From: Rarig, H. <hr...@so...> - 2006-03-22 12:37:48
Yikes! I loaded up the four logwatch files you sent me and this is what happened.

[root@birch logwatch]# logwatch --range Today --print --service fail2ban
"dates" is not defined in %Logwatch::EXPORT_TAGS at /etc/log.d/scripts/shared/applyeurodate line 18
    main::BEGIN() called at /usr/lib/perl5/5.8.5/Carp.pm line 18
    eval {...} called at /usr/lib/perl5/5.8.5/Carp.pm line 18
Can't continue after import errors at /etc/log.d/scripts/shared/applyeurodate line 18
BEGIN failed--compilation aborted at /etc/log.d/scripts/shared/applyeurodate line 18.
[root@birch logwatch]#

I am running Fedora Core 3 using logwatch-5.2.2-1.FC3.3. Based on the tar files you sent me, it appears you are running Fedora Core 4?

Harry

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Yaroslav Halchenko
Sent: Saturday, March 18, 2006 1:30 AM
To: fai...@li...
Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report

Dear Rarig, Harry,

Thanks once again for triggering logwatch move ;-)
Here is my version based on yours (see attached). The differences are:

1. rewritten applyeurodate to be in concordance with other apply*date and use logwatch time filter regex creation facility (to facilitate such definitions like "between X and Y")

2. generates a summary of banned IPs including the numbers (in the detailed view) after how many attempts each time it was banned...

so on my laptop it looked like:

 --------------------- fail2ban-messages Begin ------------------------

 Banned services with Fail2Ban:
    SSH: 165.230.95.72 (tractatus.rutgers.edu): 5 failures

 ---------------------- fail2ban-messages End -------------------------

and on my mailbox server for yesterday it looks like

 --------------------- fail2ban-messages Begin ------------------------

 Banned services with Fail2Ban:
    ApacheAttacks: 66.34.225.186: 2 failures
    SSH: 202.63.117.71 (yantra.uceou.edu): 5 7 failures

 ---------------------- fail2ban-messages End -------------------------

sorry for no comma in the list of number of failures.

side effect: different installation path for the config scripts -- I just decided to mess with system wide config so it makes it easier to provide to be included in logwatch. Also it was tested only on logwatch 7.1-2

Please let me know what you think before I submit a request to logwatch maintainer (in debian) or upstream to have those rules included to be used by everyone else

NOTE: I didn't test it thoroughly yet -- thus more side effects possible... I am installing it on a few nodes to see how it will behave ;-)

On Thu, 16 Mar 2006, Rarig, Harry wrote:
> Yaroslav,
>
> Yeah, the thought crossed my mind that maybe I ought to do a little more than just "cat" the fail2ban.log file...;-). I certainly would enjoy doing this sometime in the future, but right now my stack is overflowing big time with too many other commitments!
>
> On the other hand, my experience has been that very few robots are attacking my site via FTP, and when they do the "magic" in vsftpd seems to do a good job regulating the frequency of the attempts. However, once they get past this, the 25 authentications per second dictionary attacks that were plaguing me in the past have completely ceased now that fail2ban is guarding the entrance to the castle! (Nice work guys!)
>
> As far as SSH goes, I am using the iptables "recent" option to manage that (see http://olivier.sessink.nl/publications/blacklisting/index.html [Note: replace "extern_in" with "INPUT" and "extern-out" with "OUTPUT"]). Using this, the banned IPs show up automatically in the logwatch default ssh and kernel reports.
>
> Would be interested in hearing some anecdotal reports from the field about how many entries other subscribers to this mailing list are seeing in their fail2ban.log files...??
>
> Are entries in your fail2ban.log file on the order of 1 or 2, dozens, hundreds, or more?
>
> Cheers!
> Harry
>
> -----Original Message-----
> From: fai...@li... [mailto:fai...@li...] On Behalf Of Yaroslav Halchenko
> Sent: Thursday, March 16, 2006 4:54 PM
> To: fai...@li...
> Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report
>
> Dear Harry,
>
> Thank you for logwatch scripts -- I was looking toward composing ones myself but never got to them ;-)
>
> Wouldn't you like to see a summary like
>
> VSFTPD: 12 IPs banned [list of IPs may be]
> SSH: 3 IPs banned [...]
>
> Another possibility would be to include for each IP on how many times it was banned, which would signal that bantime might be too low if you have multiple hits for the same IP
>
> If you have any spare moment, since you mastered logwatch already, would you mind writing a script to provide such statistics?
>
> Otherwise you just might get lengthy list of WARNINGs and I really think that statistics would be a better presentation of relevant information

-- 
Keep in touch                  (yoh@|www.)onerussian.com
Yaroslav Halchenko                        ICQ#: 60653192
Linux User [175555]
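The summary Yaroslav describes (one line per service, each banned IP with the failure count behind every ban, so a repeated IP hints that bantime is too low) is easy to reproduce outside logwatch. The following is an added stand-alone illustration, not the Perl logwatch filter from the thread or anything shipped by fail2ban. The fail2ban log line format it parses is constructed for this example, since the thread does not show the log itself, and the hostname table is a constructed stand-in for a reverse DNS lookup so the code runs offline.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a fail2ban log. The exact format is an
# ASSUMPTION for this example; only "Ban ... after N failures" lines count.
SAMPLE_LOG = """\
2006-03-17 01:12:33,101 fail2ban.actions: WARNING [SSH] Ban 202.63.117.71 after 5 failures
2006-03-17 02:40:10,522 fail2ban.actions: WARNING [ApacheAttacks] Ban 66.34.225.186 after 2 failures
2006-03-17 03:05:47,019 fail2ban.actions: WARNING [SSH] Unban 202.63.117.71
2006-03-17 03:58:02,773 fail2ban.actions: WARNING [SSH] Ban 202.63.117.71 after 7 failures
2006-03-17 04:00:00,000 fail2ban.filter: INFO [SSH] Found 10.0.0.5
"""

# Hypothetical lookup table standing in for gethostbyaddr(); names constructed.
HOSTNAMES = {"202.63.117.71": "yantra.uceou.edu"}

BAN_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions: WARNING \[(?P<service>[^\]]+)\] "
    r"Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) after (?P<failures>\d+) failures$"
)


def summarize_bans(log_text):
    """Return {service: {ip: [failures_per_ban, ...]}} from fail2ban log text.

    Unban and filter 'Found' lines are ignored. An IP banned twice yields two
    entries, which is the "bantime may be too low" signal from the thread.
    """
    bans = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue
        bans[m["service"]][m["ip"]].append(int(m["failures"]))
    # Sort services and IPs for stable, logwatch-like output.
    return {svc: dict(sorted(ips.items())) for svc, ips in sorted(bans.items())}


def format_report(bans, hostnames=HOSTNAMES):
    """Render the summary in the layout quoted in the thread, commas included."""
    lines = ["Banned services with Fail2Ban:"]
    for service, ips in bans.items():
        lines.append(f"   {service}:")
        for ip, failures in ips.items():
            host = f" ({hostnames[ip]})" if ip in hostnames else ""
            counts = ", ".join(str(n) for n in failures)
            lines.append(f"      {ip}{host}: {counts} failures")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_bans(SAMPLE_LOG)))
```

Counting bans per IP rather than echoing every WARNING line is the point: a handful of IPs with a list of several failure counts each reads at a glance, whereas the raw log would be one line per action.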