From: Rarig, H. <hr...@so...> - 2006-03-24 14:31:48
Yaroslav,

I installed the four logwatch files you sent and created a single vsftpd ban failure as shown in the logfile below.

fail2ban: version 0.6.1
logwatch: version 7.2.1-2

Unfortunately, the filter is not matching the VSFTPD log entries. Also, the filter you wrote does not work with the stock logwatch distribution that comes with Fedora Core 3 (5.2.2-1.FC3.3); you need to update to the latest version (7.2.1).

Let me know when you get a fix for this, I will be happy to test it out for you ;-)

Cheers!
Harry

===>> Here is the logwatch report for fail2ban

[root@birch /]# logwatch --range today --print --service fail2ban

 ################### Logwatch 7.2.1 (01/18/06) ####################
        Processing Initiated: Fri Mar 24 08:46:16 2006
        Date Range Processed: today
                              ( 2006-Mar-24 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: foobar.com
 ##################################################################

 --------------------- fail2ban-messages Begin ------------------------

 **Unmatched Entries**
 2006-03-24 07:19:43,609 WARNING: is not a valid IP address
 2006-03-24 07:22:03,546 WARNING: is not a valid IP address

 ---------------------- fail2ban-messages End -------------------------

 ###################### Logwatch End #########################

===>> Here is the input file to logwatch. Note the VSFTPD entries that are not being matched.

[root@birch /]# tail /var/log/fail2ban.log
2006-03-24 06:58:38,154 WARNING: Restoring firewall rules...
2006-03-24 07:00:15,450 WARNING: Restoring firewall rules...
2006-03-24 07:02:15,033 WARNING: Restoring firewall rules...
2006-03-24 07:02:27,387 WARNING: Restoring firewall rules...
2006-03-24 07:19:43,609 WARNING: is not a valid IP address
2006-03-24 07:21:56,681 WARNING: Restoring firewall rules...
2006-03-24 07:22:03,546 WARNING: is not a valid IP address
2006-03-24 07:23:34,844 WARNING: Restoring firewall rules...
2006-03-24 07:25:55,284 WARNING: VSFTPD: Ban (600 s) 72.9.234.170
2006-03-24 07:35:56,274 WARNING: VSFTPD: Unban 72.9.234.170
[root@birch /]#

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of Yaroslav Halchenko
Sent: Thursday, March 23, 2006 11:08 PM
To: fai...@li...
Subject: Re: [Fail2ban-users] Add fail2ban to your logwatch daily report

Hi All,

Here is a brand new version... This one should fit everyone in terms of functionality, I hope. I fixed a bug and added a bit more information to the report. Also, the previous version was monitoring the "INFO:" (verbose>0) level, not "WARN:" (no verbose).

Here is a sample output (detail level 6 I believe)

 --------------------- fail2ban-messages Begin ------------------------

 Banned services with Fail2Ban:
    SSH:
       210.103.124.7 1 ban(s) 1 unban(s): 5 failures
       210.14.28.59 1 ban(s) 1 unban(s): 5 failures

 ---------------------- fail2ban-messages End -------------------------

and here is for this month on my desktop with default detail level (which is 5 I believe)... The list of Unmatched entries is quite long but I think it should be this way -- I cut it after a few lines so as not to abuse the mailing list ;-)

 ################### LogWatch 7.1 (11/12/05) ####################
        Processing Initiated: Thu Mar 23 23:05:29 2006
        Date Range Processed: between 03/01/2006 and today
                              ( 2006-Mar-01 / 2006-Mar-23 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: washoe
 ##################################################################

 --------------------- fail2ban-messages Begin ------------------------

 Banned services with Fail2Ban:
    ApacheAttacks:
       61.220.191.21 (61-220-191-21.HINET-IP.hinet.net) 2 ban(s) 2 unban(s)
       66.34.225.186 2 ban(s) 2 unban(s)
    SSH:
       68.85.110.185 (c-68-85-110-185.hsd1.de.comcast.net) 1 ban(s) 1 unban(s)
       59.120.70.210 (59-120-70-210.HINET-IP.hinet.net) 1 ban(s) 1 unban(s)
       66.34.52.10 1 ban(s) 1 unban(s)
       217.11.107.130 (fw-2.saimanet.net) 1 ban(s) 1 unban(s)
       202.63.117.71 (yantra.uceou.edu) 2 ban(s) 2 unban(s)
       201.224.172.195 2 ban(s) 2 unban(s)
       139.142.43.29 (raq.yourlink.ca) 2 ban(s) 2 unban(s)
       210.22.12.56 (sunym.gdsz.cncnet.net) 2 ban(s) 2 unban(s)
       203.86.41.223 2 ban(s) 2 unban(s)
       125.240.172.5 2 ban(s) 2 unban(s)
       165.230.95.67 (washoe.rutgers.edu) 2 ban(s) 2 unban(s)
       60.248.185.43 (60-248-185-43.HINET-IP.hinet.net) 2 ban(s) 2 unban(s)
       218.146.254.184 6 ban(s) 6 unban(s)
       83.14.0.230 (dwa230.internetdsl.tpnet.pl) 2 ban(s) 2 unban(s)

 **Unmatched Entries**
 2006-03-03 14:54:25,215 ERROR: SSH: 83.14.0.230 already in ban list
 2006-03-04 04:43:10,360 ERROR: SSH: 218.146.254.184 already in ban list
 2006-03-05 07:46:04,013 WARNING: is not a valid IP address
 2006-03-06 14:53:55,477 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
 2006-03-06 14:53:55,524 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
 ........

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User    ^^-^^    [175555]
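An added example, not part of either message and not Yaroslav's Perl logwatch filter: a Python sketch of the matching such a filter has to do on fail2ban 0.6 WARN-level lines. It takes the service name from the text before the first colon, so VSFTPD entries are counted per service just like SSH ones, and anything else (the "is not a valid IP address" and "already in ban list" lines seen above) falls through to Unmatched Entries. The log lines are constructed from the ones quoted in the thread; the 10.0.0.5 entries are made up.

```python
import re
from collections import defaultdict

# Constructed sample of fail2ban 0.6 WARN-level log lines, modelled on the
# entries quoted in the thread; the 10.0.0.5 address and its times are made up.
SAMPLE_LOG = """\
2006-03-24 06:58:38,154 WARNING: Restoring firewall rules...
2006-03-24 07:19:43,609 WARNING: is not a valid IP address
2006-03-24 07:25:55,284 WARNING: VSFTPD: Ban (600 s) 72.9.234.170
2006-03-24 07:35:56,274 WARNING: VSFTPD: Unban 72.9.234.170
2006-03-24 08:01:02,111 WARNING: SSH: Ban (600 s) 10.0.0.5
2006-03-24 08:11:03,222 WARNING: SSH: Unban 10.0.0.5
2006-03-24 08:12:00,333 ERROR: SSH: 10.0.0.5 already in ban list
"""
# Whole line: timestamp, level, message.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [A-Z]+: (?P<msg>.*)$")
# The service name is whatever precedes the first ": " in the message (SSH, VSFTPD,
# ApacheAttacks, ...), so a newly enabled service needs no change to the filter.
BAN_RE = re.compile(r"^(?P<svc>[\w-]+): Ban \(\d+ s\) (?P<ip>\S+)$")
UNBAN_RE = re.compile(r"^(?P<svc>[\w-]+): Unban (?P<ip>\S+)$")
IGNORE = "Restoring firewall rules..."   # routine noise at WARN level, not reported

def summarize(log_text):
    """Return ({service: {ip: {'ban': n, 'unban': n}}}, [unmatched lines])."""
    stats = defaultdict(lambda: defaultdict(lambda: {"ban": 0, "unban": 0}))
    unmatched = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        msg = m["msg"] if m else None
        if msg == IGNORE:
            continue
        b = BAN_RE.match(msg) if msg else None
        u = UNBAN_RE.match(msg) if msg else None
        if b:
            stats[b["svc"]][b["ip"]]["ban"] += 1
        elif u:
            stats[u["svc"]][u["ip"]]["unban"] += 1
        else:
            unmatched.append(line)   # e.g. "is not a valid IP address", "already in ban list"
    return stats, unmatched

def render(stats, unmatched):
    # Lay the counts out the way the logwatch report above does.
    out = ["Banned services with Fail2Ban:"]
    for svc in sorted(stats):
        out.append(f"   {svc}:")
        for ip, c in sorted(stats[svc].items()):
            out.append(f"      {ip} {c['ban']} ban(s) {c['unban']} unban(s)")
    if unmatched:
        out += ["", "**Unmatched Entries**"] + unmatched
    return "\n".join(out)
```

Calling `render(*summarize(open("/var/log/fail2ban.log").read()))` reproduces the per-service section of the report, with the VSFTPD ban and unban counted instead of ignored.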