From: Xuo <xu...@fr...> - 2010-09-26 17:25:19
|
Hi,

At the moment, I use fail2ban with ssh and it works fine.
I would like to use it with proftpd too, but proftpd's logs are in French and fail2ban seems not to be able to recognize the format of the date and time.

How can I make fail2ban work with different languages in the logs?

Thanks.

Xuo.
|
From: Roy S. K. <ro...@ka...> - 2010-09-26 17:40:26
|
> How can I make fail2ban work with different languages in the
> logs?

Please post the log output, and someone might get a chance to write the regex for it :)

Vennlige hilsener / Best regards

roy
--
Roy Sigurd Karlsbakk
(+47) 97542685
ro...@ka...
http://blogg.karlsbakk.net/
--
In all pedagogy it is essential that the curriculum is presented intelligibly. It is an elementary imperative for all pedagogues to avoid excessive use of idioms of foreign origin. In most cases adequate and relevant synonyms exist in Norwegian.
|
From: Xuo <xu...@fr...> - 2010-09-26 19:39:50
|
Hi,

Here is an example of a proftpd log file. The date is in French format.

sept. 26 16:17:17 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): FTP session opened.
sept. 26 16:17:17 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): USER Administrator: no such user found from 211.49.40.231 [211.49.40.231] to 192.168.0.14:21
sept. 26 16:17:18 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): USER Administrator: no such user found from 211.49.40.231 [211.49.40.231] to 192.168.0.14:21
sept. 26 16:17:20 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): USER Administrator: no such user found from 211.49.40.231 [211.49.40.231] to 192.168.0.14:21
sept. 26 16:17:20 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): Maximum login attempts (3) exceeded,connection refused
sept. 26 16:17:20 ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): FTP session closed.

For ssh, the log file contains:

Sep 26 19:27:36 ordi4 sshd[1104]: Failed password for root from 173.203.121.231 port 36915 ssh2

Regards.

Xuo.
|
From: René B. <rb...@ca...> - 2010-09-26 20:30:20
|
On 9/26/2010 2:39 PM, Xuo wrote:

> Here is an example of a proftpd log file. The date is in french format.
>
> sept. 26 16:17:17 ordi4 proftpd[31535] ordi4
> (211.49.40.231[211.49.40.231]): USER Administrator: no such user found
> from 211.49.40.231 [211.49.40.231] to 192.168.0.14:21

That looks like a bug on proftp, standard month abbreviations are 3 letters and no period; is it doing its own log or using syslog?

> For ssh, the log file contains :
>
> Sep 26 19:27:36 ordi4 sshd[1104]: Failed password for root from
> 173.203.121.231 port 36915 ssh2

Fail2ban already tries to recognize several formats, including French, also including converting local to 'C' locale. It's not done with custom regexes, so there is nothing to write here, it's done in code (datetemplate.py and datedetector.py).

I would try to fix proftp first, or make it use syslog which (I think) at least follows the standards.

--
René Berber
|
From: Xuo <xu...@fr...> - 2010-09-27 17:25:14
|
On 26/09/2010 22:07, René Berber wrote:
> On 9/26/2010 2:39 PM, Xuo wrote:
>
>> Here is an example of a proftpd log file. The date is in french format.
>>
>> sept. 26 16:17:17 ordi4 proftpd[31535] ordi4
>> (211.49.40.231[211.49.40.231]): USER Administrator: no such user found
>> from 211.49.40.231 [211.49.40.231] to 192.168.0.14:21
> That looks like a bug on proftp, standard month abbreviations are 3
> letters and no period; is it doing its own log or using syslog?

I don't know. I'll try to see how proftpd generates its logs.

Regards.

Xuo.
|
From: Xuo <xu...@fr...> - 2010-09-28 18:32:38
|
Hi,

You have found the problem.
By default, proftpd writes its logs via syslog (see http://www.proftpd.org/docs/howto/Logging.html).
But in my /etc/proftpd.conf file, there were the 2 following lines that I commented out:

#TransferLog /var/log/proftpd/proftpd.log
#SystemLog /var/log/proftpd/proftpd.log

Now, error messages are written into /var/log/syslog in (what I call) English format and fail2ban is able to ban bad IP addresses.

I still have a question: when you say fail2ban is able to recognize French, why didn't it recognize "sept."? Is it the 'dot' that is not correct?
I think 'sept.' comes from my locales.
If I do:

# date

I get:

mar. sept. 28 20:29:47 CEST 2010

Are there some docs on how fail2ban manages locales and why it seems to recognize only English format?

Regards.

Xuo.
|
From: René B. <rb...@ca...> - 2010-09-28 19:03:54
|
On 9/28/2010 1:32 PM, Xuo wrote:

> You have found the problem.
> By default, proftpd writes its logs via syslog (see
> http://www.proftpd.org/docs/howto/Logging.html).
> But in my /etc/proftpd.conf file, there was the 2 following lines that I
> commented out :
> #TransferLog /var/log/proftpd/proftpd.log
> #SystemLog /var/log/proftpd/proftpd.log
> Now, error messages are written into /var/log/syslog in (what I call)
> english format and fail2ban is able to ban bad IP addresses.
>
> I still have a question : when you say fail2ban is able to recognize
> french, why didn't it recognize "sept." ? Is it the 'dot' that is not
> correct ?
> I think 'sept.' comes from my locales.
> If I do :
> # date
> I get :
> mar. sept. 28 20:29:47 CEST 2010

I'm not sure where the standard is, I don't use French but I have used Spanish and the abbreviations are 3 letters and no dot, for month and day.

Fail2ban has some hardcoded French month names, using unicode, in the code you see things like 'TABLE["Feb"] = [u"Fév"]' which I think stands for Février, September doesn't have an entry since, using 3 letters, it's the same. Additional to that, it does locale conversion, from any configured locally to C which is English using ASCII, perhaps this part is failing, if you have the correct locale it should have worked (but syslog being in English does point that the locale is not French, but English, or C, or none).

> Is there some docs on how fail2ban manage locales and why it seems to
> recognize only english format ?

Not that I know of, but I haven't looked for it.

--
René Berber
|
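Added example, not part of the thread and not fail2ban's own code: a simplified Python model of why the "sept." lines quoted earlier produce no ban while the syslog-style "Sep" lines do. It assumes a parser that accepts only C-locale three-letter month names and skips any failure line whose date it cannot parse; the FR_TO_C table and every function name here are illustrative assumptions.

```python
import re
from collections import Counter
from datetime import datetime

C_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
            "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Assumed table (illustrative, not fail2ban's): French abbreviations -> C locale.
FR_TO_C = {"janv.": "Jan", "févr.": "Feb", "mars": "Mar", "avr.": "Apr",
           "mai": "May", "juin": "Jun", "juil.": "Jul", "août": "Aug",
           "sept.": "Sep", "oct.": "Oct", "nov.": "Nov", "déc.": "Dec"}
# Strict syslog-style stamp, e.g. "Sep 26 16:17:17 ".
STAMP = re.compile(r"^(%s) +(\d{1,2}) (\d\d):(\d\d):(\d\d) " % "|".join(C_MONTHS))
# proftpd failure message as quoted in the thread; captures the client address.
FAILURE = re.compile(r"USER \S+: no such user found from (\d{1,3}(?:\.\d{1,3}){3}) ")

# Log lines quoted in the thread: proftpd's own log file, then sshd via syslog.
PREFIX = "ordi4 proftpd[31535] ordi4 (211.49.40.231[211.49.40.231]): "
FAIL = ("USER Administrator: no such user found from "
        "211.49.40.231 [211.49.40.231] to 192.168.0.14:21")
SAMPLE = [
    "sept. 26 16:17:17 " + PREFIX + FAIL,
    "sept. 26 16:17:18 " + PREFIX + FAIL,
    "sept. 26 16:17:20 " + PREFIX + FAIL,
    "Sep 26 19:27:36 ordi4 sshd[1104]: Failed password for root "
    "from 173.203.121.231 port 36915 ssh2",
]

def to_c_locale(line):
    """Rewrite a leading French month token to its C-locale form."""
    token, sep, rest = line.partition(" ")
    return FR_TO_C.get(token.lower(), token) + sep + rest

def parse_stamp(line, year):
    """Return the line's timestamp, or None if the month is not C-locale."""
    m = STAMP.match(line)
    if not m:
        return None
    return datetime(year, C_MONTHS.index(m.group(1)) + 1, *map(int, m.groups()[1:]))

def count_failures(lines, year, normalize):
    """Count failures per address; lines without a parsable date are skipped."""
    hits = Counter()
    for line in lines:
        if normalize:
            line = to_c_locale(line)
        m = FAILURE.search(line)
        if m and parse_stamp(line, year):
            hits[m.group(1)] += 1
    return hits
```

Without normalization the three failures from 211.49.40.231 are never counted, so no threshold is reached; with it, all three are.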
From: Tom H. <to...@wh...> - 2010-09-29 17:11:22
|
On 28/09/10 21:03, René Berber wrote:
> I'm not sure where is the standard, I don't use French but I have used
> Spanish and the abbreviations are 3 letters and no dot, for month and day.
>
> Fail2ban has some hardcoded French month names, using unicode, in the
> code you see things like 'TABLE["Feb"] = [u"Fév"]' which I think stands
> for Février, September doesn't have an entry since, using 3 letters, it's
> the same. Additional to that, it does locale conversion, from any
> configured locally to C which is English using ASCII, perhaps this part
> is failing, if you have the correct locale it should have worked (but
> syslog being in English does point that the locale is not French, but
> English, or C, or none).
>
>> Is there some docs on how fail2ban manage locales and why it seems to
>> recognize only english format ?

I think it is quite common to use 'exotic' (i.e. any other than POSIX, C or en_*) locales only in user profiles instead of system wide, so they don't apply to 'system' processes.

Last time I checked, my glibc included 320+ locales, so imho maintaining a parser supporting all (or most) of them would take more work than all of current fail2ban development time available :)

--
Regards,
Tom
|
From: Xuo <xu...@fr...> - 2010-09-29 17:23:19
|
On 29/09/2010 19:10, Tom Hendrikx wrote:
> I think it is quite common to use 'exotic' (i.e. any other than POSIX, C
> or en_*) locales only in user profiles instead of system wide, so they
> don't apply to 'system' processes.
>
> Last time I checked, my glibc included 320+ locales, so imho maintaining
> a parser supporting all (or most) of them would take more work than all
> of current fail2ban development time available :)

Hi,

I see. I'll try to use 'non-exotic' locales for all users except me.

Regards.

Xuo.
|
From: Xuo <xu...@fr...> - 2010-09-29 18:15:23
|
Hi,

I have modified /etc/sysconfig/i18n by replacing all LC_xxx=fr_FR.UTF-8 with LC_xxx=C.
I set:

TransferLog /var/log/proftpd/proftpd.log
SystemLog /var/log/proftpd/proftpd.log

in /etc/proftpd.conf and fail2ban is able to ban bad IPs.
In /var/log/proftpd/proftpd.log, the date format is now:

Sep 29 20:10:20

Thank you for your help.

Xuo.
|