From 29d0df58be4eba2cf7e241eb57a4d311dcff682a Mon Sep 17 00:00:00 2001
From: Artur Penttinen
Date: Sun, 24 Mar 2013 16:52:58 +0200
Subject: [PATCH] Added support for MySQL logfiles
---
config/filter.d/mysqld.conf | 32 ++++++++++++++++++++++++++++++++
config/jail.conf | 13 +++++++++++++
server/datedetector.py | 6 ++++++
3 files changed, 51 insertions(+)
create mode 100644 config/filter.d/mysqld.conf
diff --git a/config/filter.d/mysqld.conf b/config/filter.d/mysqld.conf
new file mode 100644
index 00000000..bc9164ce
--- /dev/null
+++ b/config/filter.d/mysqld.conf
@@ -0,0 +1,32 @@
+# Fail2Ban configuration file
+#
+# Author: Artur Penttinen
+#
+# $Revision$
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+#_daemon = mysqld
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+failregex = Access denied for user '\w+'@''
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = 
diff --git a/config/jail.conf b/config/jail.conf
index 8bb1a6b6..d56de5d0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
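Review bot: The user part of the new `failregex`, `'\w+'`, only matches word-character user names, so an `Access denied for user ''@...` line for an anonymous login, or a name containing `-` or `.`, is never counted against the client and such attempts go unbanned; since the name sits between fixed quotes, `'[^']*'` is the safer class, e.g. `failregex = Access denied for user '[^']*'@'<HOST>'`. The host part renders here as `''`, presumably the `<HOST>` tag lost in page rendering rather than in the patch, so the suggested line keeps the tag. The sample line in the comment above it would be a good anchor for a small `failregex` unit test once the name class is widened.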
@@ -331,6 +331,19 @@ action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
 logpath = /var/log/asterisk/messages
 maxretry = 10
+# For log wrong MySQL access add to /etc/my.cnf:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+[mysqld-iptables]
+
+enabled = false
+filter = mysqld
+action = iptables[name=mysql, port=3306, protocol=tcp]
+ sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
+logpath = /var/log/mysqld.log
+maxretry = 5
+
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNING !!!
 # Make sure that your loglevel specified in fail2ban.conf/.local
diff --git a/server/datedetector.py b/server/datedetector.py
index c013d551..a54e072d 100644
--- a/server/datedetector.py
+++ b/server/datedetector.py
@@ -155,6 +155,12 @@ class DateDetector:
 template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>")
 template.setPattern("<%m/%d/%y@%H:%M:%S>")
 self._appendTemplate(template)
+# MySQL: 130322 11:46:11
+template = DateStrptime()
+template.setName("MonthDayYear Hour:Minute:Second")
+template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
+template.setPattern("%y%m%d %H:%M:%S")
+self._appendTemplate(template)
 finally:
 self.__lock.release()
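Review bot: The `my.cnf` hint in the comment block above `[mysqld-iptables]` spells the option `log-warning = 2`; as far as I know the MySQL server option is `log-warnings` (plural), and an administrator who copies the misspelled line gets no access-denied entries in the error log, so the jail silently never fires — I would change it to `# log-warnings = 2`. The first comment line also reads awkwardly; `# To log failed MySQL logins, add to /etc/my.cnf:` says the same thing. It may also be worth noting in that comment that the jail only works when `log-error` points at the same file as `logpath`, since the two values have to be kept in step by hand.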
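Review bot: The name given on the added `setName` line, `MonthDayYear Hour:Minute:Second`, contradicts the pattern `%y%m%d %H:%M:%S` two lines below, which parses the year first; the name is presumably what appears in debug output, so it should read `template.setName("YearMonthDay Hour:Minute:Second")`. The regex `^\d{2}\d{2}\d{2}` is just `^\d{6}`, and writing it as `^\d{6} +\d{1,2}:\d{2}:\d{2}` makes it plain that any line beginning with six digits is claimed by this template once it is reached, which deserves a short comment since other log formats with a numeric prefix would be parsed as a MySQL date. The enclosing method, whose `try:` and lock acquisition precede the hunk, starts outside this hunk.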