.localtime(int(seconds_since_epoch, 16)))
 return date

but I am not sure how tai64n timestamps were working before for anyone else and Mark Edgington who added it (through Cyril)... also could not locate referenced issue #1275325.

Any feedback clarifying the situation with tai64n handling would be welcome.

Cheers,
--
Keep in touch                           (yoh@|www.)onerussian.com
Yaroslav Halchenko                               ICQ#: 60653192
Linux User                                            [175555]
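Review bot: the `- date = list(time.gmtime(...))` / `+ date = list(time.localtime(...))` change alters what the returned struct means without recording why local time is the right choice; replace the new comment "convert seconds from HEX into local time stamp" with one that says the struct must be in local time so it lines up with the timestamps fail2ban compares against (the thread traces the failure to exactly that one-hour mismatch), and pin the behaviour with a test that feeds the label quoted earlier in this thread (`@400000004c91b044077a9e94`) and asserts the expected fields, since the message itself admits it is unclear how tai64n handling worked before. The unchanged context line `seconds_since_epoch = value[2:17]` also deserves a comment: it takes 15 hex digits, so the conversion only works because the label's leading `4` (the TAI64 offset digit) is skipped together with the `@`.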
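As an added illustration (not code from this thread or from fail2ban), the Python below reproduces the DateTai64n conversion from the hunk above and applies Martin's posted failregex to his sample line, so the timezone-dependent hour shift can be seen directly; the POSIX TZ strings passed to hour_in_zone are constructed for the demo, and the parse_tai64n helper is an assumption-free reading of the TAI64N label format rather than fail2ban's own code.

```python
import os
import re
import time

# Constructed sample: the dovecot line quoted in Martin's first message.
SAMPLE_LINE = ("@400000004c91b044077a9e94 imap-login: Info: Aborted login "
               "(auth failed, 1 attempts): user=<ma...@wa...>, method=CRAM-MD5, "
               "rip=80.187.101.33, lip=80.254.129.240, TLS")

# Martin's failregex exactly as posted in the first message.
FAILREGEX = re.compile(
    r".*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*")

# TAI64N label: '@', 16 hex digits of seconds (offset by 2^62), 8 hex digits of nanoseconds.
TAI64N_RE = re.compile(r"@([0-9a-f]{16})([0-9a-f]{8})")


def parse_tai64n(label):
    """Return (seconds since 1970 on the TAI scale, nanoseconds) for a TAI64N label."""
    m = TAI64N_RE.match(label)
    if not m:
        raise ValueError("not a TAI64N label: %r" % label)
    return int(m.group(1), 16) - 2 ** 62, int(m.group(2), 16)


def fail2ban_style_date(label, use_localtime):
    """Mirror DateTai64n from the patch: value[2:17] skips '@4', so the 2^62 offset
    is dropped with the leading digit and int(..., 16) yields plain seconds."""
    seconds_since_epoch = label[2:17]
    convert = time.localtime if use_localtime else time.gmtime
    return list(convert(int(seconds_since_epoch, 16)))


def hour_in_zone(label, posix_tz):
    """Hour the localtime() branch produces under a POSIX TZ string such as
    'CEST-2' (UTC+2, no tzdata needed); the previous TZ is restored afterwards."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = posix_tz
    time.tzset()
    try:
        return fail2ban_style_date(label, True)[3]
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()


def host_from_line(line):
    """Apply the posted failregex and return the captured rip= host, or None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None
```

The gmtime() branch always yields 05:51 UTC for the sample label, while the localtime() branch yields 07:51 under a UTC+2 zone; that zone offset is the gap between what fail2ban-regex printed and what tai64nlocal showed.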
From: Yaroslav H. <li...@on...> - 2010-09-27 13:20:02
On Tue, 21 Sep 2010, Yaroslav Halchenko wrote:

> but I am not sure how tai64n timestamps were working before for anyone else and
> Mark Edgington who added it (through Cyril)... also could not locate referenced
> issue #1275325.
> Any feedback clarifying the situation with tai64n handling would be welcome.

Since there were no objections -- committed.

Also I pushed the following change to ignore, by default, all loopback devices (thanks Christoph Anton Mitterer):

$> git show upstream-0.8
commit b0331bb02e32fce762f73bfe47169c16baf8cff9
Author: yarikoptic <yarikoptic@a942ae1a-1317-0410-a47c-b1dcaea8d605>
Date:   Mon Sep 27 13:10:48 2010 +0000

    default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200

    git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@765 a942ae1a-1317-0410-a47c-b1dcaea8d605

diff --git a/config/jail.conf b/config/jail.conf
index 41a56ff..81a736d 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -13,7 +13,7 @@
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
-ignoreip = 127.0.0.1
+ignoreip = 127.0.0.1/8

 # "bantime" is the number of seconds that a host is banned.
 bantime = 600

--
Keep in touch                           (yoh@|www.)onerussian.com
Yaroslav Halchenko                               ICQ#: 60653192
Linux User                                            [175555]
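Review bot: `+ignoreip = 127.0.0.1/8` is not the canonical form of the loopback network; the network address for the /8 is 127.0.0.0, and the comment three lines above says the option takes "a CIDR mask", so either write `127.0.0.0/8` or confirm that the matcher masks the host bits before comparing, otherwise a loopback source other than 127.0.0.1 may still be banned despite the commit message promising to ignore the "entire loopback zone (/8)". A small test that parses this jail.conf value and checks an address such as 127.0.0.2 against it would settle the question and guard the default.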