Is it possible to detect with a fail2ban regex, a MAC address ?
What I can do: Detect the source ip address
From the log file
Jan 18 11:15:14 server kernel: [DROP]IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.2.3.4 DST=4.5.6.7 LEN=40 TOS=0x00 PREC=0x00 TTL=239
Fail2ban failregex
failregex = \[DROP\]IN=.* OUT= MAC=.* SRC=<HOST>*
Give 1.2.3.4 as a result. Then, any fail2ban action can use the <ip> variable.
What I would like to do: Detect the MAC address
Is it possible to do something like that?
failregex = \[DROP\]IN=.* OUT= MAC=<MAC> *
Shoud give 00:00:00:00:00:00:00:00:00:00:00:00:00:00 as a result. Then, any fail2ban action could use a<mac> variable for exemple.
Is someone have an answer, or any documentation? I didn't find informations about fail2ban regex or detection possibilities.
Not sure how to do it on Fail2Ban config and I don't have one to test right now. I did a little bash script to test this and maybe you can extract from here the regex.
#!/bin/bash
str="Jan 18 11:15:14 server kernel: [DROP]IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.2.3.4 DST=4.5.6.7 LEN=40 TOS=0x00 PREC=0x00 TTL=239"
[[ ${str} =~ \[DROP\].*MAC=([0-9:]+) ]] && test_output="${BASH_REMATCH[1]}"
echo $test_output
It gives as output: 00:00:00:00:00:00:00:00:00:00:00:00:00:00
I'm capturing the mac inside a group (between parenthesis) and asigning it to a var. Maybe could be like your <MAC>.
I can't assure this because as I said, I don't have fail2ban right now to test, so is a "wild thing"... but I can venture to suggest something like this:
failregex = \[DROP\].*MAC=<MAC>
I hope it helps.
From fail2ban manual website:
As a convenience, you can use the predefined entity in your regexes. is an alias for (?:::f{4,6}:)?(?P\S+), which matches either a hostname or an IPv4 address (possibly embedded in an IPv6 address).
I understand that it is possible use custom regex, but how? There isn't lot of articles about that..
Related
I've installed fail2ban 0.10.5-2.el7 from EPEL on CentOS 7.8. I'm trying to get it to work with systemd for processing a Tomcat log (also systemd).
In jail.local I added:
[guacamole]
enabled = true
port = http,https
backend = systemd
In filter.d/guacamole.conf:
[Definition]
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=tomcat.service + _COMM=java
If I run journalctl -u tomcat.service I see all the log lines. The ones I am interested in look like this:
May 18 13:58:26 myhost catalina.sh[42065]: 13:58:26.485 [http-nio-8080-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 1.2.3.4 for user "test" failed.
If I redirect journalctl -u tomcat.service to a log file, and process it with fail2ban-regex then it works exactly the way I want it to work, finding all the lines it needs.
% fail2ban-regex /tmp/j9 /etc/fail2ban/filter.d/guacamole.conf
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use log file : /tmp/j9
Use encoding : UTF-8
Results
=======
Failregex: 47 total
|- #) [# of hits] regular expression
| 1) [47] Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [570] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 571 lines, 0 ignored, 47 matched, 524 missed
[processed in 0.12 sec]
However, if fail2ban reads the journal directly then it does not work:
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/guacamole.conf
It comes back right away, and processes 0 lines!
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use systemd journal
Use encoding : UTF-8
Use journal match : _SYSTEMD_UNIT=tomcat.service + _COMM=java
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Lines: 0 lines, 0 ignored, 0 matched, 0 missed
[processed in 0.00 sec]
I've tried to remove _COMM=java. It doesn't make a difference.
If I leave out the journal match line altogether, it at least processes all the lines from the journal, but does not find any matches (even though, as I mentioned, it processes a dump of the log file fine):
Running tests
=============
Use failregex filter file : guacamole, basedir: /etc/fail2ban
Use systemd journal
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Lines: 202271 lines, 0 ignored, 0 matched, 202271 missed
[processed in 34.54 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 202271 lines
Either this is a bug, or I'm missing a small detail.
