
List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Log filters - guide and how-to
From:       René_Berber <rberber () cactus-soft ! org>
Date:       2018-02-07 22:59:04
Message-ID: 91d19fc8-428d-c3ba-80fb-421a8bf6ab21 () cactus-soft ! org

On 2/7/2018 2:14 PM, Palvelin Postmaster via Fail2ban-users wrote:

> I need an appropriate log filter to match this line type for sshd:
> 
> YYYY-MM-DD HH:MM:SS:XXXXXX+GMT hostname sshd[<process_id>]: error: PAM: \
> authentication error for <username> XXX.XXX.XXX.XXX 
> Example:
> 
> 2018-02-07 22:03:44.009330+0200  localhost sshd[1348]: error: PAM: authentication \
> error for testuser from 192.168.168.2

Have you tested with fail2ban-regex?  For example something like the
following.

$ fail2ban-regex "2018-02-07 22:03:44.009330+0200  localhost sshd[1348]:
error: PAM: authentication error for testuser from 192.168.168.2"
/etc/fail2ban/filter.d/ssh.d

does match, output:

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use      single line : 2018-02-07 22:03:44.009330+0200  localhost sshd[13...


Results
=======

Failregex: 1 total
> -  #) [# of hits] regular expression
> 1) [1] ^[aA]uthentication (?:failure|error|failed) for
<F-USER>.*</F-USER> from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$
`-

Ignoreregex: 0 total

Date template hits:
> - [# of hits] date format
> [1] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T
]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]

> And this for Webmin:
> 
> XXX.XXX.XXX.XXX - - [DD/MMM/YYYY:HH:MM:SS +GMT "POST /session_login.cgi HTTP/X.X" \
> 401 <id> 
> Example: 
> 
> 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" \
> 401 2333 
> So, here I need to match 'POST /session_login.cgi HTTP' followed by '401'

This one doesn't match anything in the current webmin-auth.conf; so
let's try our own:

$ fail2ban-regex "192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] \"POST
/session_login.cgi HTTP/1.1\" 401 2333" "^<HOST> - - .*\"POST
.*session_login.cgi.* 401 .*$"

Running tests
=============

Use   failregex line : ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
Use      single line : 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "PO...


Results
=======

Failregex: 1 total
> -  #) [# of hits] regular expression
> 1) [1] ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
`-

Ignoreregex: 0 total

Date template hits:
> - [# of hits] date format
> [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[
> ]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.20 sec]

Hope this helps.
-- 
René Berber
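To see what the two failregexes in this reply actually capture (and that the Webmin one ignores successful logins), here is an added Python example; it is not fail2ban's code and not part of the original mail. It assumes fail2ban 0.9's expansion of the `<HOST>` tag and uses a simplified stand-in for the sshd filter's prefix stripping, run over constructed log lines.

```python
import re

# Assumption: this is the <HOST> expansion fail2ban 0.9 uses (IPv4, IPv6 or
# hostname, with an optional IPv4-mapped IPv6 prefix). <F-USER>...</F-USER>
# becomes a named "user" group, as in fail2ban's filters.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for the sshd filter's prefix handling: drop the
# timestamp, hostname, "sshd[pid]: " and the optional "error: PAM: " prefix,
# leaving only the message the failregex is matched against.
_SSHD_PREFIX = re.compile(r"^\S+ \S+\s+\S+ sshd\[\d+\]: (?:(?:error|fatal): (?:PAM: )?)?")

# The stock sshd pattern fail2ban-regex reported, and the hand-written Webmin one.
SSHD_FAILREGEX = (r"^[aA]uthentication (?:failure|error|failed) for "
                  r"<F-USER>.*</F-USER> from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$")
WEBMIN_FAILREGEX = r'^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$'

# Constructed sample lines (same shape as those in the thread).
SSHD_FAIL = ("2018-02-07 22:03:44.009330+0200  localhost sshd[1348]: error: PAM: "
             "authentication error for testuser from 192.168.168.2")
WEBMIN_FAIL = ('192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] '
               '"POST /session_login.cgi HTTP/1.1" 401 2333')
WEBMIN_OK = ('192.168.168.2 - - [04/Feb/2018:23:02:10 +0200] '
             '"POST /session_login.cgi HTTP/1.1" 200 2333')


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    pattern = failregex.replace("<HOST>", HOST_RE)
    pattern = re.sub(r"<F-USER>(.*?)</F-USER>", r"(?P<user>\1)", pattern)
    return re.compile(pattern)


def sshd_content(line):
    """Strip the syslog/sshd prefix so the failregex sees only the message."""
    return _SSHD_PREFIX.sub("", line, count=1)


def matches(failregex, line):
    """Return the captured host (and user, if any), or None when the line
    would not count as a failure for this failregex."""
    m = compile_failregex(failregex).search(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    print("sshd  :", matches(SSHD_FAILREGEX, sshd_content(SSHD_FAIL)))
    print("webmin:", matches(WEBMIN_FAILREGEX, WEBMIN_FAIL))
    print("webmin 200:", matches(WEBMIN_FAILREGEX, WEBMIN_OK))
```

The third call shows the point of the ` 401 ` anchor in the Webmin regex: a successful login to the same URL is not counted as a failure.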
