Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban

* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban: Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file. Added support for MySQL logfiles Conflicts: testcases/datedetectortestcase.py -- conflictde with other added test cases
2013-04-09 17:55:14 -04:00 · 2013-04-09 17:55:14 -04:00 · 3e6be243bf
parent 4fb06170f1 edc0eb2a9c
commit 3e6be243bf
5 changed files with 69 additions and 0 deletions
--- a/config/filter.d/mysqld.conf
+++ b/config/filter.d/mysqld.conf
@ -0,0 +1,32 @@
+# Fail2Ban configuration file
+#
+# Author: Artur Penttinen
+#
+# $Revision$
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+#_daemon = mysqld
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+failregex = Access denied for user '\w+'@'<HOST>'
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/jail.conf
+++ b/config/jail.conf
@ -345,6 +345,19 @@ action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
 logpath  = /var/log/asterisk/messages
 maxretry = 10

+# For log wrong MySQL access add to /etc/my.cnf:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+[mysqld-iptables]
+
+enabled  = false
+filter   = mysqld
+action   = iptables[name=mysql, port=3306, protocol=tcp]
+           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
+logpath  = /var/log/mysqld.log
+maxretry = 5
+
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNING !!!
 #   Make sure that your loglevel specified in fail2ban.conf/.local
--- a/server/datedetector.py
+++ b/server/datedetector.py
@ -155,6 +155,12 @@ class DateDetector:
 			template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>")
 			template.setPattern("<%m/%d/%y@%H:%M:%S>")
 			self._appendTemplate(template)
+			# MySQL: 130322 11:46:11
+			template = DateStrptime()
+			template.setName("MonthDayYear Hour:Minute:Second")
+			template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
+			template.setPattern("%y%m%d %H:%M:%S")
+			self._appendTemplate(template)
 		finally:
 			self.__lock.release()
 	
--- a/testcases/datedetectortestcase.py
+++ b/testcases/datedetectortestcase.py
@ -84,6 +84,7 @@ class DateDetectorTest(unittest.TestCase):
 			"2005-01-23T21:59:59.252Z", #ISO 8601
 			"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
 			"<01/23/05@21:59:59>",
+			"050123 21:59:59", # MySQL
 			):
 			log = sdate + "[sshd] error: PAM: Authentication failure"
 			# exclude
--- a/testcases/files/logs/mysqld.log
+++ b/testcases/files/logs/mysqld.log
@ -0,0 +1,17 @@
+130323 21:14:28 [Warning] Access denied for user 'root'@'192.168.1.34' (using password: NO)
+130324  0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO)
+130324  0:04:02 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:05 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:07 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:09 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:11 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:13 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:16 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  0:04:18 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES)
+130324  8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO)
+130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO)
+130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES)
+130324 17:56:15 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES)
+130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
+130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)
+130324 19:01:41 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)