List: fail2ban-users
Subject: Re: [Fail2ban-users] Log filters - guide and how-to
From: René_Berber <rberber () cactus-soft ! org>
Date: 2018-02-07 22:59:04
Message-ID: 91d19fc8-428d-c3ba-80fb-421a8bf6ab21 () cactus-soft ! org
On 2/7/2018 2:14 PM, Palvelin Postmaster via Fail2ban-users wrote:
> I need an appropriate log filter to match this line type for sshd:
>
> YYYY-MM-DD HH:MM:SS:XXXXXX+GMT hostname sshd[<process_id>]: error: PAM: \
> authentication error for <username> XXX.XXX.XXX.XXX
> Example:
>
> 2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM: authentication \
> error for testuser from 192.168.168.2
Have you tested with fail2ban-regex? For example something like the
following.
$ fail2ban-regex "2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM: authentication error for testuser from 192.168.168.2" /etc/fail2ban/filter.d/sshd.conf
does match, output:
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use single line : 2018-02-07 22:03:44.009330+0200 localhost sshd[13...
Results
=======
Failregex: 1 total
> - #) [# of hits] regular expression
> 1) [1] ^[aA]uthentication (?:failure|error|failed) for
<F-USER>.*</F-USER> from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$
`-
Ignoreregex: 0 total
Date template hits:
> - [# of hits] date format
> [1] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]
> And this for Webmin:
>
> XXX.XXX.XXX.XXX - - [DD/MMM/YYYY:HH:MM:SS +GMT "POST /session_login.cgi HTTP/X.X" \
> 401 <id>
> Example:
>
> 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" \
> 401 2333
> So, here I need to match 'POST /session_login.cgi HTTP' followed by '401'
This one doesn't match anything in the current webmin-auth.conf; so
let's try our own:
$ fail2ban-regex "192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] \"POST /session_login.cgi HTTP/1.1\" 401 2333" "^<HOST> - - .*\"POST .*session_login.cgi.* 401 .*$"
Running tests
=============
Use failregex line : ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
Use single line : 192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "PO...
Results
=======
Failregex: 1 total
> - #) [# of hits] regular expression
> 1) [1] ^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$
`-
Ignoreregex: 0 total
Date template hits:
> - [# of hits] date format
> [1] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ ]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.20 sec]
Hope this helps.
--
René Berber
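To see what fail2ban-regex is doing with those two lines, here is a small Python model of the match pipeline. This is an added example, not code from the thread or from fail2ban itself: it cuts the detected date out of the line, applies an sshd-style prefix regex, then the failregex with <HOST> substituted, and runs that over constructed sample lines. The <HOST> stand-in, the two date patterns, the prefix regex, the sample log lines and the "webmin-tight" regex are all assumptions made for the demonstration (the <F-USER> tags from the real sshd filter are written as a plain named group). It also shows the caveat with the Webmin regex as posted: ".* 401 .*" accepts " 401 " anywhere after the CGI name, so a successful login whose user-agent or referer happens to contain that token would get the client banned.

```python
import re

# Stand-in for fail2ban's <HOST> tag. Assumption: deliberately loose; the real
# expansion is a stricter alternation covering IPv4, IPv6 and DNS names.
HOST_RE = r"(?P<host>[\w.:-]+)"

# Date layouts for the two formats in the thread (ISO-style with microseconds
# and offset; Apache/Webmin access-log style). Modelled on fail2ban, the
# matched date text is cut out of the line before failregex is applied, which
# is why the posted Webmin regex can use '.*' between '- -' and '"POST'.
DATE_RES = [
    re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:\s*[+-]\d{4})?"),
    re.compile(r"\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}(?: [+-]\d{4})?"),
]


def expand(regex):
    """Compile a fail2ban-style failregex, substituting the <HOST> tag."""
    return re.compile(regex.replace("<HOST>", HOST_RE))


FILTERS = {
    # sshd: an assumed prefix regex first strips 'host sshd[pid]: error: PAM: '
    # so the failregex (the one fail2ban-regex reported as hit #1 above, with
    # <F-USER>...</F-USER> written as a named group) only sees the message tail.
    "sshd": {
        "prefregex": re.compile(r"^\s*\S+ sshd\[\d+\]: (?:(?:error|fatal): (?:PAM: )?)?"),
        "failregex": [expand(r"^[aA]uthentication (?:failure|error|failed) for "
                             r"(?P<user>.*) from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$")],
    },
    # Webmin, exactly as posted in the thread: matches the 401 line, but
    # '.* 401 .*' accepts ' 401 ' anywhere after the CGI name.
    "webmin-posted": {
        "prefregex": None,
        "failregex": [expand(r'^<HOST> - - .*"POST .*session_login.cgi.* 401 .*$')],
    },
    # Tightened variant (an assumption added here, not from the thread): expect
    # the empty bracket pair the date removal leaves behind, escape the '.' in
    # '.cgi' and pin 401 to the status field right after the request string.
    "webmin-tight": {
        "prefregex": None,
        "failregex": [expand(r'^<HOST> - - \[\s*\] "POST /session_login\.cgi HTTP/[\d.]+" '
                             r'401 \d+(?:\s.*)?$')],
    },
}


def match_line(filter_name, line):
    """Return {'host': ..., 'user': ...} if the line is a failure, else None."""
    flt = FILTERS[filter_name]
    for date_re in DATE_RES:
        m = date_re.search(line)
        if m:
            line = line[:m.start()] + line[m.end():]
            break
    else:
        return None  # undated line: this model reports it as unmatched
    if flt["prefregex"] is not None:
        m = flt["prefregex"].match(line)
        if m is None:
            return None
        line = line[m.end():]
    for fail_re in flt["failregex"]:
        m = fail_re.search(line)
        if m:
            return {"host": m.group("host"), "user": m.groupdict().get("user")}
    return None


def scan(filter_name, lines):
    """Hosts the filter would report, in log order (duplicates kept)."""
    hits = [match_line(filter_name, ln) for ln in lines]
    return [h["host"] for h in hits if h]


# Constructed sample lines: the two examples from the thread plus negative
# controls (a successful sshd login, a successful Webmin login, and a Webmin
# line whose user-agent happens to contain ' 401 ').
SSHD_LOG = [
    "2018-02-07 22:03:44.009330+0200 localhost sshd[1348]: error: PAM: authentication error for testuser from 192.168.168.2",
    "2018-02-07 22:03:59.112204+0200 localhost sshd[1348]: Accepted keyboard-interactive/pam for testuser from 192.168.168.2 port 50111 ssh2",
]
WEBMIN_LOG = [
    '192.168.168.2 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
    '192.168.168.2 - - [04/Feb/2018:23:02:10 +0200] "POST /session_login.cgi HTTP/1.1" 302 0',
    '10.0.0.5 - - [04/Feb/2018:23:05:00 +0200] "POST /session_login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) rv 401 beta"',
]

if __name__ == "__main__":
    print("sshd         :", scan("sshd", SSHD_LOG))
    print("webmin-posted:", scan("webmin-posted", WEBMIN_LOG))
    print("webmin-tight :", scan("webmin-tight", WEBMIN_LOG))
```

Running it reports 192.168.168.2 for the sshd PAM error, and for Webmin the posted regex reports both 192.168.168.2 and 10.0.0.5 (the latter only because of the " 401 " inside the user-agent on a 302 line), while the tightened regex reports 192.168.168.2 alone. Whatever regex you settle on, feed real lines from the live log through fail2ban-regex, including successful logins, before enabling the jail.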
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users