Fail2ban not spotting matches in other_vhosts_access.log - fail2ban

I have a server running Apache and handling a bunch of redirected domains; the redirects aren't logged into individual logs but into other_vhosts_access.log, which consists of lines which look roughly like this:
host.name:80 1.2.3.4 - - [26/Oct/2022:14:18:59 +0100] "GET / HTTP/1.1" 302 498 "-" "browser_string_here"
other.host.name:80 5.6.7.8 - - [26/Oct/2022:14:22:45 +0100] "\x16\x03\x01" 400 0 "-" "-"
(In other words, this doesn't look quite the same as a standard Apache access file because of the host.name:80 part at the beginning of each line.)
There are several fail2ban filters I'd like to run across this file, but the simplest is to ban any hosts trying to access without GET, HEAD or POST being involved (as in the second line in the example above). The fail2ban filter I am trying to use for this looks like:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^\S+ <ADDR> - - .*$
ignoreregex = GET
              HEAD
              POST
So anything which includes GET, HEAD or POST should be ignored, and anything else should be matched with ADDR. (This is the simplest example I have handy; it isn't the only filter I want to use, but if I can fix this case then the rest should fall into line... I hope.) Using ADDR rather than HOST here, because HOST matches on the hostname at the start of the string and that's not what we are after.
This is not working. Running fail2ban-regex using the above details against the log file shows the ignoreregex working the way it's supposed to, but I am not getting any hits at all on the failregex (all the lines on which it should hit are being listed as missed, instead). It's also not hitting any of the "datepattern" options, which seems odd because this is not any kind of unusual date format. Adding a specific "datepattern" line within the filter does not seem to help.
Running fail2ban-regex on a single line of the log with the failregex set to the failregex above does seem to work, but running it across the whole log does not.
I'm wondering if the problem here is that the LN-BEG preset within fail2ban is not correctly matching the start of the line because of the added hostname/port at the beginning of the line, but I'm struggling to figure out how to add to it if that is what needed. I would rather not set up specific logs for each of the redirected domains -- it would be a lot of logs!
Fail2ban 0.10.2 on Debian Buster (this is the distro's version)

I think I have solved this, and it did turn out to be related to the datepattern not correctly matching the log lines. Adding in a more specific datepattern rather than relying on one of the defaults matching sorted things out:
datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
Basically, if the date isn't getting picked up correctly, lines won't match even if they "should" do.
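To make the "date first, then failregex, then ignoreregex" behaviour concrete, here is an added Python model of what fail2ban-regex decides for each line of other_vhosts_access.log. It is example code written for this page, not fail2ban's own matching code: the `<ADDR>` tag is replaced by an IPv4-only stand-in (an assumption; the real tag also covers IPv6 and hostnames), the datepattern from the answer is applied with `strptime`, and the sample log lines are constructed (the first two mirror the question, the third has a deliberately bad timestamp).

```python
import re
from datetime import datetime

# Constructed sample of other_vhosts_access.log lines. The third line has a
# malformed timestamp so the "datepattern did not match" case is visible.
SAMPLE_LOG = r"""
host.name:80 1.2.3.4 - - [26/Oct/2022:14:18:59 +0100] "GET / HTTP/1.1" 302 498 "-" "browser_string_here"
other.host.name:80 5.6.7.8 - - [26/Oct/2022:14:22:45 +0100] "\x16\x03\x01" 400 0 "-" "-"
third.host:80 9.9.9.9 - - [2022-10-26 14:30:00] "\x16\x03\x01" 400 0 "-" "-"
"""

# Assumption: an IPv4-only stand-in for fail2ban's <ADDR> tag (the real tag
# also matches IPv6 addresses and DNS names).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^\S+ " + ADDR + r" - - .*$")

# The answer's datepattern, \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\], with the config
# file's %% unescaped to %: find the bracketed stamp, then parse it strictly.
DATE_RE = re.compile(r"\[([^\]]+)\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

IGNOREREGEX = [re.compile(p) for p in ("GET", "HEAD", "POST")]


def find_date(line):
    """Return the parsed timestamp, or None when the datepattern does not apply."""
    m = DATE_RE.search(line)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), DATE_FMT)
    except ValueError:
        return None


def classify(line):
    """Verdict for one line: it is a hit only if a date is found, failregex
    matches and no ignoreregex matches. The order of checks is a simplification
    of fail2ban's own code, but the outcome per line is the same."""
    if find_date(line) is None:
        return ("missed", "datepattern did not match")
    fail = FAILREGEX.match(line)
    if fail is None:
        return ("missed", "failregex did not match")
    if any(r.search(line) for r in IGNOREREGEX):
        return ("ignored", fail.group("addr"))
    return ("matched", fail.group("addr"))


def scan(log_text):
    """Classify every non-empty line; returns a list of (verdict, detail)."""
    return [classify(line) for line in log_text.strip().splitlines()]


def addresses_to_ban(log_text):
    """Addresses that would be banned by the filter above."""
    return [detail for verdict, detail in scan(log_text) if verdict == "matched"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    for (verdict, detail), line in zip(scan(SAMPLE_LOG), lines):
        print(f"{verdict:8} {detail:28} {line[:60]}")
    print("ban:", addresses_to_ban(SAMPLE_LOG))
```

Run as a script it prints one verdict per line, the same way fail2ban-regex lists matched, ignored and missed lines; the third line is missed purely because no date could be extracted, even though failregex would match it.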

Related

tSendMail - New Line Trouble

I am trying to create an email with the some job status information, which I wish to put across multiple lines. However, whatever I do, I get the output in one line. Have changed the MIME type to HTML, used "\n", "\r", "\r\n", String Objects newline. Nothing seems to work.
Although I noticed that these characters do get processed, even though the outcome isn't as expected. I don't see them in the email body, which suggests that the text processor accepts them. Just doesn't process them they way it should. Do I see a bug in the component?
I am on Talend Open Studio 7.0.1, on Ubuntu 16.04.4 VM, on Windows 10 system (if that helps).
HTML <BR> works.
I tried it earlier but looks like I didn't structure my html tags well so it failed. Did it from start and got it right.
Guess what - The more you try, the more you learn. :)

Fail2ban add more info to email notifications

I'd like to append the relevant fail2ban log entry to the notification email I already receive for any given incident.
Does anybody know how this can be done?
It depends on what information you would like - you may edit the appropriate action.d configuration file's actionban segment by copying the .conf version to a .local version which will override the .conf version as per the fail2ban documentation, and edit it to include whatever information you would like. For example, I have personally amended my sendmail-whois.conf (which is the main sendmail action I use - you could do likewise with sendmail.conf however if you use that for example) by copying it to sendmail-whois.local which I then edited to include the server hostname on the 'From:' line.
You could also include commands to be executed with their output passed to the email to be sent, as long as you follow the correct syntax and fully qualify the path to the relevant commands - for example, you will see that the sendmail-whois action configuration contains the line, within the actionban segment;
`/usr/bin/whois <ip>`\n
Note, as I have mentioned above - the full path to the relevant command is included (in this case, for whois), and the entire command with its options must be delimited by backquotes. The \n at the end of the line indicates that a new line be printed following this one in the output.
Hope that clarifies things for you!
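As an added illustration of the approach described in this answer (a constructed example, not one of fail2ban's shipped action files), the following sendmail-whois.local overrides only the actionban key and adds a grep of the jail's log for the banned address alongside the whois output. It assumes the tags `<sender>`, `<sendername>` and `<dest>` are still supplied by the sendmail-common.conf that the distro's sendmail-whois.conf includes, and that `<logpath>` is available to the action as a jail parameter; `-m 20` caps the number of log lines quoted in the mail.

```ini
# /etc/fail2ban/action.d/sendmail-whois.local  (constructed example)
# Only the keys present here replace those of sendmail-whois.conf.
[Definition]
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Matching lines from <logpath>:\n
            `/bin/grep -m 20 '[^0-9]<ip>[^0-9]' <logpath> || echo no matching lines`\n\n
            Whois information for <ip>:\n
            `/usr/bin/whois <ip> || echo missing whois program`\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
```

As in the shipped file, every command inside the message is written with its full path and wrapped in backquotes, `%%` is the config-file escape for a literal `%`, and each continuation line of the value is indented so fail2ban reads it as part of actionban.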

Programmatically change text config files in Linux with minimal effort

I am looking for a tool that would ease the modification of text configuration files for tasks like:
Set ForwardAgent yes on /etc/ssh/ssh_config
Append HGUSER to AcceptEnv in /etc/ssh/sshd_config (that's more complex as it does accept several params, if yours is not already there it should add it)
Most important:
running it several times should have no side effects.
if something looks weird, it should complain (for example if you find the same line several times in a file, or if the expected syntax does not match).
Is there any linux tool that can easily be used to automate things like this?
The whole point is to be able to write these config patches somewhere so you can deploy them on several machines or on a new machine when needed.
I would certainly do this with bash scripting. Here is a great tutorial.
http://linuxconfig.org/Bash_scripting_Tutorial
to change a line in a file you could do something like:
check the file exists
grep for the value you want to change - error if it appears multiple times or something
use sed to change that line
to append something to a file
check if file exists
grep to ensure it hasn't been appended to already
echo whatever >> file - the double greater than appends to a file
with each of these I would make a backup copy of the file first, just in case something goes wrong
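The procedure in this answer (check the file exists, find the line and complain if it appears more than once, replace it or append it, back up first) can be packaged so that running it repeatedly is a no-op. Below is an added Python implementation of exactly those steps for sshd-style "Key value" files, covering both tasks from the question; it is example code written for this page, not an existing tool, and the sample ssh_config text is constructed. The edit functions work on strings so they can be tested without touching /etc.

```python
import re
import shutil
from pathlib import Path


class ConfigError(Exception):
    """Raised when the file does not look the way the patch expects."""


def _key_lines(lines, key):
    """Indices of uncommented lines that set `key` (sshd keywords are case-insensitive)."""
    pat = re.compile(r"^\s*" + re.escape(key) + r"\b", re.IGNORECASE)
    return [i for i, line in enumerate(lines) if pat.match(line)]


def set_option(text, key, value):
    """Ensure exactly one '<key> <value>' line exists; idempotent.
    Like the answer's grep step, it refuses to guess when the key occurs twice."""
    lines = text.splitlines()
    idx = _key_lines(lines, key)
    if len(idx) > 1:
        raise ConfigError(f"{key} appears {len(idx)} times, refusing to edit")
    new_line = f"{key} {value}"
    if idx:
        lines[idx[0]] = new_line        # the 'sed' step
    else:
        lines.append(new_line)          # the 'echo >> file' step
    return "\n".join(lines) + "\n"


def append_to_list(text, key, item):
    """Ensure `item` is among the space-separated values of the single `key` line
    (the AcceptEnv case); adds the line if the key is absent."""
    lines = text.splitlines()
    idx = _key_lines(lines, key)
    if len(idx) > 1:
        raise ConfigError(f"{key} appears {len(idx)} times, refusing to edit")
    if not idx:
        lines.append(f"{key} {item}")
    else:
        parts = lines[idx[0]].split()
        if item not in parts[1:]:
            lines[idx[0]] = " ".join(parts + [item])
    return "\n".join(lines) + "\n"


def patch_file(path, transform):
    """Apply `transform` to a file, keeping a .bak copy; returns True if it changed."""
    p = Path(path)
    if not p.is_file():
        raise ConfigError(f"{path} does not exist")
    original = p.read_text()
    updated = transform(original)
    if updated == original:
        return False                    # second run: nothing to do
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(updated)
    return True


# Constructed ssh_config fragment used for the demonstration below.
SAMPLE_SSH_CONFIG = "Host *\n#   ForwardAgent no\nAcceptEnv LANG LC_*\n"

if __name__ == "__main__":
    once = set_option(SAMPLE_SSH_CONFIG, "ForwardAgent", "yes")
    twice = set_option(once, "ForwardAgent", "yes")
    print(once, end="")
    print("idempotent:", once == twice)
    print(append_to_list(SAMPLE_SSH_CONFIG, "AcceptEnv", "HGUSER"), end="")
```

On a real host the call would be `patch_file("/etc/ssh/ssh_config", lambda t: set_option(t, "ForwardAgent", "yes"))`; because the transform is pure, the same patch can be shipped to several machines and re-run without side effects.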
You might want to have a look at the Unified Configuration Interface (UCI) used in Embedded Linux systems. If you have the flexibility to adapt the UCI format for your config files, this is pretty similar to what you are looking for.

How to list a directory that has whitespaces in its name via FTP?

Well I tried to send the url encoded but when I start the stream I get 550 error (permission denied, which means that the folder doesn't exist in my case -> probably it compares with the non encoded name on the server). I tried to send it unencoded...and it failed even quicker, the stream didn't open at all (naturally). I take it that it's impossible to list a directory that has whitespaces?
I'm using a Linux server, but ideally, I would like it to work with multiple servers.
[UPDATE] I've just tried the apple sample SimpleFTP code and it seems that it has the same problem. It creates folders with spaces, but when you try to list them it fails
I don't know too much about NSStream, I am using FTPHelper by Erica Sadun for ftp'ing, but I presume that the URL either needs to be escaped.
Try %20 or \ where the spaces are meant to be. There is meant to be a space after the \ by the way!

pexpect parse router output

I've got a couple of pexpect lines to log onto a cisco router, and issue the show arp command. I then exit the router, having stored the data into the variable myARP (myARP=child.before)
When I then try and loop over the object (for lines in myARP: print(lines)), the info is displayed 1 character per line
l
i
k
e
t
h
i
s
Apologies as this is probably a very basic question, but why can't I display as it is shown if I issue the command manually? Is it to do with the streaming nature of the telnet connection? How can this be resolved???
OK fixed - due to pexpect's handling of line endings (/n/r) I think. Read Noah's usage docs for more info
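Iterating over a string yields one character at a time, which is exactly the symptom in the question; the fix is to split `child.before` into lines first, after normalising the \r\n endings a telnet session produces. The following added Python example (not code from the original post) does that and then parses the resulting lines of a Cisco `show arp` table into records. The captured output is constructed to look like IOS output; the column layout and the `ARPA` type are assumptions about that format.

```python
import re

# Constructed stand-in for child.before after sending `show arp` over telnet:
# the echoed command, the column header, two entries and the trailing prompt,
# with the \r\n line endings pexpect hands back. Not real captured output.
RAW_BEFORE = (
    b"show arp\r\n"
    b"Protocol  Address          Age (min)  Hardware Addr   Type   Interface\r\n"
    b"Internet  192.0.2.1               -   0011.2233.4455  ARPA   GigabitEthernet0/0\r\n"
    b"Internet  192.0.2.10             12   0011.2233.4466  ARPA   GigabitEthernet0/0\r\n"
    b"Router#"
)

# Assumed IOS `show arp` row layout: Protocol, Address, Age, MAC, Type, Interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>[0-9a-f.]+)\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def to_lines(before):
    """Turn child.before (bytes on Python 3 unless an encoding was set, str
    otherwise) into a list of lines. splitlines() handles \r\n, \n and \r, so
    the stray \r that telnet adds never ends up inside a line."""
    if isinstance(before, bytes):
        before = before.decode("ascii", errors="replace")
    return [line.rstrip() for line in before.splitlines()]


def parse_show_arp(before):
    """One dict per ARP entry; the echoed command, header and prompt are skipped
    because they do not match the row pattern."""
    entries = []
    for line in to_lines(before):
        m = ARP_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["age"] = None if entry["age"] == "-" else int(entry["age"])
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for line in to_lines(RAW_BEFORE):      # one line per iteration, not one char
        print(line)
    for entry in parse_show_arp(RAW_BEFORE):
        print(entry)
```

With a real session the only change is `parse_show_arp(child.before)`; an age of `-` marks the router's own interface address and is kept as `None` rather than forced into an integer.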