From: Yaroslav H. <de...@on...> - 2006-05-08 18:45:17
Hi Willi,

Sorry for the delay... work work work ;-)

Please get a fresh version
http://www.onerussian.com/Linux/fail2ban/logwatch/fail2ban.logwatch.7x.debian.20060508-1.tgz

I adjusted parsing script to take care about those cases. Now with
default detail level (5) those lines are summarized into:

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:                        Bans:Unbans
   Exim4:                                             [ 0:1 ]
      60.50.161.218                                   0:1
   SSH:                                               [ 1:1 ]
      192.168.22.27                                   1:1

13 faulty iptables invocation(s)
1 fail2ban rules reinitialization(s)

---------------------- fail2ban-messages End -------------------------

On high detail level (>5) we get more information:

--------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban:                        Bans:Unbans
   Exim4:                                             [ 0:1 ]
      60.50.161.218                                   0:1
   SSH:                                               [ 1:1 ]
      192.168.22.27                                   1:1
         Failed 5 7 times
         1 Duplicate Ban attempts
         1 ReBans due to rules reinitilizations

13 faulty iptables invocation(s):
   2006-05-08 14:22:58,554 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
   2006-05-08 14:22:58,555 ERROR: Execution of command 'iptables -L INPUT | grep -q fail2ban-SSH' failed
   2006-05-08 14:22:58,683 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
   2006-05-08 14:22:58,731 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
   2006-05-08 14:22:58,778 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
   2006-05-08 14:22:58,824 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacks
   2006-05-08 14:22:58,918 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
   2006-05-08 14:22:58,965 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
   2006-05-08 14:22:59,011 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
   2006-05-08 14:22:59,059 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
   2006-05-08 14:22:59,107 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-Apache
   2006-05-08 14:22:59,247 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-ApacheAttacksGB
   2006-05-08 14:22:59,280 ERROR: 'iptables -D fail2ban-SSH -s '192.168.22.27' -j DROP' returned 256
   2006-05-08 14:22:59,326 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH

1 fail2ban rules reinitialization(s)

---------------------- fail2ban-messages End -------------------------

I hope this would be better ;-)

Thank you in advance

On Tue, 02 May 2006, Willi Mann wrote:

> Yaroslav Halchenko wrote:
> >Hi Willi,
> >Sorry for a slight delay. I reshaped the files a bit (corrected
> >attributions and added licensing statement in both scripts, left config
> >files without explicit licensing statements)
> >I hope they are ok now

> Yes, thanks. Available from

> deb http://pkg-logwatch.alioth.debian.org/apt sid main

> or http://pkg-logwatch.alioth.debian.org/apt/pool/main/l/logwatch/logwatch_7.3-0test2.2_all.deb

> There are some unmatched entries, which should be ignored or reported:

>     5 ERROR: Execution of command 'iptables -L INPUT | grep -q fail2ban-SSH' failed
>     5 ERROR: 'iptables -D fail2ban-SSH -s 'a.b.c.d' -j DROP' returned 256
>     5 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
>     5 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
>     5 ERROR: SSH: a.b.c.d already in ban list
>     4 WARNING: #1 reinitialization of firewalls
>     1 WARNING: #2 reinitialization of firewalls
>     5 WARNING: is not a valid IP address
>     5 WARNING: SSH: ReBan a.b.c.d

> (the first number is the number of occurrences when I used range all on one machine.)

> Can you add the code to handle them? I'm not sure which to ignore and which to handle.

> Willi

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
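
Added example, not part of the original message and not the logwatch script itself: a Python sketch of the classification the thread asks for, sorting the fail2ban message shapes quoted above into categories and returning every line no rule matched so it is reported rather than dropped. The category names, the `summarize` function and the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample in the line format quoted in the thread (placeholder addresses).
SAMPLE = """\
2006-05-08 14:22:58,554 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2006-05-08 14:22:58,555 ERROR: Execution of command 'iptables -L INPUT | grep -q fail2ban-SSH' failed
2006-05-08 14:22:59,326 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
2006-05-08 14:23:01,100 ERROR: SSH: 192.0.2.27 already in ban list
2006-05-08 14:23:01,200 WARNING: #1 reinitialization of firewalls
2006-05-08 14:23:01,300 WARNING: SSH: ReBan 192.0.2.27
2006-05-08 14:23:01,400 WARNING: is not a valid IP address
2006-05-08 14:23:01,500 INFO: a message this sketch has no rule for
"""

LINE = re.compile(r"^\S+ \S+ (?:ERROR|WARNING|INFO):\s*(.*)$")

# Category names are assumptions of this sketch. The iptables rule matches on
# the prefix only, because some quoted lines end before the closing quote.
RULES = [
    ("iptables_failure", re.compile(r"^(?:Execution of command )?'iptables ")),
    ("duplicate_ban", re.compile(r"^(?P<jail>\S+): \S+ already in ban list$")),
    ("reinitialization", re.compile(r"^#\d+ reinitialization of firewalls$")),
    ("reban", re.compile(r"^(?P<jail>\S+): ReBan \S+$")),
    ("invalid_ip", re.compile(r"is not a valid IP address$")),
]

def summarize(text):
    """Return (counts per category, counts per jail, lines no rule matched)."""
    counts, per_jail, unmatched = Counter(), Counter(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = LINE.match(line)
        hit = None
        if parsed:
            for name, rx in RULES:
                hit = rx.search(parsed.group(1))
                if hit:
                    counts[name] += 1
                    jail = hit.groupdict().get("jail")
                    if jail:
                        per_jail[jail] += 1
                    break
        if not hit:
            unmatched.append(line)  # reported, never silently dropped
    return counts, per_jail, unmatched
```

Calling `summarize(SAMPLE)` returns the per-category counts, the per-jail counts and the list of unmatched lines, which a report would print under its own heading.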