Thanks for any help you can provide.
To make sure the filter definition is properly initialised, it would be good to include the common definition. Your filter definition (/etc/fail2ban/filter.d/guacamole.conf) would therefore look like:
[INCLUDES]
before = common.conf
[Definition]
journalmatch = _SYSTEMD_UNIT='tomcat.service'
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
A small note given that your issue only occurs with systemd but not flat files, could you try the same pattern without $ at the end? Maybe there is an issue with the end of line when printed to the journal?
In your jail definition (/etc/fail2ban/jail.d/guacamole.conf), remember to define the ban time/find time/retries if they haven't already been defined in the default configuration:
[guacamole]
enabled = true
port = http,https
maxretry = 3
findtime = 1h
bantime = 1d
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend = systemd
Remember to restart the fail2ban service after doing such changes.
I have log files on my server as follows
vpn_20191007.log
vpn_20191008.log
vpn_20191009.log
vpn_20191010.log
vpn_20191011.log
vpn_20191012.log
vpn_20191013.log
vpn_20191014.log
vpn_20191015.log
vpn_20191016.log
Is it possible to add log files pattern in fail2ban jail config?
[application]
enabled = false
filter = example
action = iptables
logpath = /var/log/vpn_%D.log
maxretry = 1
Well, conditionally it is possible...
Although wildcards are basically allowed at the moment, so :
logpath = /var/log/vpn_*.log
will do the job, but it is a bit ugly in your case:
fail2ban cumulate the list of files only by start of service, so the list remains obtained in fail2ban (unless it gets reloaded) - this means you should notify fail2ban that the log file name got changed (see https://github.com/fail2ban/fail2ban/issues/1379, the work is in progress).
since only one file will get new messages, the monitoring of other files is unneeded, especially if polling backend is used.
So better create some logrotate rules for that:
in order to rename/compress all previous log-files (to avoid match for obsolete files);
either create hard- or sym-link for last/active file with a fixed name (so fail2ban is always able to find it with the same name, and you'd not need wildcard at all);
or to notify fail2ban to reload the jail if logfile-name got changed(fail2ban-client reload vpn).
Here is an example for logrotate amendment:
postrotate
nfn="/var/log/vpn_$(date +%Y%m%d).log"
touch "$nfn"
ln -fs "$nfn" /var/log/vpn.log
You can add wilcard :
logpath = /var/log/vpn_*.log
and/or you can use multiple lines :
logpath = /var/log/vpn_20191007.log
/var/log/vpn_20191008.log
/var/log/vpn_20191009.log
/var/log/vpn_20191010.log
/var/log/vpn_20191011.log
/var/log/vpn_20191012.log
/var/log/vpn_20191013.log
/var/log/vpn_20191014.log
/var/log/vpn_20191015.log
/var/log/vpn_20191016.log
(You can combine the two)
My Kodi is running as root (for better or for worse). This means the user folder is:
/root/.kodi/userdata/guisettings.xml
A quick search for web-related junk:
cat guisettings.xml | grep web
yields
<webserver default="true">false</webserver>
<webserverpassword default="true"></webserverpassword>
<webserverport default="true">8080</webserverport>
<webserverusername default="true">kodi</webserverusername>
<webskin default="true">webinterface.default</webskin>
Looks good to me. I just have to turn on the webserver.
Steps Taken
systemctl stop kodi
perl -i -pe 's/<webserver default="true">false<\/webserver>/<webserver default="true">true<\/webserver>/' /root/.kodi/userdata/guisettings.xml # (I actually used vim)
systemctl start kodi
Guess what happens, the guisettings.xml gets overwritten each time I start Kodi. I also tried adding the following file: /root/.kodi/userdata/advancedsettings.xml with the following contents:
<advancedsettings>
<loglevel hide="attribute">3</loglevel>
<webserver default="true">true</webserver>
<webserverpassword default="true"></webserverpassword>
<webserverport default="true">8080</webserverport>
<webserverusername default="true">kodi</webserverusername>
<webskin default="true">webinterface.default</webskin>
</advancedsettings>
This also does not work.
