[Logwatch-Devel] scripts for fail2ban

Willi Mann willi at wm1.at
Fri May 26 06:48:12 MST 2006


Hi!

Yaroslav Halchenko <debian at onerussian.com> submitted a filter for the 
fail2ban (http://fail2ban.sourceforge.net) daemon.

I have already included it in the debian package and tested it on one of 
my servers.

I would be cool if it could be included:

fail2ban -> scripts/services
applyeurodate -> scripts/shared
fail2ban.conf -> conf/services
l_fail2ban.conf -> conf/logfiles

Willi
-------------- next part --------------
#!/usr/bin/perl
##########################################################################
# $Id: $
##########################################################################
# $Log:  $
# Revision ?.??  2005/10/19 05:48:39  
#  Written by Yaroslav Halchenko <debian at onerussian.com> for fail2ban
#
# This script is licensed under the same terms as logwatch, ie under
# permissive X11 license (see /usr/share/doc/logwatch/copyright for more
# details)
#
##########################################################################

use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
my $DebugCounter = 0;
my $ReInitializations = 0;
my @IptablesErrors = ();
my $NotValidIP = 0;		# reported invalid IPs number
my @OtherList = ();

my %ServicesBans = ();

if ( $Debug >= 5 ) {
	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
	$DebugCounter = 1;
}

while (defined(my $ThisLine = <STDIN>)) {
    if ( $Debug >= 5 ) {
	print STDERR "DEBUG($DebugCounter): $ThisLine";
	$DebugCounter++;
    }
    chomp($ThisLine);
    if ( ($ThisLine =~ /..,... DEBUG: /) or
	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
	 )
    {
	if ( $Debug >= 6 ) {
	    print STDERR "DEBUG($DebugCounter): line ignored\n";
	}
    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:\s(.*):\s(Ban|Unban)[^\.]* (\S+)/)) {
	if ( $Debug >= 6 ) {
	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
	}
	$ServicesBans{$Service}{$Host}{$Action}++;
	$ServicesBans{$Service}{"(all)"}{$Action}++;
    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
	if ($Debug >= 4) {
	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
	}
	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
	$ServicesBans{$Service}{$Host}{'ReBan'}++;
    } elsif ($ThisLine =~ /..,... ERROR: (Execution of command )?\'iptables/) {
	push @IptablesErrors, "$ThisLine\n";
    } elsif ($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) {
	$ReInitializations++;
    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
	# just ignore - this will be fixed within fail2ban and is harmless warning
    }
    else
    {
	# Report any unmatched entries...
	push @OtherList, "$ThisLine\n";
    }
}

###########################################################


if (keys %ServicesBans) {
    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
    foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
	printf("   %-55s [%3d:%-3d]\n", "$service:",
	       $ServicesBans{$service}{'(all)'}{'Ban'},
	       $ServicesBans{$service}{'(all)'}{'Unban'});
	delete $ServicesBans{$service}{'(all)'};
	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
	if ($Detail >= 5) {
	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
		my $name = LookupIP($ip);
		printf("      %-53s %3d:%-3d\n",
		       $name,
		       $ServicesBans{$service}{$ip}{'Ban'},
		       $ServicesBans{$service}{$ip}{'Unban'});
		if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
		    print "	   Failed ";
		    foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
			print " $fails";
		    }
		    print " times";
		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
		    print "\n";
		}
	    }
	}
    }
}


if ($Detail>0) {
    if ($#IptablesErrors > 0) {
	printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
	if ($Detail > 5) {
	    print ":\n";
	    print @IptablesErrors ;
	}
    }
    if ($ReInitializations > 0) {
	printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
    }
    if ($#OtherList >= 0) {
	print "\n**Unmatched Entries**\n";
	print @OtherList;
    }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
-------------- next part --------------
#!/usr/bin/perl
##########################################################################
# $Id: $
##########################################################################

########################################################
# This was originally written by 
#           Yaroslav Halchenko <debian at onerussian.com>
########################################################

#
## Modified from applystddate by yoh at onerussian.com to accept dates
## as reported by fail2ban:
#2006-03-17 05:17:19,757 WARNING: SSH: Unban 202.63.117.71
#
# This script is licensed under the same terms as logwatch, ie under
# permissive X11 license (see /usr/share/doc/logwatch/copyright for more
# details)
#
use Logwatch ':dates';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;

$SearchDate = TimeFilter('%Y-%m-%d %H:%M:%S,...');

if ( $Debug > 5 ) {
   print STDERR "DEBUG: Inside ApplyEuroDate...\n";
   print STDERR "DEBUG: Looking For: " . $SearchDate . "\n";
}

while (defined($ThisLine = <STDIN>)) {
   if ($ThisLine =~ m/^$SearchDate /o) {
      print $ThisLine;
   }
}

# vi: shiftwidth=3 syntax=perl tabstop=3 et
-------------- next part --------------
##########################################################################
# $Id: $
##########################################################################

########################################################
# Created by HMR 2/28/06
# Modified by Yaroslav Halchenko <debian at onerussian.com>
#
# What actual file?  Defaults to LogPath if not absolute path....
LogFile = fail2ban.log

# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are...
# Note: if these are gzipped, you need to end with a .gz even if
#       you use wildcards...
Archive = fail2ban.log.*
Archive = fail2ban.log.*.gz
Archive = archiv/fail2ban.log.*
Archive = archiv/fail2ban.log.*.gz

# HMR 3/1/06 use custom applyeurodate script to filter out European time stamps
# ./scripts/shared/applyeurodate
*ApplyEuroDate
-------------- next part --------------
###########################################################################
# $Id: $
###########################################################################

# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

Title = fail2ban-messages

# Which logfile group...
LogFile = fail2ban




More information about the Logwatch-Devel mailing list