diff --git a/ChangeLog b/ChangeLog index 299329b7..0f1287dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - filter pureftpd - added _daemon which got removed. Added - New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - Enhancements: - filter pureftpd - added all translations of "Authentication failed for
diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf
new file mode 100644
index 00000000..0429d3ff
--- /dev/null
+++ b/config/filter.d/nagios.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03
diff --git a/config/jail.conf b/config/jail.conf
index 5dcce02c..ffbdf33e 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -758,3 +758,14 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
 blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath = /var/log/sshd.log
 maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled = false
+filter = nagios
+action = iptables[name=Nagios, port=5666, protocol=tcp]
+ sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
+maxretry = 1
diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios
new file mode 100644
index 00000000..cbeb0a87
--- /dev/null
+++ b/testcases/files/logs/nagios
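Review bot: As displayed, the `failregex` in nagios.conf has no `<HOST>` capture between `Host` and `is not allowed to talk to us!`, so it cannot match the fixture line `Host 50.97.225.132 is not allowed to talk to us!` added in the same commit and would give fail2ban no address to feed the iptables action (the fixture's `"host": "50.97.225.132"` expectation presumes that group exists). The intended line is presumably `failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$`; if the angle brackets were only swallowed by the page rendering this is a non-issue, but it is worth confirming against the committed file. The header comment also speaks of `nrpe2` while `_daemon = nrpe` and the fixture logs as `nrpe[63284]`; a one-line note such as `# _daemon must match the syslog tag (nrpe), even where the package is called nrpe2` would save the next reader the question.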
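Review bot: With `maxretry = 1` and the long bantime the comment recommends, a single `Host ... is not allowed` line bans the source, yet nothing in the `[nagios]` jail protects the one host that is supposed to talk to nrpe: a wrong `allowed_hosts` in nrpe.cfg, or a monitoring server that changes address, gets banned on its first probe and monitoring goes dark without any alert. A per-jail `ignoreip` with the Nagios server's address, e.g. `ignoreip = 127.0.0.1/8 192.0.2.10` (substitute your monitoring host), is the natural safeguard given the comment above the jail. The `port=5666` hard-coded in the iptables action is as site-configurable in nrpe.cfg (`server_port`) as the log facility the inline comment warns about, so the same caveat applies to it. If the config parser in use does not strip ` ;` inline comments, the `logpath` value would include the comment text; moving it onto its own `#` line above `logpath` removes that dependency on parser behaviour.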
@@ -0,0 +1,4 @@
+# Access of unauthorized host in /var/log/messages
+# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
+Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
+
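Review bot: The fixture exercises only the positive case, so nothing checks that the anchored `failregex` leaves other nrpe output alone and nothing will catch the pattern being loosened later. Adding one non-matching nrpe line preceded by `# failJSON: { "match": false }` (for example a logged allowed connection, if nrpe emits one at the configured facility — worth confirming from a real log) would close that gap. Note also that syslog pads a single-digit day with two spaces (`Feb  3`); the line as shown has one, which may be a rendering artifact but is worth checking since `__prefix_line` is matched against it.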