LinuxQuestions.org
Fail2ban: detect changes in log file in NFS directory?

#1  drdidji (LQ Newbie), 10-31-2014, 09:02 AM


Hello,
I have a problem with fail2ban v0.8.6 on Debian 3.2.60-1+deb7u3 x86_64.
I created a rule under jail.conf to block IP addresses that appear more than 10 times within a 600 s window in a log file, client_ip.log:
Code:
[MyRule]

enabled = true
port = http,https
filter = rule
protocol = tcp
logpath = /data/client_ip.log
maxretry = 3
findtime = 600
bantime = 600
and I created the filter "rule" in filter.d:

Code:
failregex = .+?Ip: <HOST>
ignoreregex =
Example client_ip.log file (fail2ban should block the IP 192.168.77.100):
Code:
[2014-10-16 10:37:10] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:22447[] []
[2014-10-16 10:38:03] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:04] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:18] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:19] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:35] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []
[2014-10-16 10:39:06] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:14] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:26] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:49] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []
The problem is that this rule only works once, and I have to restart fail2ban every time to block new IPs.

Thank you for your help.
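To see what the jail above actually does with that filter before touching the daemon, here is an added example (not the poster's code and not fail2ban's own implementation): it applies the thread's failregex, with the `<HOST>` expansion fail2ban 0.8 uses, to a few constructed log lines in the same format and models the findtime/maxretry sliding window. The sample lines, the second address 192.168.77.200 and the unrelated trailing line are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample input in the same format as the thread's client_ip.log
# (not the poster's real file): one line per request, first address is the client.
SAMPLE_LOG = """\
[2014-10-16 10:37:10] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:22447[] []
[2014-10-16 10:38:03] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:04] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:18] clientIp.INFO: Ip: 192.168.77.200, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:19] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:50:00] clientIp.INFO: Ip: 192.168.77.200, 192.168.77.20; proId:20362 [] []
[2014-10-16 10:51:00] clientIp.INFO: Ip: 192.168.77.200, 192.168.77.20; proId:20362 [] []
[2014-10-16 10:51:30] some unrelated line with no client address
"""

# What fail2ban 0.8 substitutes for <HOST> in a failregex (IPv4 address or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The thread's filter line:  failregex = .+?Ip: <HOST>
FAILREGEX = re.compile(r".+?Ip: " + HOST)
# The timestamp that fail2ban-regex matched with its "Year-Month-Day Hour:Minute:Second" template.
DATE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def parse_line(line):
    """Return (epoch_seconds, host) for a line the filter matches, or None."""
    m = FAILREGEX.search(line)
    d = DATE_RE.match(line)
    if m is None or d is None:
        return None
    ts = datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
    return ts, m.group("host")


def find_bans(lines, maxretry=3, findtime=600):
    """Simplified model of fail2ban's counting: a host is banned as soon as it
    has `maxretry` matches whose timestamps lie within `findtime` seconds of
    the newest one.  Returns [(host, ban_timestamp), ...] in ban order."""
    recent = {}          # host -> timestamps still inside the window
    bans = []
    already = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # lines the filter does not match are ignored
        ts, host = parsed
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in already:
            already.add(host)
            bans.append((host, ts))
            recent[host] = []   # the counter starts over once the host is banned
    return bans


if __name__ == "__main__":
    for host, ts in find_bans(SAMPLE_LOG.splitlines()):
        print("would ban %s at %s" % (host, datetime.fromtimestamp(ts)))
```

With the jail's maxretry = 3, 192.168.77.100 is banned on its third line (10:38:04). 192.168.77.200 also has three matches, but its first one is more than 600 s before the other two, so the window never holds three and it is not banned; with maxretry = 10, as the thread's first post describes, nothing in this sample is banned at all.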
 
#2  Habitual (LQ Veteran), 10-31-2014, 10:09 AM
maxretry should be 10.

What happens if you test it manually with:
Code:
fail2ban-regex /data/client_ip.log /etc/fail2ban/filter.d/rule.conf
 
#3  drdidji (Original Poster), 10-31-2014, 10:13 AM
Code:
    192.168.77.100 (Fri Oct 31 14:20:57 2014)
    192.168.77.100 (Fri Oct 31 14:20:59 2014)
    192.168.77.100 (Fri Oct 31 14:21:01 2014)
    192.168.77.200 (Fri Oct 31 14:21:05 2014)
    192.168.70.20 (Fri Oct 31 15:28:27 2014)
    192.168.70.21 (Fri Oct 31 15:28:35 2014)
    192.168.70.20 (Fri Oct 31 15:32:54 2014)
    192.168.77.100 (Fri Oct 31 15:51:03 2014)
    192.168.77.100 (Fri Oct 31 15:51:05 2014)
    192.168.77.100 (Fri Oct 31 15:51:07 2014)
    192.168.77.100 (Fri Oct 31 15:51:09 2014)
    192.168.77.100 (Fri Oct 31 15:51:11 2014)
    192.168.77.100 (Fri Oct 31 15:51:13 2014)
    192.168.77.200 (Fri Oct 31 16:01:53 2014)
    192.168.77.200 (Fri Oct 31 16:01:54 2014)
    192.168.77.200 (Fri Oct 31 16:01:56 2014)
    192.168.77.200 (Fri Oct 31 16:01:57 2014)
    192.168.77.200 (Fri Oct 31 16:02:00 2014)
    192.168.77.200 (Fri Oct 31 16:02:16 2014)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
3666 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 1833

However, look at the above section 'Running tests' which could contain important
information.
 
#4  Habitual, 10-31-2014, 11:26 AM
What does /var/log/fail2ban.log show about these 'hits'?
 
#5  drdidji (Original Poster), 10-31-2014, 11:35 AM
No logs when I run this command:
Code:
fail2ban-regex /data/client_ip.log /etc/fail2ban/filter.d/rule.conf
I put loglevel = 4 in fail2ban.conf.

Last edited by drdidji; 10-31-2014 at 11:36 AM.
 
#6  Habitual, 10-31-2014, 01:57 PM
Code:
grep "192.168" /var/log/fail2ban.log
Output, please.

If /var/log/fail2ban.log is non-existent, check "logtarget =" in /etc/fail2ban/fail2ban.conf, adjust it to
logtarget = /var/log/fail2ban.log
and restart fail2ban.

fail2ban-regex 'hits' will not show up there.

I'm not certain loglevel = 4 is necessary, but it may help.
 
#7  drdidji (Original Poster), 11-01-2014, 04:02 AM
After a fail2ban restart the IP was banned, but I think the issue is that fail2ban doesn't detect changes to client_ip.log.
Code:
2014-10-31 17:29:56,057 fail2ban.filter : DEBUG  Got event: 8 for /data/client_ip.log
2014-10-31 17:29:56,057 fail2ban.filter : DEBUG  File changed: /data/client_ip.log
2014-10-31 17:29:56,063 fail2ban.filter : DEBUG  Processing line with time:1414772462.0 and ip:192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG  Found 192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG  Processing line with time:1414772464.0 and ip:192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG  Found 192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Processing line with time:1414772466.0 and ip:192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Found 192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Processing line with time:1414772469.0 and ip:192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Found 192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG  Processing line with time:1414772471.0 and ip:192.168.77.100
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG  Found 192.168.77.100
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG  Got event: 9 for /data/client_ip.log
2014-10-31 17:29:56,066 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2014-10-31 17:29:56,621 fail2ban.actions: WARNING [rule] Ban 192.168.77.100
2014-10-31 17:29:56,622 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-rule
2014-10-31 17:29:56,624 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-rule returned successfully
2014-10-31 17:29:56,624 fail2ban.actions.action: DEBUG  iptables -I fail2ban-rule 1 -s 192.168.77.100 -j DROP
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG  iptables -I fail2ban-rule 1 -s 192.168.77.100 -j DROP returned successfully
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG  
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG   returned successfully
 
#8  drdidji (Original Poster), 11-01-2014, 09:30 AM
The problem is that fail2ban doesn't detect changes in my log file because it is in an NFS-mounted folder.
The question is how I can make fail2ban detect any change in this file.
 
#9  drdidji (Original Poster), 11-03-2014, 12:44 AM
I added these lines to crontab so that fail2ban re-checks my file every 30 s:
Code:
* * * * * root chmod u+r /data/client_ip.log
* * * * * root sleep 30s;chmod u+r /data/client_ip.log

Last edited by drdidji; 11-03-2014 at 12:45 AM.
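The underlying cause the thread arrives at is a property of inotify, not of the jail: fail2ban's default backend ("auto", which picks pyinotify or gamin when they are installed) waits for the local kernel's inotify events, and the kernel only raises those for operations that pass through its own VFS. Appends made by the NFS server or by another client never generate an event on this machine, so the file is read once at startup and then never again. The cron chmod above works around that by generating a local attribute event every 30 s. fail2ban also ships a "polling" backend that stats the log file on a timer and needs no inotify at all; it can be selected per jail. The following is an added example of the thread's jail with that setting (not the poster's configuration); the jail name, ports and maxretry = 10 follow the first post, and the findtime/bantime values are the poster's.

```ini
[MyRule]
enabled  = true
port     = http,https
protocol = tcp
filter   = rule
logpath  = /data/client_ip.log
# "auto" (the default) uses pyinotify/gamin, which see only local writes.
# "polling" re-stats the file periodically, so remote writes to an NFS
# export are picked up without the cron chmod workaround.
backend  = polling
# 10 hits within 600 s, as described in the first post (the jail there had 3).
maxretry = 10
findtime = 600
bantime  = 600
```

After changing the jail, restart fail2ban and confirm the file is being read with `tail -f /var/log/fail2ban.log` while new lines arrive; "File changed: /data/client_ip.log" entries should now appear without touching the file locally. One caveat: the polling backend only notices a change once the NFS client's cached attributes for the file expire (the mount's actimeo/acregmax setting, typically a few seconds to a minute), so if ban latency matters, mount the share with a short actimeo or with noac.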
 
  

