From 110b8e690517001a9393cf81ee6ea2339b00e213 Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Mon, 3 Feb 2014 21:39:52 +0100
Subject: [PATCH 1/8] ENH: Nagios filter

Sample log entry from /var/log/messages for a denied access to the nrpe2 (Nagios Remote Plugin Executor) daemon
---
 testcases/files/logs/nagios | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 testcases/files/logs/nagios

diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios
new file mode 100644
index 000000000..9577b3276
--- /dev/null
+++ b/testcases/files/logs/nagios
@@ -0,0 +1,4 @@
+# Access of unauthorized host in /etc/messages
+# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" }
+Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
+

From c91fda8619d8729920d695ab70e26464a0a4ae4d Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Mon, 3 Feb 2014 21:46:07 +0100
Subject: [PATCH 2/8] ENH: Nagios filter

Sample log for the first failregex is available in the testcases. No example available for the IPv6 denial yet.
---
 config/filter.d/nagios.conf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 config/filter.d/nagios.conf

diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf
new file mode 100644
index 000000000..d01769cc2
--- /dev/null
+++ b/config/filter.d/nagios.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
+ = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$
+ignoreregex =.
+
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03

From dac4dd465e7da1f5b357613ef5695f2e91998129 Mon Sep 17 00:00:00 2001
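Review bot: The sample line and its failJSON `host` field in testcases/files/logs/nagios use 50.97.225.132, an address from public space; a fixture that ships in the repository is better built on an RFC 5737 documentation address (for example `192.0.2.10`, a constructed value) so the test data never names a real host, with the `host` field changed to match. The wrong path and the impossible day in the two comment lines are corrected later in this series (patch 6), so there is nothing further to raise on them here.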
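Review bot: As rendered here the failregex in config/filter.d/nagios.conf reads `^%(__prefix_line)sHost is not allowed to talk to us!\s*$` with nothing between `Host` and `is`, yet the fixture added in patch 1 is `Host 50.97.225.132 is not allowed to talk to us!`; fail2ban requires a `<HOST>` tag at that position to extract the address to ban, and without it the expression neither matches the sample nor yields a host. The `From:` lines on this page also lack their angle-bracketed addresses, so this is probably the page dropping angle-bracketed text rather than the committed file, but it is worth confirming the committed line is `failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$`. The same question applies to `Connection from closed` in the second failregex, which patch 7 removes again.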
From: Ivo Truxa
Date: Mon, 3 Feb 2014 21:51:49 +0100
Subject: [PATCH 3/8] ENH: Nagios filter

added typical configuration settings for the nagios filter
---
 config/jail.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 5dcce02cb..74d1e1d2a 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -758,3 +758,15 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
  blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath = /var/log/sshd.log
 maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled = false
+filter = nagios
+action = iptables[name=Nagios, port=5666, protocol=tcp]
+ sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
+ignoreip = 123.12.123.12 ; your Nagios server
+maxretry = 1

From a8a43e8f3804d1f398b7232a5269869114c17ec8 Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Mon, 3 Feb 2014 22:01:22 +0100
Subject: [PATCH 4/8] ENH: Nagios filter

new filter Nagios added
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index ba31b47a9..a9126208e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - filter pureftpd - added _daemon which got removed. Added - New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - Enhancements: - filter pureftpd - added all translations of "Authentication failed for

From a71bb89ccd908bf16678e9cc436c0d317eb8f5a3 Mon Sep 17 00:00:00 2001
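Review bot: `maxretry = 1` in the new [nagios] section of config/jail.conf means a single denied connection bans its source, so the first time the monitoring server's address and nrpe's own allowed-hosts list drift apart the Nagios server itself gets banned and monitoring goes dark; the section should say so in a full-line comment and point at the global `ignoreip`, all the more since the per-jail `ignoreip` line is dropped again in patch 8. The leading comment recommends a long `bantime` but the section never sets one, so a reader silently inherits the default; an explicit `bantime = …` line with the value the author has in mind would make the advice effective. Whether the text after `;` on the `logpath` and `ignoreip` lines is stripped depends on the ConfigParser flavour in use (Python 2 strips a `;` that follows whitespace, Python 3's configparser keeps it unless inline comment prefixes are configured), so `logpath` may end up as the literal value with the remark appended; moving the remark to a full-line comment above the key removes that dependency.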
From: Ivo Truxa
Date: Mon, 3 Feb 2014 23:12:56 +0100
Subject: [PATCH 5/8] removing a dot (typo)

The dot at the ignoregex did not belong there. Somehow it was added during the copying and pasting. Thanks for reporting it, I did not see it. Otherwise, empty ignoregexes are in all filters, and if they are missing, fail2ban client shows warnings when starting the filter, which I prefer avoiding.
---
 config/filter.d/nagios.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf
index d01769cc2..283aa987e 100644
--- a/config/filter.d/nagios.conf
+++ b/config/filter.d/nagios.conf
@@ -13,7 +13,7 @@ before = common.conf
 _daemon = nrpe
 failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
  = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$
-ignoreregex =.
+ignoreregex =
 
 
 # DEV Notes:

From f6ccd8878d80753e6b1f2f61b79ed702896e418f Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Mon, 3 Feb 2014 23:27:19 +0100
Subject: [PATCH 6/8] date fix

sorry, need to get some glasses
---
 testcases/files/logs/nagios | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios
index 9577b3276..cbeb0a873 100644
--- a/testcases/files/logs/nagios
+++ b/testcases/files/logs/nagios
@@ -1,4 +1,4 @@
-# Access of unauthorized host in /etc/messages
-# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" }
+# Access of unauthorized host in /var/log/messages
+# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
 Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
 

From f5f434f846550e14abbb1244a71bd729e8f033b4 Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Thu, 6 Feb 2014 00:22:05 +0100
Subject: [PATCH 7/8] removing the second failregex

The second failregex was supposed to catch an error concerning an ACL denial over IPv6, but this message is no more generated by the nrpe version (v2.15) that introduced the IPv6 support, so the first failregex seems to be sufficient.
---
 config/filter.d/nagios.conf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf
index 283aa987e..0429d3ffc 100644
--- a/config/filter.d/nagios.conf
+++ b/config/filter.d/nagios.conf
@@ -3,19 +3,15 @@
 # typically logged in /var/log/messages syslog
 #
-
 
 [INCLUDES]
 # Read syslog common prefixes
 before = common.conf
-
 
 [Definition]
 _daemon = nrpe
 failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
- = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$
 ignoreregex =
-
 
 # DEV Notes:
 #
 # Author: Ivo Truxa - 2014/02/03

From c207ad6058905992aab0b9584b7335ec2bd94a4b Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Thu, 6 Feb 2014 00:27:38 +0100
Subject: [PATCH 8/8] removing ignoreip at [nagios]

I removed the ignoreip setting from the nagios section. As pointed out, it is redundant here. Nagios server, under normal circumstances should not trigger any access errors, and would be included in the global ignoreips anyway.
---
 config/jail.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index 74d1e1d2a..ffbdf33e7 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -768,5 +768,4 @@ filter = nagios
 action = iptables[name=Nagios, port=5666, protocol=tcp]
  sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
-ignoreip = 123.12.123.12 ; your Nagios server
 maxretry = 1