From: Rarig, H. <hr...@so...> - 2006-03-16 22:57:54
Yaroslav,

Yeah, the thought crossed my mind that maybe I ought to do a little more than just "cat" the fail2ban.log file...;-). I certainly would enjoy doing this sometime in the future, but right now my stack is overflowing big time with too many other commitments!

On the other hand, my experience has been that very few robots are attacking my site via FTP, and when they do the "magic" in vsftpd seems to do a good job regulating the frequency of the attempts. However, once they get past this, the 25 authentications per second dictionary attacks that were plaguing me in the past have completely ceased now that fail2ban is guarding the entrance to the castle! (Nice work guys!)

As far as SSH goes, I am using the iptables "recent" option to manage that (see http://olivier.sessink.nl/publications/blacklisting/index.html [Note: replace "extern_in" with "INPUT" and "extern-out" with "OUTPUT"]). Using this, the banned IPs show up automatically in the logwatch default ssh and kernel reports.

Would be interested in hearing some anecdotal reports from the field about how many entries other subscribers to this mailing list are seeing in their fail2ban.log files...??

Are entries in your fail2ban.log file on the order of 1 or 2, dozens, hundreds, or more?

Cheers!
Harry

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Yaroslav Halchenko
Sent: Thursday, March 16, 2006 4:54 PM
To: fai...@li...
Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report

Dear Harry,

Thank you for logwatch scripts -- I was looking toward composing ones myself but never got to them ;-)

Wouldn't you like to see a summary like

    VSFTPD: 12 IPs banned [list of IPs may be]
    SSH: 3 IPs banned [...]

Another possibility would be to include for each IP on how many times it was banned, which would signal that bantime might be too low if you have multiple hits for the same IP.

If you have any spare moment, since you mastered logwatch already, would you mind writing a script to provide such statistics?

Otherwise you just might get a lengthy list of WARNINGs and I really think that statistics would be a better presentation of relevant information.

--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch                  // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko             /( )\               ICQ#: 60653192
Linux User                     ^^-^^                      [175555]
From: Rarig, H. <hr...@so...> - 2006-03-17 12:33:19
Nils,

Can you install and test the four logwatch files in the tarball I sent and see how good/bad it looks on one of your servers?

tnx,
Harry

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Nils Breunese (Lemonbit Internet)
Sent: Thursday, March 16, 2006 8:08 PM
To: fai...@li...
Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report

Harry Rarig wrote:

> Would be interested in hearing some anecdotal reports from the field about how many entries other subscribers to this mailing list are seeing in their fail2ban.log files...??
>
> Are entries in your fail2ban.log file on the order of 1 or 2, dozens, hundreds, or more?

I just checked two of my servers and both have hundreds of entries. Both are hosting multiple domains and are directly facing the internet. I guess my other servers have a similar number of entries in their logs.

Nils.
From: Nils B. (L. Internet) <ni...@le...> - 2006-03-17 14:08:47
Harry Rarig wrote:

> Nils,
>
> Can you install and test the four logwatch files in the tarball I sent and see how good/bad it looks on one of your servers?

I'll see if I can test this in the weekend. Actually I thought everybody would have hundreds of entries in their fail2ban.log files, but apparently not?

Nils.
From: Cyril J. <cyr...@bl...> - 2006-03-17 15:25:56
Hi,

> I'll see if I can test this in the weekend. Actually I thought everybody would have hundreds of entries in their fail2ban.log files, but apparently not?

I've got around 2-4 banned hosts per day. Sometimes more, sometimes less. This is for ssh service only.

Regards,
Cyril Jaquier
From: Nils B. (L. Internet) <ni...@le...> - 2006-03-17 15:47:44
Cyril Jaquier wrote:

>> I'll see if I can test this in the weekend. Actually I thought everybody would have hundreds of entries in their fail2ban.log files, but apparently not?
>
> I've got around 2-4 banned hosts per day. Sometimes more, sometimes less. This is for ssh service only.

I'm also using it only for ssh.

Nils Breunese.
From: Rarig, H. <hr...@so...> - 2006-03-17 17:54:25
Interesting....

My website is a small one that I run for our Church. Not well known or advertised, the community of interest tends to be small and localized. Consequently, the pattern I see in my logfiles is that of "robots" running through dictionary attacks on SSH and FTP. Only a few attacks a day.

In your case, maybe you have a larger community of interest, a popular server with many subscribers. Perhaps your website appears on more of the lists used by the robots for attacks. In addition, maybe some of your own subscribers are forgetting their correct usernames and passwords.

Harry
From: Nils B. (L. Internet) <ni...@le...> - 2006-03-17 18:33:07
Harry Rarig wrote:

> Interesting....
>
> My website is a small one that I run for our Church. Not well known or advertised, the community of interest tends to be small and localized. Consequently, the pattern I see in my logfiles is that of "robots" running through dictionary attacks on SSH and FTP. Only a few attacks a day.
>
> In your case, maybe you have larger community of interest, a popular server with many subscribers. Perhaps your website appears on more of the lists used by the robots for attacks. In addition, maybe some of your own subscribers are forgetting their correct usernames and passwords.

Our servers are shared hosting servers, hosting around 50 domains each. None of my clients have shell access via SSH, only my company has access to these servers.

Nils.
From: Rarig, H. <hr...@so...> - 2006-03-17 20:58:55
I guess if my one domain gets an average of one to three "robotic" attacks a day, then it would probably make sense that 50 domains hosted on one server could expect to see 50 to 150 attacks a day.

Sounds like we have come up with a good Internet Security "rule of thumb"! (I just love tidy little formulas!)

Harry
From: Rarig, H. <hr...@so...> - 2006-03-22 12:37:48
Yikes! I loaded up the four logwatch files you sent me and this is what happened.

    [root@birch logwatch]# logwatch --range Today --print --service fail2ban
    "dates" is not defined in %Logwatch::EXPORT_TAGS at /etc/log.d/scripts/shared/applyeurodate line 18
        main::BEGIN() called at /usr/lib/perl5/5.8.5/Carp.pm line 18
        eval {...} called at /usr/lib/perl5/5.8.5/Carp.pm line 18
    Can't continue after import errors at /etc/log.d/scripts/shared/applyeurodate line 18
    BEGIN failed--compilation aborted at /etc/log.d/scripts/shared/applyeurodate line 18.
    [root@birch logwatch]#

I am running Fedora Core 3 using logwatch-5.2.2-1.FC3.3.

Based on the tar files you sent me, it appears you are running Fedora Core 4?

Harry

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Yaroslav Halchenko
Sent: Saturday, March 18, 2006 1:30 AM
To: fai...@li...
Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report

Dear Rarig, Harry,

Thanks once again for triggering logwatch move ;-)

Here is my version based on yours (see attached). The differences are:

1. rewritten applyeurodate to be in concordance with other apply*date and use logwatch time filter regex creation facility (to facilitate such definitions like "between X and Y")

2. generates a summary of banned ips including the numbers (in the detailed view) after how many attempts each time it was banned...

so on my laptop it looked like:

    --------------------- fail2ban-messages Begin ------------------------

    Banned services with Fail2Ban:
      SSH:
        165.230.95.72 (tractatus.rutgers.edu): 5 failures

    ---------------------- fail2ban-messages End -------------------------

and on my mailbox server for yesterday it looks like

    --------------------- fail2ban-messages Begin ------------------------

    Banned services with Fail2Ban:
      ApacheAttacks:
        66.34.225.186: 2 failures
      SSH:
        202.63.117.71 (yantra.uceou.edu): 5 7 failures

    ---------------------- fail2ban-messages End -------------------------

sorry for no comma in the list of number of failures.

sideeffect: different installation path for the config scripts -- I just decided to mess with system wide config so it makes it easier to provide to be included in logwatch. Also it was tested only on logwatch 7.1-2

Please let me know what you think before I submit a request to logwatch maintainer (in debian) or upstream to have those rules included to be used by everyone else

NOTE: I didn't test it thoroughly yet -- thus more sideeffects possible... I am installing it on a few nodes to see how it will behave ;-)

--
Yaroslav Halchenko
From: Benjamin D. <ben...@py...> - 2006-03-22 19:48:26
Rarig, Harry wrote:

> I loaded up the four logwatch files you sent me and this is what happened.

I'd quite like a copy too if I may!

Take care,
Ben
From: Rarig, H. <hr...@so...> - 2006-03-22 19:56:16
Attachments:
fail2ban-log-new.tgz
Here they are guyz...knock yerselves out! ;-)

If you are running Fedora Core 3, you can untar these directly from "/" into the correct logwatch directory locations.

Cheers!
Harry
From: Benjamin D. <ben...@py...> - 2006-03-22 20:36:54
Rarig, Harry wrote:

> Here they are guyz...knock yerselves out! ;-)
> If you are running Fedora Core 3, you can untar these directly from "/" into the correct logwatch directory locations.

Many thanks!

I'm using the cAos distro with Logwatch 7.1 and the files needed to be installed under /etc/logwatch. Unfortunately, it keeps failing with an error about a file even though it exists:

    # /usr/sbin/logwatch --print --service fail2ban
    *** Error: There is no logfile defined. Do you have a /etc/logwatch/conf/logfiles/fail2ban.conf file ?
    # ls /etc/logwatch/conf/logfiles/fail2ban.conf
    /etc/logwatch/conf/logfiles/fail2ban.conf

I should be catching up on work at the moment, so I'll look into it later.

Take care,
Ben
From: Rarig, H. <hr...@so...> - 2006-03-22 20:42:36
Ben,

Try

    logwatch --debug Med --print --service fail2ban

or

    logwatch --debug High --print --service fail2ban

and see if that helps identify the root cause of your problem.

Cheers!
From: Yaroslav H. <li...@on...> - 2006-03-22 22:28:09
I am sorry everyone for being silent -- didn't mention that there is such an active discussion :-)

I am running Debian unstable (why anything else if there is Debian? :-))) with logwatch 7.1-2

I observed the weird logwatch behavior, as Ben reported, that even though the file is present under /etc/logwatch/conf/logfiles/fail2ban.conf logwatch says that it is not there... since at the moment I was anxious to make a rule for logwatch, not to fix logwatch problems, I just installed fail2ban scripts system-wide.

so there seems to be a problem with 7.1 logwatch and location of the files -- I believe they have been changing files location recently, which probably led to the bug discovered by both of us

--
Yaroslav Halchenko
From: Benjamin D. <ben...@py...> - 2006-03-22 23:06:19
Yaroslav Halchenko wrote:

> I observed the weird logwatch behavior, as Ben reported, that even though file is present under /etc/logwatch/conf/logfiles/fail2ban.conf logwatch says that it is not there... since at the moment I was anxious to make a rule for logwatch, not to fix logwatch problems, I just installed fail2ban scripts system-wide.

Ah-ha! I've not installed them system wide and it seems much happier now! :-)

    # /usr/sbin/logwatch --print --service fail2ban --range all

     ################### LogWatch 7.1 (11/12/05) ####################
            Processing Initiated: Wed Mar 22 23:03:01 2006
            Date Range Processed: all
          Detail Level of Output: 5
                  Type of Output: unformatted
               Logfiles for Host: kevin.pythagoras.no-ip.org
     ##################################################################

     --------------------- fail2ban-messages Begin ------------------------

     Banned services with Fail2Ban:
       Apache:
         87.74.28.38 (host-87-74-28-38.bulldogdsl.com)
       SSH:
         87.74.28.38 (host-87-74-28-38.bulldogdsl.com)

     ---------------------- fail2ban-messages End -------------------------

     ###################### LogWatch End #########################

Many thanks! :-)

Ben
From: Benjamin D. <ben...@py...> - 2006-03-22 23:23:16
Benjamin Donnachie wrote:

> ################### LogWatch 7.1 (11/12/05) ####################
> Processing Initiated: Wed Mar 22 23:03:01 2006
> Date Range Processed: all
> Detail Level of Output: 5
> Type of Output: unformatted
> Logfiles for Host: kevin.pythagoras.no-ip.org
> ##################################################################
>
> --------------------- fail2ban-messages Begin ------------------------
>
> Banned services with Fail2Ban:
>   Apache:
>     87.74.28.38 (host-87-74-28-38.bulldogdsl.com)
>   SSH:
>     87.74.28.38 (host-87-74-28-38.bulldogdsl.com)
>
> ---------------------- fail2ban-messages End -------------------------

Ah... I just realised that these entries are from several days ago and I can't persuade it to display anything more recent... I'm going to give up for tonight as I should have crashed into bed ages ago...

Nighty night! :-)

Ben
From: Yaroslav H. <li...@on...> - 2006-03-24 04:08:50
Attachments:
fail2ban.logwatch.v3.tgz
Hi All,

Here is a brand new version... This one should fit everyone in terms of functionality I hope

I fixed a bug and added a bit more information to the report. Also previous version was monitoring "INFO:" (verbose>0) level not "WARN:" (no verbose)

Here is a sample output (detail level 6 I believe)

    --------------------- fail2ban-messages Begin ------------------------

    Banned services with Fail2Ban:
      SSH:
        210.103.124.7 1 ban(s) 1 unban(s): 5 failures
        210.14.28.59 1 ban(s) 1 unban(s): 5 failures

    ---------------------- fail2ban-messages End -------------------------

and here is for this month on my desktop with default detail level (which is 5 I believe)... The list of Unmatched entries is quite long but I think it should be this way -- I cut it after a few lines to not abuse the mailing list ;-)

     ################### LogWatch 7.1 (11/12/05) ####################
            Processing Initiated: Thu Mar 23 23:05:29 2006
            Date Range Processed: between 03/01/2006 and today
                                  ( 2006-Mar-01 / 2006-Mar-23 )
                                  Period is day.
          Detail Level of Output: 5
                  Type of Output: unformatted
               Logfiles for Host: washoe
     ##################################################################

     --------------------- fail2ban-messages Begin ------------------------

     Banned services with Fail2Ban:
       ApacheAttacks:
         61.220.191.21 (61-220-191-21.HINET-IP.hinet.net) 2 ban(s) 2 unban(s)
         66.34.225.186 2 ban(s) 2 unban(s)
       SSH:
         68.85.110.185 (c-68-85-110-185.hsd1.de.comcast.net) 1 ban(s) 1 unban(s)
         59.120.70.210 (59-120-70-210.HINET-IP.hinet.net) 1 ban(s) 1 unban(s)
         66.34.52.10 1 ban(s) 1 unban(s)
         217.11.107.130 (fw-2.saimanet.net) 1 ban(s) 1 unban(s)
         202.63.117.71 (yantra.uceou.edu) 2 ban(s) 2 unban(s)
         201.224.172.195 2 ban(s) 2 unban(s)
         139.142.43.29 (raq.yourlink.ca) 2 ban(s) 2 unban(s)
         210.22.12.56 (sunym.gdsz.cncnet.net) 2 ban(s) 2 unban(s)
         203.86.41.223 2 ban(s) 2 unban(s)
         125.240.172.5 2 ban(s) 2 unban(s)
         165.230.95.67 (washoe.rutgers.edu) 2 ban(s) 2 unban(s)
         60.248.185.43 (60-248-185-43.HINET-IP.hinet.net) 2 ban(s) 2 unban(s)
         218.146.254.184 6 ban(s) 6 unban(s)
         83.14.0.230 (dwa230.internetdsl.tpnet.pl) 2 ban(s) 2 unban(s)

     **Unmatched Entries**
        2006-03-03 14:54:25,215 ERROR: SSH: 83.14.0.230 already in ban list
        2006-03-04 04:43:10,360 ERROR: SSH: 218.146.254.184 already in ban list
        2006-03-05 07:46:04,013 WARNING: is not a valid IP address
        2006-03-06 14:53:55,477 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
        2006-03-06 14:53:55,524 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
        ........

--
Yaroslav Halchenko
From: Yaroslav H. <li...@on...> - 2006-03-22 22:38:32
From the first look at logwatch code: the only place where it seems to load conf files from /etc/logwatch (on debian at least) is here:

    # Find out what logfiles are defined...
    opendir(LOGFILEDIR, $BaseDir . "/default.conf/logfiles") or die $BaseDir . "/default.conf/logfiles/, no such directory.\n";
    while (defined($ThisFile = readdir(LOGFILEDIR))) {
       unless (-d $BaseDir . "/default.conf/logfiles/" . $ThisFile) {
          my $ThisLogFile = $ThisFile;
          if ($ThisLogFile =~ s/\.conf$//i) {
             push @AllLogFiles, $ThisLogFile;
             @ReadConfigNames = ();
             @ReadConfigValues = ();
             @Separators = ();
             push (@Separators, scalar(@ReadConfigNames));
             ReadConfigFile("$BaseDir/default.conf/logfiles/" . $ThisFile, "");
             push (@Separators, scalar(@ReadConfigNames));
             ReadConfigFile("$BaseDir/dist.conf/logfiles/" . $ThisFile, "");
             push (@Separators, scalar(@ReadConfigNames));
             ReadConfigFile("$ConfigDir/conf/logfiles/" . $ThisFile, "");
             push (@Separators, scalar(@ReadConfigNames));
             ReadConfigFile("$ConfigDir/conf/override.conf", "logfiles/$ThisLogFile");
    ....

So, if there is no fail2ban.conf under $BaseDir . "/default.conf/logfiles/", then it never gets read from /etc/logwatch seems to me... yikes...

--
Yaroslav Halchenko
From: Rarig, H. <hr...@so...> - 2006-03-24 14:31:48
Yaroslav,

I installed the four logwatch files you sent and created a single vsftpd ban failure as shown in the logfile below.

    fail2ban: version 0.6.1
    logwatch: version 7.2.1-2

Unfortunately, the filter is not matching the VSFTPD log entries. Also, the filter you wrote does not work with the stock logwatch distribution that comes with Fedora Core 3 (5.2.2-1.FC3.3), you need to update to the latest version (7.2.1).

Let me know when you get a fix for this, will be happy to test it out for you ;-)

Cheers!
Harry

===>> Here is the logwatch report for fail2ban

    [root@birch /]# logwatch --range today --print --service fail2ban

     ################### Logwatch 7.2.1 (01/18/06) ####################
            Processing Initiated: Fri Mar 24 08:46:16 2006
            Date Range Processed: today ( 2006-Mar-24 ) Period is day.
          Detail Level of Output: 0
                  Type of Output: unformatted
               Logfiles for Host: foobar.com
     ##################################################################

     --------------------- fail2ban-messages Begin ------------------------

     **Unmatched Entries**
        2006-03-24 07:19:43,609 WARNING: is not a valid IP address
        2006-03-24 07:22:03,546 WARNING: is not a valid IP address

     ---------------------- fail2ban-messages End -------------------------

     ###################### Logwatch End #########################

===>> Here is the input file to logwatch. Note the VSFTPD entries that are not being matched.

    [root@birch /]# tail /var/log/fail2ban.log
    2006-03-24 06:58:38,154 WARNING: Restoring firewall rules...
    2006-03-24 07:00:15,450 WARNING: Restoring firewall rules...
    2006-03-24 07:02:15,033 WARNING: Restoring firewall rules...
    2006-03-24 07:02:27,387 WARNING: Restoring firewall rules...
    2006-03-24 07:19:43,609 WARNING: is not a valid IP address
    2006-03-24 07:21:56,681 WARNING: Restoring firewall rules...
    2006-03-24 07:22:03,546 WARNING: is not a valid IP address
    2006-03-24 07:23:34,844 WARNING: Restoring firewall rules...
    2006-03-24 07:25:55,284 WARNING: VSFTPD: Ban (600 s) 72.9.234.170
    2006-03-24 07:35:56,274 WARNING: VSFTPD: Unban 72.9.234.170
    [root@birch /]#
From: Yaroslav H. <li...@on...> - 2006-03-24 15:56:48
Attachments:
fail2ban.logwatch.v4.tgz
Hi Rarig,

Thank you for testing -- damn me, again a side-effect of coding at night -- a bug .... uff -- I was still basing my output on caught "INFO" entries... now it MUST work! ;-) also I've added (all) entry, which is just a sum of ban/unbans across all entries.

Example with your logs:

Banned services with Fail2Ban:
  SSH:
    210.103.124.7 1 ban(s) 1 unban(s): 5 failures
    210.14.28.59 1 ban(s) 1 unban(s): 5 failures
    165.230.95.72 4 ban(s) 4 unban(s): 5 5 5 5 failures
    (all) 6 ban(s) 6 unban(s)
  VSFTPD:
    (all) 1 ban(s) 1 unban(s)
    72.9.234.170 1 ban(s) 1 unban(s)

Example with many logs:

Banned services with Fail2Ban:
  SSH:
    213.76.149.226 1 ban(s) 1 unban(s)
    66.34.52.10 1 ban(s) 1 unban(s)
    217.11.107.130 (fw-2.saimanet.net) 1 ban(s) 1 unban(s)
    202.63.117.71 (yantra.uceou.edu) 2 ban(s) 2 unban(s)
    201.224.172.195 2 ban(s) 2 unban(s)
    24.218.152.41 (c-24-218-152-41.hsd1.ma.comcast.net) 2 ban(s) 2 unban(s)
    210.22.12.56 (sunym.gdsz.cncnet.net) 2 ban(s) 2 unban(s)
    203.86.41.223 2 ban(s) 2 unban(s)
    125.240.172.5 2 ban(s) 2 unban(s)
    165.230.95.72 (tractatus.rutgers.edu) 4 ban(s) 4 unban(s)
    217.199.176.86 (fw.ns.aswood.net) 2 ban(s) 2 unban(s)
    83.239.15.116 2 ban(s) 2 unban(s)
    218.146.254.184 2 ban(s) 2 unban(s)
    (all) 25 ban(s) 25 unban(s)

I hope this works fine -- please provide feedback
From: Benjamin D. <ben...@py...> - 2006-03-25 00:01:11
Yaroslav Halchenko wrote:
> Thank you for testing -- damn me, again a side-effect of coding at night
> -- a bug .... uff -- I was still basing my output on caught "INFO"
> entries... now it MUST work! ;-) also I've added (all) entry, which is
> just a sum of ban/unbans across all entries.

Works perfectly - see below. Many thanks! :-)

Ben

# /usr/sbin/logwatch --service fail2ban --range all --print

################### LogWatch 7.1 (11/12/05) ####################
Processing Initiated: Fri Mar 24 22:31:12 2006
Date Range Processed: all
Detail Level of Output: 5
Type of Output: unformatted
Logfiles for Host: kevin.pythagoras.no-ip.org
##################################################################

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:
  Apache:
    (all) 2 ban(s) 2 unban(s)
    87.74.28.38 (host-87-74-28-38.bulldogdsl.com) 2 ban(s) 2 unban(s)
  IMAP:
    (all) 2 ban(s) 2 unban(s)
    87.74.28.38 (host-87-74-28-38.bulldogdsl.com) 2 ban(s) 2 unban(s)
  IMAPPOP:
    (all) 4 ban(s) 4 unban(s)
    87.74.28.38 (host-87-74-28-38.bulldogdsl.com) 4 ban(s) 4 unban(s)
  SMTP:
    (all) 6 ban(s) 6 unban(s)
    202.63.163.82 (202-63-163-82.exatt.net) 3 ban(s) 3 unban(s)
    24.151.58.194 (24-151-58-194.dhcp.nwtn.ct.charter.com) 1 ban(s) 1 unban(s)
    87.74.28.38 (host-87-74-28-38.bulldogdsl.com) 1 ban(s) 1 unban(s)
    196.1.176.165 (196-1-176-165.nitelnet.com) 1 ban(s) 1 unban(s)

---------------------- fail2ban-messages End -------------------------
From: Rarig, H. <hr...@so...> - 2006-03-24 18:46:35
Yaroslav,

Loaded up the tarball on my small server and got the logwatch output from the fail2ban.log input file given below.

Definitely moving in the right direction!

Just a few comments based on these results:

1) The summary line "(all)" should be "(all) 1 ban(s) 1 unban(s)"

2) The "(all)" summary line should *always* appear as the first line, not sometimes first, and sometimes last

3) My personal preference is a summary line like this: "Totals: 1 ban(s) 1 unban(s)" or "All: 1 ban(s) 1 unban(s)"; it just looks a little cleaner to me than "(all) 1 ban(s) 1 unban(s)" ;-)

4) Nice job, now get some sleep my friend, you need it!

Harry

[root@birch /]# logwatch --range today --print --service fail2ban

################### Logwatch 7.2.1 (01/18/06) ####################
Processing Initiated: Fri Mar 24 13:28:16 2006
Date Range Processed: today ( 2006-Mar-24 ) Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: birch.wp.comcast.net
##################################################################

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:
  VSFTPD:
    (all)
    72.9.234.170 (star.dnsprotect.com)

**Unmatched Entries**
2006-03-24 07:19:43,609 WARNING: is not a valid IP address
2006-03-24 07:22:03,546 WARNING: is not a valid IP address

---------------------- fail2ban-messages End -------------------------

###################### Logwatch End #########################

[root@birch /]# tail /var/log/fail2ban.log
2006-03-24 06:58:38,154 WARNING: Restoring firewall rules...
2006-03-24 07:00:15,450 WARNING: Restoring firewall rules...
2006-03-24 07:02:15,033 WARNING: Restoring firewall rules...
2006-03-24 07:02:27,387 WARNING: Restoring firewall rules...
2006-03-24 07:19:43,609 WARNING: is not a valid IP address
2006-03-24 07:21:56,681 WARNING: Restoring firewall rules...
2006-03-24 07:22:03,546 WARNING: is not a valid IP address
2006-03-24 07:23:34,844 WARNING: Restoring firewall rules...
2006-03-24 07:25:55,284 WARNING: VSFTPD: Ban (600 s) 72.9.234.170
2006-03-24 07:35:56,274 WARNING: VSFTPD: Unban 72.9.234.170
[root@birch /]#
From: Yaroslav H. <li...@on...> - 2006-03-25 00:49:06
On Fri, 24 Mar 2006, Rarig, Harry wrote:
> Yaroslav,
> Loaded up the tarball on my small server and got the logwatch output from the fail2ban.log input file given below.
> Definitely moving in the right direction!
> Just a few comments based on these results:

> 1) The summary line "(all)" should be "(all) 1 ban(s) 1 unban(s)"

you have Detail Level of Output: 0
please make it 5

but indeed I should probably not print individual ips + ban/unban with such low level of details - but only print out a summary...

> 2) The "(all)" summary line should *always* appear as the first line, not sometimes first, and sometimes last

yeah - I thought that sorting would take care of it...

> 3) My personal preference is a summary line like this: "Totals: 1 ban(s) 1 unban(s)" or "All: 1 ban(s) 1 unban(s)"; it just looks a little cleaner to me than "(all) 1 ban(s) 1 unban(s)" ;-)

it will be
VSFTPD: X ban(s) Y unban(s)
then reports per IP if detail >=5
and no "all" at all -- that would resolve 1-3 ;-)

> 4) Nice job, now get some sleep my friend, you need it!

thanks ;) it is just 8pm here ;-) I will work on this thing after I put my baby and wife to sleep ;-)

> Harry
From: Yaroslav H. <li...@on...> - 2006-03-25 05:08:48
Attachments:
fail2ban.logwatch.v5.tgz
Please see fresh version attached. Hopefully this time it will satisfy everyone's needs ;-)

Sample outputs:

Verbose (Detail >=10):

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:
  Bans:Unbans
  SSH: [ 6:6 ]
    210.103.124.7 1:1 Failed 5 times
    210.14.28.59 1:1 Failed 5 times
    165.230.95.72 (tractatus.rutgers.edu) 4:4 Failed 5 5 5 5 times
  VSFTPD: [ 1:1 ]
    72.9.234.170 (star.dnsprotect.com) 1:1

**Unmatched Entries**
2006-03-05 18:13:24,365 WARNING: is not a valid IP address
2006-03-12 07:50:09,404 WARNING: is not a valid IP address

Regular (Detail==5):

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:
  Bans:Unbans
  SSH: [ 6:6 ]
    210.103.124.7 1:1
    210.14.28.59 1:1
    165.230.95.72 (tractatus.rutgers.edu) 4:4
  VSFTPD: [ 1:1 ]
    72.9.234.170 (star.dnsprotect.com) 1:1

**Unmatched Entries**
2006-03-05 18:13:24,365 WARNING: is not a valid IP address
2006-03-12 07:50:09,404 WARNING: is not a valid IP address

Minimal verbosity (Detail == 0):

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:
  Bans:Unbans
  SSH: [ 6:6 ]
  VSFTPD: [ 1:1 ]

---------------------- fail2ban-messages End -------------------------

Please mention that I excluded Unmatched Entries for Detail=0

I believe I didn't change anything in the logic so if previous one worked for you, this one should work as well.

Enjoy
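The Bans:Unbans report above, with per-IP lines gated on the logwatch detail level, as an added Python example that is not Yaroslav's Perl logwatch script from the attachment. It parses the fail2ban 0.6 log lines quoted in this thread from a constructed sample (documentation-range addresses, not the hosts in the reports), treats "Restoring firewall rules" and "is not a valid IP address" as unmatched the way logwatch does, and additionally counts the "already in ban list" errors that the earlier report left unmatched, since an IP banned repeatedly within one report period suggests bantime is too short for that offender.

```python
import re
from collections import defaultdict

# Constructed sample in the fail2ban 0.6.x log format quoted in this thread (RFC 5737 addresses).
SAMPLE_LOG = """\
2006-03-24 07:19:43,609 WARNING: is not a valid IP address
2006-03-24 07:25:55,284 WARNING: VSFTPD: Ban (600 s) 192.0.2.10
2006-03-24 07:35:56,274 WARNING: VSFTPD: Unban 192.0.2.10
2006-03-24 08:01:02,000 WARNING: SSH: Ban (600 s) 198.51.100.7
2006-03-24 08:11:03,000 WARNING: SSH: Unban 198.51.100.7
2006-03-24 09:00:00,000 WARNING: SSH: Ban (600 s) 198.51.100.7
2006-03-24 09:00:05,000 ERROR: SSH: 198.51.100.7 already in ban list
"""

# Ban (with bantime), Unban, and "already in ban list" (the IP re-offended while still banned).
EVENT_RE = re.compile(
    r"^\S+ \S+ (?:WARNING|ERROR): (?P<service>\w+): "
    r"(?:(?P<action>Ban|Unban)(?: \((?P<secs>\d+) s\))? (?P<ip>\d+(?:\.\d+){3})"
    r"|(?P<reban_ip>\d+(?:\.\d+){3}) already in ban list)$"
)

def summarize(log_text):
    """Per-service, per-IP counts plus the lines logwatch would list as unmatched."""
    services = defaultdict(lambda: defaultdict(lambda: {"bans": 0, "unbans": 0, "rebans": 0}))
    unmatched = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            unmatched.append(line)
        elif m["reban_ip"]:
            services[m["service"]][m["reban_ip"]]["rebans"] += 1
        else:
            services[m["service"]][m["ip"]]["bans" if m["action"] == "Ban" else "unbans"] += 1
    return services, unmatched

def render(services, detail=5):
    """Bans:Unbans report: service totals always, per-IP lines only at detail >= 5."""
    out = ["Banned services with Fail2Ban:", "  Bans:Unbans"]
    for svc in sorted(services):
        ips = services[svc]
        out.append(f"  {svc}: [ {sum(v['bans'] for v in ips.values())}:"
                   f"{sum(v['unbans'] for v in ips.values())} ]")
        if detail >= 5:  # reverse DNS names are left out so this runs offline
            out.extend(f"    {ip} {ips[ip]['bans']}:{ips[ip]['unbans']}" for ip in sorted(ips))
    return "\n".join(out)

def repeat_offenders(services):
    """IPs banned more than once or seen 'already in ban list': bantime may be too short."""
    return sorted(ip for ips in services.values() for ip, v in ips.items()
                  if v["bans"] > 1 or v["rebans"] > 0)
```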
From: Benjamin D. <ben...@py...> - 2006-03-25 14:13:57
Yaroslav Halchenko wrote:
> Please see fresh version attached. Hopefully this time it will satisfy
> everyone's needs ;-)

Works perfectly on my system! :-)

Huge thank yous!

Ben