From: Linux T. <lin...@gm...> - 2010-11-29 14:47:38
Hello world,

I installed fail2ban for monitoring geronimo logs (geronimo.out).
I want to use it only for that, not to secure my server.
So, I created the following new filter and new jail file.
Whenever a new term "Exception" is detected, I want fail2ban to send me an alert.

Can you tell me please how I can do this, because it appears that this configuration does not work.

/etc/fail2ban/filter.d/geronimo.conf
--------------------------------------------------------------------------------------------------------

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = Exception

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/jail.conf
--------------------------------------------------------------------------------------------------------

[geronimo]

enabled  = true
filter   = Exception
action   = sendmail-whois[name=Pattern Detection, dest=ad...@na...]
logpath  = /home/web/geronimo/var/log/geronimo.out

-----------
Config:
fail2ban-0.8.2-3.el4.rf
PHP 4.3.9 (cgi) (built: Apr 4 2007 11:50:16)
Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
mailx-8.1.1-37.EL4

# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           geronimo

# fail2ban-client status geronimo
Status for the jail: geronimo
|- filter
|  |- File list:        /home/web/geronimo/var/log/geronimo.out
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

TEST:
--------------------------------------------------------------------------------------------------------

# fail2ban-regex /home/web/geronimo/var/log/geronimo.out /etc/fail2ban/filter.d/geronimo.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/geronimo.conf
Use log file   : /home/web/geronimo/var/log/geronimo.out

Results
=======

Failregex
|- Regular expressions:
|  [1] Exception
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
From: Linux T. <lin...@gm...> - 2010-12-01 11:04:11
Anyone have a solution for my problem please?

2010/11/29 Linux Tux <lin...@gm...>

> Hello world,
>
> I installed fail2ban for monitoring geronimo logs (geronimo.out).
> I want to use it only for that, not to secure my server.
> So, I created the following new filter and new jail file.
> Whenever a new term "Exception" is detected, I want fail2ban to send me an
> alert.
>
> Can you tell me please how I can do this, because it appears that this
> configuration does not work.
>
> /etc/fail2ban/filter.d/geronimo.conf
>
> --------------------------------------------------------------------------------------------------------
>
> # Fail2Ban configuration file
> #
> # Author: Yaroslav Halchenko
> #
> # $Revision: 510 $
> #
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = Exception
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
>
>
> /etc/fail2ban/jail.conf
>
> --------------------------------------------------------------------------------------------------------
>
> [geronimo]
>
> enabled  = true
> filter   = Exception
> action   = sendmail-whois[name=Pattern Detection, dest=ad...@na...]
> logpath  = /home/web/geronimo/var/log/geronimo.out
>
>
>
> -----------
> Config:
> fail2ban-0.8.2-3.el4.rf
> PHP 4.3.9 (cgi) (built: Apr 4 2007 11:50:16)
> Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
> mailx-8.1.1-37.EL4
>
>
> # fail2ban-client status
> Status
> |- Number of jail:      1
> `- Jail list:           geronimo
>
>
> # fail2ban-client status geronimo
> Status for the jail: geronimo
> |- filter
> |  |- File list:        /home/web/geronimo/var/log/geronimo.out
> |  |- Currently failed: 0
> |  `- Total failed:     0
> `- action
>    |- Currently banned: 0
>    |  `- IP list:
>    `- Total banned:     0
>
>
> TEST:
>
> --------------------------------------------------------------------------------------------------------
>
> # fail2ban-regex /home/web/geronimo/var/log/geronimo.out
> /etc/fail2ban/filter.d/geronimo.conf
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/geronimo.conf
> Use log file   : /home/web/geronimo/var/log/geronimo.out
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] Exception
> |
> `- Number of matches:
>    [1] 0 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Sorry, no match
>
> Look at the above section 'Running tests' which could contain important
> information.
>
From: Tom H. <to...@wh...> - 2010-12-01 11:12:51
Attachments:
signature.asc
Hi,

Your logs (at least your regex) do not contain IP addresses; I'm not sure how fail2ban works with this.

However, I'm pretty sure that there are better tools to do what you want. How about logcheck/logwatch?

--
Regards,
Tom

On 01/12/10 12:04, Linux Tux wrote:
> Anyone have a solution for my problem please?
>
>
> 2010/11/29 Linux Tux <lin...@gm...>
>
>     Hello world,
>
>     I installed fail2ban for monitoring geronimo logs (geronimo.out).
>     I want to use it only for that, not to secure my server.
>     So, I created the following new filter and new jail file.
>     Whenever a new term "Exception" is detected, I want fail2ban to send
>     me an alert.
>
>     Can you tell me please how I can do this, because it appears that this
>     configuration does not work.
>
>     /etc/fail2ban/filter.d/geronimo.conf
>     --------------------------------------------------------------------------------------------------------
>
>     # Fail2Ban configuration file
>     #
>     # Author: Yaroslav Halchenko
>     #
>     # $Revision: 510 $
>     #
>
>     [Definition]
>
>     # Option:  failregex
>     # Notes.:  regex to match the password failures messages in the
>     #          logfile. The host must be matched by a group named "host".
>     #          The tag "<HOST>" can be used for standard IP/hostname
>     #          matching and is only an alias for
>     #          (?:::f{4,6}:)?(?P<host>\S+)
>     # Values:  TEXT
>     #
>     failregex = Exception
>
>     # Option:  ignoreregex
>     # Notes.:  regex to ignore. If this regex matches, the line is ignored.
>     # Values:  TEXT
>     #
>     ignoreregex =
>
>
>
>     /etc/fail2ban/jail.conf
>     --------------------------------------------------------------------------------------------------------
>
>     [geronimo]
>
>     enabled  = true
>     filter   = Exception
>     action   = sendmail-whois[name=Pattern Detection, dest=ad...@na...]
>     logpath  = /home/web/geronimo/var/log/geronimo.out
>
>
>
>     -----------
>     Config:
>     fail2ban-0.8.2-3.el4.rf
>     PHP 4.3.9 (cgi) (built: Apr 4 2007 11:50:16)
>     Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
>     mailx-8.1.1-37.EL4
>
>
>     # fail2ban-client status
>     Status
>     |- Number of jail:      1
>     `- Jail list:           geronimo
>
>
>     # fail2ban-client status geronimo
>     Status for the jail: geronimo
>     |- filter
>     |  |- File list:        /home/web/geronimo/var/log/geronimo.out
>     |  |- Currently failed: 0
>     |  `- Total failed:     0
>     `- action
>        |- Currently banned: 0
>        |  `- IP list:
>        `- Total banned:     0
>
>
>     TEST:
>     --------------------------------------------------------------------------------------------------------
>
>     # fail2ban-regex /home/web/geronimo/var/log/geronimo.out
>     /etc/fail2ban/filter.d/geronimo.conf
>
>     Running tests
>     =============
>
>     Use regex file : /etc/fail2ban/filter.d/geronimo.conf
>     Use log file   : /home/web/geronimo/var/log/geronimo.out
>
>
>     Results
>     =======
>
>     Failregex
>     |- Regular expressions:
>     |  [1] Exception
>     |
>     `- Number of matches:
>        [1] 0 match(es)
>
>     Ignoreregex
>     |- Regular expressions:
>     |
>     `- Number of matches:
>
>     Summary
>     =======
>
>     Sorry, no match
>
>     Look at the above section 'Running tests' which could contain important
>     information.
>
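The point Tom raises, and the rule the filter header itself states ("the host must be matched by a group named 'host'"), can be checked without a fail2ban install. The script below is an added illustration, not code from the thread or from the fail2ban project: it expands the "<HOST>" tag with the alias quoted in the filter header, refuses a failregex that yields no "host" group (which is why a bare "Exception" pattern is of no use to a jail, whatever the log contains), and then shows a pattern that does carry <HOST> picking addresses out of a small constructed, Geronimo-style log. The log lines, the "from client <ip>" wording and the function names are all assumptions made for the example.

```python
import re

# The "<HOST>" alias exactly as documented in the filter header quoted in the
# thread: an optional IPv4-mapped-IPv6 prefix followed by a named "host" group.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample of an application log (hypothetical Geronimo-style lines,
# not data from the poster's server). Only some lines name a client address.
SAMPLE_LOG = """\
2010-11-29 14:30:01,123 INFO  [Tomcat] Server started
2010-11-29 14:31:45,456 ERROR [Servlet] java.lang.NullPointerException from client 203.0.113.7
2010-11-29 14:32:10,789 WARN  [Pool] Connection pool exhausted
2010-11-29 14:33:02,001 ERROR [Servlet] java.io.IOException from client 198.51.100.9
2010-11-29 14:34:30,555 ERROR [Deployer] Deployment failed with IllegalStateException
"""


def expand_failregex(failregex: str) -> str:
    """Replace the <HOST> tag with its documented alias before compiling."""
    return failregex.replace("<HOST>", HOST_ALIAS)


def has_host_group(failregex: str) -> bool:
    """True if the expanded regex defines the named group a jail acts on."""
    return "host" in re.compile(expand_failregex(failregex)).groupindex


def count_plain_matches(failregex: str, log_lines) -> int:
    """How often the bare pattern occurs, ignoring the host requirement.

    This is the number the poster expected fail2ban-regex to report; comparing
    it with find_failures() shows which lines a jail could actually act on.
    """
    pattern = re.compile(expand_failregex(failregex))
    return sum(1 for line in log_lines if pattern.search(line))


def find_failures(failregex: str, log_lines):
    """Return (host, line) pairs for every log line the regex matches.

    Enforces the contract from the filter header: a match with no "host" group
    has nothing to put in the jail's "IP list", so such a regex is rejected.
    """
    if not has_host_group(failregex):
        raise ValueError(
            "failregex %r has no 'host' group; a <HOST> tag is needed to "
            "identify an address" % failregex
        )
    pattern = re.compile(expand_failregex(failregex))
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), line))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bare 'Exception' occurrences:", count_plain_matches("Exception", lines))
    print("usable by a jail as written?  ", has_host_group("Exception"))
    for host, line in find_failures(r"Exception from client <HOST>$", lines):
        print("jail would act on", host, "<-", line)
```

Run it as a script to see the contrast: three lines contain the word "Exception", but only the two that end in a client address can satisfy a <HOST> pattern, and the bare pattern is rejected outright. For the alert-only use the poster describes, where no address is involved, that contrast is exactly why a log-scanning tool such as logcheck or logwatch fits better than a ban-oriented jail.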