Linux - Security forum, LinuxQuestions.org. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
10-31-2014, 09:02 AM
#1
LQ Newbie
Registered: Oct 2014
Posts: 6
Rep:
Fail2ban: detect changes in log file in NFS directory?
hello,
I have a problem with fail2ban v0.8.6 on Debian 3.2.60-1+deb7u3 x86_64
I created a rule under jail.conf to block IP addresses that repeat more than 10 times within a 600s window in the log file client_ip.log
Code:
[MyRule]
enabled = true
port = http,https
filter = rule
protocol = tcp
logpath = /data/client_ip.log
maxretry = 3
findtime = 600
bantime = 600
and I created the filter "rule" in filter.d
Code:
failregex = .+?Ip: <HOST>
ignoreregex =
Example client_ip.log file (fail2ban should block the IP 192.168.77.100)
Code:
[2014-10-16 10:37:10] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:22447[] []
[2014-10-16 10:38:03] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:04] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:18] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:19] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:38:35] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []
[2014-10-16 10:39:06] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:14] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:26] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []
[2014-10-16 10:40:49] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []
The problem is that this rule only works once, and I have to restart fail2ban every time to block the new IPs.
Thank you for your help.
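Added example (not fail2ban's code and not from this thread): it compiles the filter above exactly the way fail2ban 0.8 does (the `<HOST>` tag expands to `(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`), replays the client_ip.log excerpt through maxretry/findtime bookkeeping keyed on the timestamp parsed from each line, and reads the file with a stat()-based poll instead of inotify. That last part is why it also serves post #9: an append made by another NFS client never raises an inotify event on this host, so a backend that polls the file (fail2ban's own `backend = polling` jail setting, which the thread does not mention) sees the change that the inotify/gamin backends miss, without the chmod cron trick. The log lines are a constructed copy of the excerpt, the temporary file and two-batch write are demo scaffolding, UTC is assumed for the timestamps, and bans are recorded rather than handed to iptables.

```python
import os
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timezone

# fail2ban 0.8 expands the <HOST> tag of a failregex to this pattern; the
# substitution is done by hand here so the thread's filter compiles with re.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = r".+?Ip: <HOST>"   # the filter.d "rule" from the first post
TIME_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed copy of the client_ip.log excerpt from the first post.
SAMPLE_LINES = [
    "[2014-10-16 10:37:10] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:22447[] []",
    "[2014-10-16 10:38:03] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:38:04] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:38:18] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:38:19] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:38:35] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []",
    "[2014-10-16 10:39:06] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:40:14] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:40:26] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.21; proId:20362 [] []",
    "[2014-10-16 10:40:49] clientIp.INFO: Ip: 192.168.77.100, 192.168.77.20; proId:20362 [] []",
]


class Jail:
    """maxretry/findtime bookkeeping in the style of fail2ban's FailManager: a
    host is banned once it has >= maxretry matches whose *log* timestamps fall
    inside a findtime-second window. Bans are only recorded, not enforced."""

    def __init__(self, failregex, maxretry, findtime):
        self.regex = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
        self.maxretry = maxretry
        self.findtime = findtime
        self.failures = defaultdict(deque)  # host -> timestamps still in window
        self.banned = []

    def process_line(self, line):
        """Return the host banned because of this line, or None."""
        m_time = TIME_RE.match(line)
        m_host = self.regex.match(line)
        if not (m_time and m_host):
            return None
        # fail2ban uses the time parsed from the line, not the wall clock;
        # UTC is assumed here so the example is deterministic.
        ts = (datetime.strptime(m_time.group(1), "%Y-%m-%d %H:%M:%S")
              .replace(tzinfo=timezone.utc).timestamp())
        host = m_host.group("host")      # only the first IP after "Ip: "
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:   # expire matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry and host not in self.banned:
            self.banned.append(host)
            return host
        return None


class PollingTail:
    """Read a log by re-stat()ing it on each poll, as fail2ban's polling backend
    does. Nothing depends on inotify, so appends by another NFS client (which
    raise no local inotify event) are still picked up; rotation or truncation
    is detected through the inode number or a shrinking size."""

    def __init__(self, path):
        self.path = path
        self.inode = None
        self.offset = 0

    def new_lines(self):
        st = os.stat(self.path)
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0   # new or truncated file
        if st.st_size == self.offset:
            return []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        complete = data.rfind(b"\n") + 1   # hand back whole lines only
        self.offset += complete
        return data[:complete].decode("utf-8", "replace").splitlines()


def run_demo(maxretry=3, findtime=600, batch_at=2):
    """Write the sample log to a temporary file in two batches (the second
    stands in for lines appended after the jail started), poll after each, and
    return (hosts banned, in order; matches per host still inside findtime)."""
    jail = Jail(FAILREGEX, maxretry, findtime)
    bans = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client_ip.log")
        open(path, "w").close()
        tail = PollingTail(path)
        for batch in (SAMPLE_LINES[:batch_at], SAMPLE_LINES[batch_at:]):
            with open(path, "a") as f:
                f.write("".join(line + "\n" for line in batch))
            for line in tail.new_lines():
                host = jail.process_line(line)
                if host:
                    bans.append(host)
    return bans, {h: len(w) for h, w in jail.failures.items()}


if __name__ == "__main__":
    print(run_demo())             # thread's jail: maxretry = 3
    print(run_demo(maxretry=10))  # what the post's wording asked for
```

With the jail as posted (maxretry = 3) the third line already bans 192.168.77.100; with maxretry = 10 the ban lands on the tenth line, and in both cases only the first address after `Ip:` is ever counted, which matches the fail2ban-regex output later in the thread. Shrinking findtime shows matches ageing out of the window without undoing a ban already recorded.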
10-31-2014, 10:09 AM
#2
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Rep:
maxretry should be 10.
What happens if you test it manually with
Code:
fail2ban-regex /data/client_ip.log /etc/fail2ban/filter.d/rule.conf
10-31-2014, 10:13 AM
#3
LQ Newbie
Registered: Oct 2014
Posts: 6
Original Poster
Rep:
Code:
192.168.77.100 (Fri Oct 31 14:20:57 2014)
192.168.77.100 (Fri Oct 31 14:20:59 2014)
192.168.77.100 (Fri Oct 31 14:21:01 2014)
192.168.77.200 (Fri Oct 31 14:21:05 2014)
192.168.70.20 (Fri Oct 31 15:28:27 2014)
192.168.70.21 (Fri Oct 31 15:28:35 2014)
192.168.70.20 (Fri Oct 31 15:32:54 2014)
192.168.77.100 (Fri Oct 31 15:51:03 2014)
192.168.77.100 (Fri Oct 31 15:51:05 2014)
192.168.77.100 (Fri Oct 31 15:51:07 2014)
192.168.77.100 (Fri Oct 31 15:51:09 2014)
192.168.77.100 (Fri Oct 31 15:51:11 2014)
192.168.77.100 (Fri Oct 31 15:51:13 2014)
192.168.77.200 (Fri Oct 31 16:01:53 2014)
192.168.77.200 (Fri Oct 31 16:01:54 2014)
192.168.77.200 (Fri Oct 31 16:01:56 2014)
192.168.77.200 (Fri Oct 31 16:01:57 2014)
192.168.77.200 (Fri Oct 31 16:02:00 2014)
192.168.77.200 (Fri Oct 31 16:02:16 2014)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
3666 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 1833
However, look at the above section 'Running tests' which could contain important information.
10-31-2014, 11:26 AM
#4
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Rep:
What does /var/log/fail2ban.log show about these 'hits'?
10-31-2014, 11:35 AM
#5
LQ Newbie
Registered: Oct 2014
Posts: 6
Original Poster
Rep:
No logs when I run this command
Code:
fail2ban-regex /data/client_ip.log /etc/fail2ban/filter.d/rule.conf
I put loglevel = 4 in fail2ban.conf
Last edited by drdidji; 10-31-2014 at 11:36 AM .
10-31-2014, 01:57 PM
#6
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Rep:
Code:
grep "192.168" /var/log/fail2ban.log
output please.
If /var/log/fail2ban.log is non-existent, check "logtarget =" in /etc/fail2ban/fail2ban.conf and adjust to
logtarget = /var/log/fail2ban.log
and restart fail2ban.
fail2ban-regex 'hits' will not show up there.
I'm not certain loglevel = 4 is necessary, but it may help.
11-01-2014, 04:02 AM
#7
LQ Newbie
Registered: Oct 2014
Posts: 6
Original Poster
Rep:
After the fail2ban restart the IP was banned, but I think the issue is that fail2ban doesn't detect changes to the client_ip.log file.
Code:
2014-10-31 17:29:56,057 fail2ban.filter : DEBUG Got event: 8 for /data/client_ip.log
2014-10-31 17:29:56,057 fail2ban.filter : DEBUG File changed: /data/client_ip.log
2014-10-31 17:29:56,063 fail2ban.filter : DEBUG Processing line with time:1414772462.0 and ip:192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG Found 192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG Processing line with time:1414772464.0 and ip:192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG Found 192.168.77.100
2014-10-31 17:29:56,064 fail2ban.filter : DEBUG Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Processing line with time:1414772466.0 and ip:192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Found 192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Processing line with time:1414772469.0 and ip:192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Found 192.168.77.100
2014-10-31 17:29:56,065 fail2ban.filter : DEBUG Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG Processing line with time:1414772471.0 and ip:192.168.77.100
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG Found 192.168.77.100
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG Currently have failures from 1 IPs: [u'192.168.77.100']
2014-10-31 17:29:56,066 fail2ban.filter : DEBUG Got event: 9 for /data/client_ip.log
2014-10-31 17:29:56,066 fail2ban.filter.datedetector: DEBUG Sorting the template list
2014-10-31 17:29:56,621 fail2ban.actions: WARNING [rule] Ban 192.168.77.100
2014-10-31 17:29:56,622 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-rule
2014-10-31 17:29:56,624 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-rule returned successfully
2014-10-31 17:29:56,624 fail2ban.actions.action: DEBUG iptables -I fail2ban-rule 1 -s 192.168.77.100 -j DROP
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG iptables -I fail2ban-rule 1 -s 192.168.77.100 -j DROP returned successfully
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG
2014-10-31 17:29:56,626 fail2ban.actions.action: DEBUG returned successfully
11-01-2014, 09:30 AM
#8
LQ Newbie
Registered: Oct 2014
Posts: 6
Original Poster
Rep:
The problem is that fail2ban doesn't detect changes in my log file because it's in an NFS-mounted folder.
The question is how I can make fail2ban detect any change in this file.
11-03-2014, 12:44 AM
#9
LQ Newbie
Registered: Oct 2014
Posts: 6
Original Poster
Rep:
I added these lines to crontab to make fail2ban check my file every 30s
Code:
* * * * * root chmod u+r /data/client_ip.log
* * * * * root sleep 30s;chmod u+r /data/client_ip.log
Last edited by drdidji; 11-03-2014 at 12:45 AM .
All times are GMT -5.