Are you by any chance trying to enable the web server to allow using Kodi remote?
I encountered the same issue too, "guisettings.xml gets overwritten".
According to kodi.wiki, you need to configure 2 more XML elements.
To be complete, having the following in advancedsettings.xml should help:
<advancedsettings>
<services>
<esallinterfaces>true</esallinterfaces>
<webserver>true</webserver>
<zeroconf>true</zeroconf>
</services>
</advancedsettings>
We have a part of a mail filter that denies emailing system accounts for security purposes. We recently had a user created that ends in "bin". The bin user is restricted, but the user, lets say l.parrbin, gets flagged via the syntax below:
my #sysaccounts = qw(
root bin daemon adm lp sync shutdown halt mail
news uucp operator games gopher ftp nobody nscd
vcsa rpc mailnull smmsp apache pcap ntp dbus
avahi rpcusder nfsnobody sshd haldaemon xfs defang
clamav monit mysql decode webmaster mailer-daemon
nagios
);
foreach $acct(#sysaccounts){
if ($recip =~ /$acct\#/i){
md_syslog('info', 'Sysaccount Discard');
return('REJECT', "We do not accept messages to system accounts ($acct)");
}
}
How would I prevent the above code from returning REJECT if a name ends or starts with a name from the sysaccounts?
Try doing this :
if ($recip =~ /^$acct\#/i){
# ^
In regex, ^ is an anchor meaning beginning of line (string here)
I'm initializing spot instances running a derivative of the standard Ubuntu 13.04 AMI by pasting a shell script into the user-data field.
This works. The script runs. But it's difficult to debug because I can't figure out where the output of the script is being logged, if anywhere.
I've looked in /var/log/cloud-init.log, which seems to contain a bunch of stuff that would be relevant to debugging cloud-init, itself, but nothing about my script. I grepped in /var/log and found nothing.
Is there something special I have to do to turn logging on?
The default location for cloud init user data is already /var/log/cloud-init-output.log, in AWS, DigitalOcean and most other cloud providers. You don't need to set up any additional logging to see the output.
You could create a cloud-config file (with "#cloud-config" at the top) for your userdata, use runcmd to call the script, and then enable output logging like this:
output: {all: '| tee -a /var/log/cloud-init-output.log'}
so I tried to replicate your problem. Usually I work in Cloud Config and therefore I just created a simple test user-data script like this:
#!/bin/sh
echo "Hello World. The time is now $(date -R)!" | tee /root/output.txt
echo "I am out of the output file...somewhere?"
yum search git # just for fun
ls
exit 0
Notice that, with CloudInit shell scripts, the user-data "will be executed at rc.local-like level during first boot. rc.local-like means 'very late in the boot sequence'"
After logging in into my instance (a Scientific Linux machine) I first went to /var/log/boot.log and there I found:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200! I am
out of the file. Log file somewhere? Loaded plugins: changelog,
kernel-module, priorities, protectbase, security,
: tsflags, versionlock 126 packages excluded due to repository priority protections 9 packages excluded due to repository
protections ^Mepel/pkgtags
| 581 kB 00:00
=============================== N/S Matched: git =============================== ^[[1mGit^[[0;10mPython.noarch : Python ^[[1mGit^[[0;10m Library c^[[1mgit^[[0;10m.x86_64 : A fast web
interface for ^[[1mgit^[[0;10m
...
... (more yum search output)
...
bin etc lib lost+found mnt proc sbin srv tmp var
boot dev home lib64 media opt root selinux sys usr
(other unrelated stuff)
So, as you can see, my script ran and was rightly logged.
Also, as expected, I had my forced log 'output.txt' in /root/output.txt with the content:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200!
So...I am not really sure what is happening in you script.
Make sure you're exiting the script with
exit 0 #or some other code
If it still doesn't work, you should provide more info, like your script, your boot.log, your /etc/rc.local, and your cloudinit.log.
btw: what is your cloudinit version?