From: Dionisios K. <ad...@vo...> - 2012-11-25 18:20:02
Hello, I want to make fail2ban monitor webmin.

1) Known user, wrong password

Nov 25 20:05:27 machine.host perl[9172]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=123.123.123.123 user=root
Nov 25 20:05:29 machine.host webmin[9172]: Invalid login as root from 123.123.123.123

2) Unknown user.

Nov 25 20:13:40 machine.host webmin[9242]: Non-existent login as someunknownuser from 123.123.123.123

Is it possible to help me with the correct regex?

You may also add it as configuration inside fail2ban as webmin is popular.

Sincerely,

From: Fosforo <fo...@gm...> - 2012-11-25 18:49:55
Didn't test it.

jail.conf:

[perl]
enabled = true
port = ????
filter = perl
logpath = /var/log/xxxxxx
maxretry = 6

[webmin]
enabled = true
port = ????
filter = webmin
logpath = /var/log/xxxxxx
maxretry = 6

> Nov 25 20:05:27 machine.host perl[9172]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser=rhost=123.123.123.123 user=root

filter.d\perl.conf

failregex = authentication failure.*rhost=<HOST> user=.*

> Nov 25 20:13:40 machine.host webmin[9242]: Non-existent login as someunknownuser from 123.123.123.123

filter.d\webmin.conf

failregex = Non-existent login.*from <HOST>

--
[]s Fosforo
-------------------------------------------------------------
"If I had eight hours to chop down a tree, I would spend six sharpening my axe."
-Abraham Lincoln
-------------------------------------------------------------

From: Dionisios K. <ad...@vo...> - 2012-11-25 19:11:33
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/filter.d/perl.conf, line: 1
'failregex = authentication failure.*rhost=<HOST> user=.*\n'

From: Fosforo <fo...@gm...> - 2012-11-25 19:17:09
You should see the other rule files to figure out the correct syntax/headers.

--
[]s Fosforo

From: Dionisios K. <ad...@vo...> - 2012-11-25 19:19:23
For perl authentication I've used the pam-common and it seems to work.

As for the other, I will look into it. :)

From: Dionisios K. <ad...@vo...> - 2012-11-25 19:28:10
I copied the headers from another file and I can confirm that the webmin rule works :)

Thanks!
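
Added example, not part of the original thread: it reproduces the missing-header parse error with Python 3's configparser (the thread's traceback comes from the Python 2 ConfigParser module) and runs the webmin rule over the three log lines from the first message. The HOST pattern is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and the second failregex line for "Invalid login" is an assumption added here, not a rule posted in the thread.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filter body exactly as posted in the thread: no section header.
HEADERLESS = "failregex = Non-existent login.*from <HOST>\n"

# Same rule under a [Definition] header. The second pattern is an
# assumption added here to cover the "Invalid login" line as well.
FILTER = """[Definition]
failregex = Non-existent login.*from <HOST>
            Invalid login.*from <HOST>
ignoreregex =
"""

# Log lines quoted in the first message of the thread.
LOG_LINES = [
    "Nov 25 20:05:27 machine.host perl[9172]: pam_unix(webmin:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=10000 ruser= "
    "rhost=123.123.123.123 user=root",
    "Nov 25 20:05:29 machine.host webmin[9172]: Invalid login as root from 123.123.123.123",
    "Nov 25 20:13:40 machine.host webmin[9242]: Non-existent login as someunknownuser from 123.123.123.123",
]

def parses(text):
    """Return True if text loads as an INI file, False on a missing header."""
    try:
        configparser.ConfigParser(interpolation=None).read_string(text)
        return True
    except configparser.MissingSectionHeaderError:
        return False

def load_failregex(text):
    """Compile each failregex line after expanding <HOST>."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    lines = cp.get("Definition", "failregex").splitlines()
    return [re.compile(l.strip().replace("<HOST>", HOST)) for l in lines if l.strip()]

def matched_hosts(text, log_lines):
    """For each log line, the captured host, or None if no rule matched."""
    rules = load_failregex(text)
    out = []
    for line in log_lines:
        hit = next((m for m in (r.search(line) for r in rules) if m), None)
        out.append(hit.group("host") if hit else None)
    return out
```

The pam_unix line is not matched by this filter; in the thread that case is handled by a separate PAM filter. On a real host, fail2ban-regex checks a filter file against a log file in the same way.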