LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-13-2014, 11:18 PM   #1
gosssamer
Member
 
Registered: Dec 2010
Posts: 59

Rep: Reputation: 0
fail2ban pattern matching problem


Hi, I've been struggling with fail2ban on fedora20 for a while, and need some help. I'm trying to match the following line:

May 12 22:00:20 [MASS_MAILING] user1 (mydomain.com) from 1.2.3.4: Total 31 recipients

It is part of squirrelmail_logger, and intended to alert to when a message is sent to a large number of recipients, as might happen when an account has been compromised.

My failregex pattern is, very simply:

failregex = .*from <HOST>: Total.*$

When I run fail2ban-regex, my pattern matches, but when I cat the above line into the file being monitored, it doesn't match. If I strip off everything except for "from 1.2.3.4: Total 31" and then append it to the file being monitored, it matches.

What's wrong with my above line that causes it to not match, but something less does?

Does it have something to do with the date? I've tried setting timeregex and timepattern:

timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S

and that doesn't seem to matter either.

I'd really appreciate any input you may have.

Thanks,
Alex
 
Old 05-14-2014, 03:16 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by gosssamer View Post
failregex = .*from <HOST>: Total.*$
Alex:
Try
Code:
failregex = ^<HOST> .*Total.*$
or a slight variation of that.

JJ

Last edited by Habitual; 05-14-2014 at 03:18 PM.
 
Old 05-14-2014, 03:46 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Works for me. Please return output of
Code:
fail2ban-regex /path/to/actual_log_file "MASS_MAILING.*from <HOST>:.*$"
 
Old 05-19-2014, 03:12 PM   #4
gosssamer
Member
 
Registered: Dec 2010
Posts: 59

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Works for me. Please return output of
Code:
fail2ban-regex /path/to/actual_log_file "MASS_MAILING.*from <HOST>:.*$"
Code:
# fail2ban-regex /var/lib/squirrelmail/data/squirrelmail_access_log "MASS_MAILING.*from <HOST>:.*$"

Running tests
=============

Use   failregex line : MASS_MAILING.*from <HOST>:.*$
Use         log file : /var/lib/squirrelmail/data/squirrelmail_access_log
Use         encoding : UTF-8


Results
=======

Failregex: 34 total
|-  #) [# of hits] regular expression
|   1) [34] MASS_MAILING.*from <HOST>:.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6312] MON Day 24hour:Minute:Second
`-

Lines: 6319 lines, 0 ignored, 34 matched, 6285 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 6285 lines
It works just fine when run this way. I haven't had an actual event occur that would provide a real-world request, so I've tried to append a similar line into the log file:

Code:
# cat /tmp/testfile
May 15 08:46:57 [MASS_MAILING] user1 (myexample.com) from 162.248.210.167: Total 76 recipients (FROM: inf
o@support.tech.net) (SUBJECT: Deactivation Of Your Webmail Account.)

# cat /tmp/testfile >> /var/lib/squirrelmail/data/squirrelmail_access_log
and I've sent it a few times, and nothing is written to the log file. However, if I remove the date info "May 15 08:46:57" then cat it into the log file, it does indeed now trigger it. It also works if I supply the filter filename to fail2ban-regex.

The full contents of my massmail.conf filter file is:

Code:
# cat massmailing.conf |egrep -v '^$|^#'
[Definition]
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex  = .*from <HOST>: Total.*$
ignoreregex =
It has no effect if I remove the timeregex or timepattern variable.

Thanks for any ideas.
Alex
 
Old 05-20-2014, 01:14 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by gosssamer View Post
It works just fine when run this way. I haven't had an actual event occur that would provide a real-world request, so I've tried to append a similar line into the log file (..) and I've sent it a few times, and nothing is written to the log file. However, if I remove the date info "May 15 08:46:57" then cat it into the log file, it does indeed now trigger it. It also works if I supply the filter filename to fail2ban-regex.
Odd.


Quote:
Originally Posted by gosssamer View Post
The full contents of my massmail.conf filter file is:
Code:
# cat massmailing.conf |egrep -v '^$|^#'
[Definition]
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex  = .*from <HOST>: Total.*$
ignoreregex =
Only difference with the test I can see is you've dropped the "MASS_MAILING" part?..


Quote:
Originally Posted by gosssamer View Post
It has no effect if I remove the timeregex or timepattern variable.
It shouldn't. These are in default includes and your log file shows the standard syslog time stamp. So there's no need to define time(regex|pattern) again.
 
Old 05-20-2014, 09:37 PM   #6
gosssamer
Member
 
Registered: Dec 2010
Posts: 59

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Odd.



Only difference with the test I can see is you've dropped the "MASS_MAILING" part?..



It shouldn't. These are in default includes and your log file shows the standard syslog time stamp. So there's no need to define time(regex|pattern) again.
Thanks for your help. Looks like we'll just have to wait and see what happens next time an account is hacked. I'll try and follow up then.

Thanks,
Alex
 
Old 05-21-2014, 01:13 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by gosssamer View Post
Looks like we'll just have to wait and see what happens next time an account is hacked. I'll try and follow up then.
If the app allows for per-account settings you could create a new account (please don't name it "test" and use a simple passwd) and force the threshold to be crossed and so force a log message?
 
Old 06-13-2014, 10:11 AM   #8
gosssamer
Member
 
Registered: Dec 2010
Posts: 59

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
If the app allows for per-account settings you could create a new account (please don't name it "test" and use a simple passwd) and force the threshold to be crossed and so force a log message?
Following up with this from last month.

Turns out my rules worked as expected. Not sure why I couldn't create a fake entry by inserting a line into messages. It would still be really nice to know, so I can complete a full test.
 
Old 06-13-2014, 11:50 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Like I said before your rule worked for me. Since I'm not able to reproduce the error and since no new information was made available that could help shed a different light on things I'm not sure what I could help you further with?..
 
Old 06-13-2014, 01:15 PM   #10
gosssamer
Member
 
Registered: Dec 2010
Posts: 59

Original Poster
Rep: Reputation: 0
Yes, fail2ban-regex worked here too - it was just testing an actual occurrence by simulating it in the log file that I was trying to do.

What's the difference between echo'ing a pattern that should trigger the event and squirrelmail producing the same event in the log file?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Problem with Pattern Matching lindextop Linux - Newbie 6 10-20-2013 12:50 PM
Matching patterns or partial pattern matching yaplej Programming 6 12-16-2012 10:21 AM
[SOLVED] awk with pipe delimited file (specific column matching and multiple pattern matching) lolmon Programming 4 08-31-2011 12:17 PM
Pattern Matching Problem ratul_11 Programming 3 12-28-2007 12:27 AM
pattern matching problem in sed digitalbrutus Programming 4 08-20-2006 04:40 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 09:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration