Package: fail2ban
Version: 0.8.13-1
Severity: normal
The regular expression for reporting the actual failing lines in
sendmail-whois-lines.conf does not match the ban lines in fail2ban.log that
the recidive jail matches. The reason is that the IP address appears at the
end of the line, so the grep
grep '[^0-9]<ip>[^0-9]' <logpath>
does not match: the trailing [^0-9] requires a character after the IP, and
end of line is not a matchable character. The fix is to use an extended grep
matching either a non-digit or end of line:
egrep '[^0-9]<ip>([^0-9]|$)' <logpath>
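As an added example (not part of this report or of the fail2ban package), the mismatch reproduced on a constructed fail2ban.log sample: the log lines and addresses are made up, the jail names are placeholders, and `grep -E` stands in for `egrep`.

```shell
#!/bin/sh
# Constructed sample of fail2ban.log. The "Ban <ip>" lines written by
# fail2ban.actions (which the recidive jail reads) end with the IP address,
# while the filter line has text after it.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2014-05-10 12:00:01,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2014-05-10 12:00:05,456 fail2ban.actions: WARNING [recidive] Ban 192.0.2.10
2014-05-10 12:00:09,789 fail2ban.filter : INFO Found 192.0.2.10 in sshd
2014-05-10 12:00:12,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.100
EOF

# Pattern as shipped in sendmail-whois-lines.conf: the [^0-9] after the IP
# must consume a character, so a line that ends with the IP never matches.
# Prints the number of matching lines ("|| true" keeps a zero count from
# being treated as a failure).
old_lines() {
    grep -c "[^0-9]$1[^0-9]" "$2" || true
}

# Corrected pattern from the report: accept a non-digit OR end of line after
# the IP. The trailing alternative still rejects longer addresses that merely
# start with the same digits (192.0.2.100 when looking for 192.0.2.10).
# Note that the IP is substituted literally, so its dots are regex wildcards.
new_lines() {
    grep -Ec "[^0-9]$1([^0-9]|\$)" "$2" || true
}

echo "shipped pattern, 192.0.2.10: $(old_lines 192.0.2.10 "$LOG") line(s)"
echo "fixed pattern,   192.0.2.10: $(new_lines 192.0.2.10 "$LOG") line(s)"
echo "fixed pattern,   192.0.2.100: $(new_lines 192.0.2.100 "$LOG") line(s)"
```

Only the "Found ... in sshd" line survives the shipped pattern; the fixed pattern also reports the two ban lines that end with the address.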
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.13-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fail2ban depends on:
ii lsb-base 4.1+Debian12
pn python:any <none>
Versions of packages fail2ban recommends:
ii iptables 1.4.21-1
pn python-pyinotify <none>
ii whois 5.1.1
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20131005cvs-1
ii mailutils [mailx] 1:2.99.98-1.1
ii mailx 1:20081101-2
pn python-gamin <none>
ii rsyslog [system-log-daemon] 7.6.3-1
-- Configuration Files:
/etc/fail2ban/action.d/iptables-allports.conf changed:
[INCLUDES]
before = iptables-blocktype.conf

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]
name = default
protocol = all
chain = INPUT
/etc/fail2ban/action.d/sendmail-whois-lines.conf changed:
[INCLUDES]
before = sendmail-common.conf

[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/whois <ip> || echo missing whois program`\n\n
            Lines containing IP:<ip> in <logpath>\n
            `egrep '[^0-9]<ip>([^0-9]|$)' <logpath>`\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban =

[Init]
name = default
logpath = /dev/null
/etc/fail2ban/filter.d/asterisk.conf changed:
[INCLUDES]
before = common.conf

[Definition]
_daemon = asterisk

__pid_re = (?:\[\d+\])

log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =
-- no debconf information