From: Jose D. G. M. <dam...@gm...> - 2011-03-31 20:43:03
Hi everybody

this is my first participation in fail2ban-list
I'm trying to implement a rule for squid logs, because I need to ban tools like
jmeter or other related software
the idea is to prevent the overload of the system through these tools.
is this possible first of all?
I found something similar but for apache (apache-w00tw00t.conf is the name) but
it doesn't work for squid logs
I was reading the log for squid and I understand the format, but don't know
how to create the rule :(
can anybody help me on this?
thanks a lot

--
José Damián Garrido
Web programmer, cyber-human
From: Tom H. <to...@wh...> - 2011-03-31 20:54:39
On 31/03/11 22:42, Jose Damian Garrido Muñoz wrote:
> Hi everybody
>
> this is my first participation in fail2ban-list
> I'm trying to implement a rule for squid logs, because I need to ban tools like
> jmeter or other related software
> the idea is to prevent the overload of the system through these tools.
> is this possible first of all?
> I found something similar but for apache (apache-w00tw00t.conf is the name) but
> it doesn't work for squid logs
> I was reading the log for squid and I understand the format, but don't know
> how to create the rule :(
> can anybody help me on this?
> thanks a lot
>

Hi,

Please post a squid log snippet and tell us which lines you want
fail2ban to detect. There are numerous people on this list that can
help you write the required regex, but you'll need to provide us some
sample data.

--
Regards,
Tom
From: Jose D. G. M. <dam...@gm...> - 2011-03-31 21:35:23
On Thu, Mar 31, 2011 at 5:54 PM, Tom Hendrikx <to...@wh...> wrote:
>
> On 31/03/11 22:42, Jose Damian Garrido Muñoz wrote:
> > Hi everybody
> >
> > this is my first participation in fail2ban-list
> > I'm trying to implement a rule for squid logs, because I need to ban tools like
> > jmeter or other related software
> > the idea is to prevent the overload of the system through these tools.
> > is this possible first of all?
> > I found something similar but for apache (apache-w00tw00t.conf is the name) but
> > it doesn't work for squid logs
> > I was reading the log for squid and I understand the format, but don't know
> > how to create the rule :(
> > can anybody help me on this?
> > thanks a lot
> >
>
> Hi,
>
> Please post a squid log snippet and tell us which lines you want
> fail2ban to detect. There are numerous people on this list that can
> help you write the required regex, but you'll need to provide us some
> sample data.
>
> --

Tom, thanks for your quick response :)

The logs look like http://pastebin.com/AEASgGNK
If you need more information I can send it quickly :)

--
José Damián Garrido
Web programmer, cyber-human
From: Tom H. <to...@wh...> - 2011-03-31 22:28:14
On 31/03/11 23:35, Jose Damian Garrido Muñoz wrote:
> On Thu, Mar 31, 2011 at 5:54 PM, Tom Hendrikx <to...@wh...> wrote:
>>
>> On 31/03/11 22:42, Jose Damian Garrido Muñoz wrote:
>>> Hi everybody
>>>
>>> this is my first participation in fail2ban-list
>>> I'm trying to implement a rule for squid logs, because I need to ban tools like
>>> jmeter or other related software
>>> the idea is to prevent the overload of the system through these tools.
>>> is this possible first of all?
>>> I found something similar but for apache (apache-w00tw00t.conf is the name) but
>>> it doesn't work for squid logs
>>> I was reading the log for squid and I understand the format, but don't know
>>> how to create the rule :(
>>> can anybody help me on this?
>>> thanks a lot
>>>
>>
>> Hi,
>>
>> Please post a squid log snippet and tell us which lines you want
>> fail2ban to detect. There are numerous people on this list that can
>> help you write the required regex, but you'll need to provide us some
>> sample data.
>>
>> --
>
> Tom, thanks for your quick response :)
>
> The logs look like http://pastebin.com/AEASgGNK
> If you need more information I can send it quickly :)
>

I'm no squid expert so you might need to explain more. All lines in your
paste are about the same IP. Do you just want to block an IP that opens
many connections? If I quickly read up on jmeter it seems that this is
what you want.

Anyway, this config should account for any TCP or UDP request to squid:
------8<------
[Definition]
# Regex to count each TCP or UDP request to squid
failregex = .* <HOST> (TCP|UDP)_
------8<------

And define a jail in jail.conf with appropriate limits:
------8<------
# ban when more than 500 requests in 10 seconds
findtime=10
maxretry=500
------8<------

--
Regards,
Tom
From: Jose D. G. M. <dam...@gm...> - 2011-03-31 22:46:02
>>> On 31/03/11 22:42, Jose Damian Garrido Muñoz wrote:
>>>> Hi everybody
>>>>
>>>> this is my first participation in fail2ban-list
>>>> I'm trying to implement a rule for squid logs, because I need to ban tools like
>>>> jmeter or other related software
>>>> the idea is to prevent the overload of the system through these tools.
>>>> is this possible first of all?
>>>> I found something similar but for apache (apache-w00tw00t.conf is the name) but
>>>> it doesn't work for squid logs
>>>> I was reading the log for squid and I understand the format, but don't know
>>>> how to create the rule :(
>>>> can anybody help me on this?
>>>> thanks a lot
>>>>
>>>
>>> Hi,
>>>
>>> Please post a squid log snippet and tell us which lines you want
>>> fail2ban to detect. There are numerous people on this list that can
>>> help you write the required regex, but you'll need to provide us some
>>> sample data.
>>>
>>> --
>>
>> Tom, thanks for your quick response :)
>>
>> The logs look like http://pastebin.com/AEASgGNK
>> If you need more information I can send it quickly :)
>>
>
> I'm no squid expert so you might need to explain more. All lines in your
> paste are about the same IP. Do you just want to block an IP that opens
> many connections? If I quickly read up on jmeter it seems that this is
> what you want.
>
> Anyway, this config should account for any TCP or UDP request to squid:
> ------8<------
> [Definition]
> # Regex to count each TCP or UDP request to squid
> failregex = .* <HOST> (TCP|UDP)_
> ------8<------
>
> And define a jail in jail.conf with appropriate limits:
> ------8<------
> # ban when more than 500 requests in 10 seconds
> findtime=10
> maxretry=500
> ------8<------
>
> --

Thanks Tom.

Yes, all the lines I sent belong to my IP, and a little explanation about the lines is:

1301610977.745 67 201.214.34.48 TCP_MISS/200 35757 GET http://ventana.uae.cl/templates/sitiov3/js/jquery.validate.js? - FIRST_UP_PARENT/Ventana application/x-javascript

date in perl(?) format: 1301610196.500
(?) not clear: 13
the host that accessed: 192.168.10.139
squid result code: TCP_MISS/200
file number (?): 35757
method: GET
the URL requested: http://ventana.uae.cl/templates/sitiov3/js/jquery.validate.js?
-
Hierarchy Codes: FIRST_UP_PARENT/Ventana
the mime-type: application/x-javascript

and that's all. I'm going to apply your recommendations and tell you how it goes.

Thanks a lot :)

--
José Damián Garrido
Web programmer, cyber-human
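As an added illustration, not code from the thread or from fail2ban itself: a small Python model that applies Tom's failregex and jail limits to lines in the native squid access.log format Jose walks through above. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` expansion, a loose imitation of the findtime/maxretry counting, and sample lines constructed from Jose's example.

```python
import re
from collections import defaultdict, deque
# Stand-in for fail2ban's <HOST> expansion (IPv4 only here; the real one also
# accepts hostnames), spliced into Tom's failregex from the thread.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r".* " + HOST + r" (TCP|UDP)_")

# Field order of a native-format squid access.log line, as walked through above.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "mimetype")

def parse_squid_line(line):
    # Returns a dict keyed by FIELDS, or None if the line is malformed.
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = float(rec["timestamp"])  # epoch seconds with ms fraction
    return rec

class RequestFloodJail:
    # Simplified fail2ban counting: ban once maxretry matches fall within findtime seconds.
    def __init__(self, findtime=10, maxretry=500):  # Tom's suggested jail limits
        self.findtime, self.maxretry = findtime, maxretry
        self.hits = defaultdict(deque)  # host -> timestamps of recent matches
        self.banned = set()

    def feed(self, line):
        # Returns the host if this line triggers a ban, otherwise None.
        m, rec = FAILREGEX.match(line), parse_squid_line(line)
        if m is None or rec is None:
            return None
        host, now = m.group("host"), rec["timestamp"]
        window = self.hits[host]
        window.append(now)
        while now - window[0] > self.findtime:  # expire matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry and host not in self.banned:
            self.banned.add(host)
            return host
        return None

def bans_for(lines, findtime=10, maxretry=500):
    # Feeds lines in log order and returns the hosts banned, in ban order.
    jail = RequestFloodJail(findtime, maxretry)
    return [h for h in map(jail.feed, lines) if h is not None]
# Constructed sample: Jose's line repeated with made-up timestamps 0.5 s apart.
LINE = ("%.3f 67 201.214.34.48 TCP_MISS/200 35757 GET http://ventana.uae.cl/"
        "templates/sitiov3/js/jquery.validate.js? - FIRST_UP_PARENT/Ventana application/x-javascript")
SAMPLE = [LINE % (1301610977.0 + i * 0.5) for i in range(6)]
```

With Tom's defaults the six sample lines trigger nothing; lowering maxretry to 5 bans the client on the fifth line, while a findtime of 1 second never accumulates enough matches because older ones expire.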