Merge branch 'master' into 0.9

* master:
  ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth
  Adjusting previous PR (MySQL logs) according to my comments
  TST: Add gamin testing for and only coveralls coverage for python2.7
  change the license to GPLv2 + adapt text
  TST: Add gamin support for Travis CI
  fix the script name to check_fail2ban everywhere
  Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
  Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
  Added support for MySQL logfiles
pull/170/merge
Yaroslav Halchenko 12 years ago
commit ebfb9422d8

@ -5,10 +5,14 @@ python:
- "2.5"
- "2.6"
- "2.7"
before_install:
- sudo apt-get update -qq
install:
- pip install pyinotify
- if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then pip install -q coveralls; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi
script:
- if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi
after_script:
- if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coveralls; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coveralls; fi
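Review bot: the `install:` section never installs `coverage` explicitly, yet `script:` runs `coverage run --rcfile=.travis_coveragerc fail2ban-testcases`; it only works because `coveralls` pulls `coverage` in as a dependency, so make it explicit with `pip install -q coverage coveralls`. The `export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"` line exists to make the system `python-gamin` package visible inside the Travis virtualenv; a one-line comment saying so would spare the next reader the guess, and the four separate `[[ $TRAVIS_PYTHON_VERSION == 2.7 ]]` guards could be folded into fewer lines.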

@ -4,4 +4,3 @@ branch = True
omit =
/usr/*
/home/travis/virtualenv/*
server/filtergamin.py
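Review bot: dropping `server/filtergamin.py` from `omit` is consistent with the .travis.yml change only as long as coverage is uploaded from the python 2.7 job, the one where `python-gamin` is installed; if a 2.5 or 2.6 job ever reports to coveralls, that file will show up as uncovered. A short comment in the rc file recording that assumption would help.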

@ -0,0 +1,31 @@
# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
#
# Authors: Artur Penttinen
# Yaroslav O. Halchenko
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
#_daemon = mysqld
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
failregex = Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
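Review bot: in `failregex`, `'\w+'` for the user name misses MySQL accounts whose names contain characters outside `\w` (hyphen, dot, space) as well as the anonymous user `''`; `'[^']*'` matches every single-quoted user name while keeping the `@'<HOST>'` anchor. The first comment line misspells "unsuccessful", and nothing in this file references anything pulled in by `before = common.conf`, so either the regex should use the shared prefix or the `[INCLUDES]` block and the commented-out `#_daemon = mysqld` should go.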

@ -345,6 +345,19 @@ action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
logpath = /var/log/asterisk/messages
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath = /var/log/mysqld.log
maxretry = 5
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
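Review bot: in the comment above `[mysqld-iptables]`, the MySQL server option is `log-warnings` (plural); `log-warning = 2` is accepted only because MySQL tolerates unambiguous option prefixes, so the documented name should be used. It would also help to say why the value 2 is required: access-denied messages are only written to the error log at that level, which is what `filter = mysqld-auth` depends on. Minor: `iptables[name=mysql, ...]` and `sendmail-whois[name=MySQL, ...]` spell the jail name differently.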

@ -0,0 +1,104 @@
Description
-----------
This plugin checks if the fail2ban server is running and how many IPs are currently banned.
You can use this plugin to monitor all the jails or just a specific jail.
How to use
----------
Just have to run the following command:
$ ./check_fail2ban --help
If you need to use this script with NRPE you just have to do the
following steps:
1 allow your user to run the script with the sudo rights. Just add
something like that in your /etc/sudoers (use visudo) :
nagios ALL=(ALL) NOPASSWD: /<path-to>/check_fail2ban
2 then just add this kind of line in your NRPE config file :
command[check_fail2ban]=/usr/bin/sudo /<path-to>/check_fail2ban
3 don't forget to restart your NRPE daemon
/!\ be careful to let no one able to update the check_fail2ban ;)
------------------------------------------------------------------------------
Notes (from f2ban.txt)
-----
It seems that Fail2ban is currently not working, please login and check
HELP:
1.) stop the Service
/etc/init.d/fail2ban stop
2.) delete the socket if available
rm /tmp/fail2ban.sock
3.) start the Service
/etc/init.d/fail2ban start
4.) check if fail2ban is working
fail2ban-client ping
Answer should be "pong"
5.) if the answer is not "pong" run away or CRY FOR HELP ;-)
Help
----
Usage: /<path-to>/check_fail2ban [-p] [-D "CHECK FAIL2BAN ACTIVITY"] [-v] [-c 2] [-w 1] [-s /<path-to>/socket] [-P /usr/bin/fail2ban-client]
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
-D, --display=STRING
To modify the output display
default is "CHECK FAIL2BAN ACTIVITY"
-P, --path-fail2ban_client=STRING
Specify the path to the tw_cli binary
default value is /usr/bin/fail2ban-client
-c, --critical=INT
Specify a critical threshold
default is 2
-w, --warning=INT
Specify a warning threshold
default is 1
-s, --socket=STRING
Specify a socket path
default is unset
-p, --perfdata
If you want to activate the perfdata output
-v, --verbose
Show details for command-line debugging (Nagios may truncate the output)
Example
-------
# for a specific jail
$ ./check_fail2ban --verbose -p -j ssh -w 1 -c 5 -P /usr/bin/fail2ban-client
DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client
DEBUG : /usr/bin/fail2ban-client exists and is executable
DEBUG : final fail2ban command: /usr/bin/fail2ban-client
DEBUG : warning threshold : 1, critical threshold : 5
DEBUG : it seems the connection with the fail2ban server is ok
CHECK FAIL2BAN ACTIVITY - OK - 0 current banned IP(s) for the specific jail ssh | currentBannedIP=0
# for all the current jails
$ ./check_fail2ban --verbose -p -w 1 -c 5 -P /usr/bin/fail2ban-client
DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client
DEBUG : /usr/bin/fail2ban-client exists and is executable
DEBUG : final fail2ban command: /usr/bin/fail2ban-client
DEBUG : warning threshold : 1, critical threshold : 5
DEBUG : it seems the connection with the fail2ban server is ok
DEBUG : jails list: apache, ssh-ddos, ssh
DEBUG : the jail apache has currently 0 banned IPs
DEBUG : the jail ssh-ddos has currently 0 banned IPs
DEBUG : the jail ssh has currently 0 banned IPs
CHECK FAIL2BAN ACTIVITY - OK - 3 detected jails with 0 current banned IP(s) | currentBannedIP=0
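Review bot: the Help section documents no `-j`/`--jail` option, yet the Example runs `./check_fail2ban --verbose -p -j ssh -w 1 -c 5 ...` and the Description promises monitoring of a specific jail; add `-j, --jail=STRING` to the Options list and to the Usage line. `-P, --path-fail2ban_client=STRING` still says "Specify the path to the tw_cli binary", a leftover from another plugin, and should name `fail2ban-client`. The sudoers advice `nagios ALL=(ALL) NOPASSWD: /<path-to>/check_fail2ban` should state outright what the `/!\` line hints at: the script must be owned by root and not writable by the nagios user, otherwise the NOPASSWD rule hands root to whoever can edit it.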

@ -1,105 +1,346 @@
#!/bin/bash
#!/usr/bin/perl
# -------------------------------------------------------
# -=- <check_fail2ban> -=-
# -------------------------------------------------------
#
# Description : This plugin checks if the fail2ban server is running
# and how many IPs are currently banned.
#
#
# inspired by the work of Sebastian Mueller - http://www.elchtest.eu
#
#
# Version : 0.1
# -------------------------------------------------------
# In :
# - see the How to use section
#
# Usage: ./check_fail2ban
###############################################################################################
# Description:
# This plugin will check the status of Fail2ban.
# Out :
# - only print on the standard output
#
# Created: 2008-10-25 (Sebastian Mueller)
# Features :
# - perfdata output
# - works with only a specific jail
#
# Changes: 2008-10-26 fixed some issues (Sebastian Mueller)
# Changes: 2009-01-25 add the second check, when server is not replying and the
# process is hang-up (Sebastian Mueller)
# Fix Me/Todo :
# - too many things ;) but let me know what do you think about it
#
# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu
# ####################################################################
# ####################################################################
# GPL v2
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# ####################################################################
# ####################################################################
# How to use :
# ------------
#
################################################################################################
# if you have any questions, send a mail to linux@krabbe-offline.de
# Just have to run the following command:
# $ ./check_fail2ban --help
#
# If you need to use this script with NRPE you just have to do the
# following steps:
#
# this script is for my personal use. read the script before running/using it!!!
# 1 allow your user to run the script with the sudo rights. Just add
# something like that in your /etc/sudoers (use visudo) :
# nagios ALL=(ALL) NOPASSWD: /<path-to>/check_fail2ban
#
# 2 then just add this kind of line in your NRPE config file :
# command[check_fail2ban]=/usr/bin/sudo /<path-to>/check_fail2ban
#
# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY.
###############################################################################################
# 3 don't forget to restart your NRPE daemon
#
#
# /!\ be careful to let no one able to update the check_fail2ban ;)
# ------------------------------------------------------------------------------
#
# ####################################################################
# ####################################################################
# Changelog :
# -----------
#
# --------------------------------------------------------------------
# Date:12/03/2013 Version:0.1 Author:Erwan Ben Souiden
# >> creation
# ####################################################################
# ####################################################################
# Don't touch anything under this line!
# You shall not pass - Gandalf is watching you
# ####################################################################
use strict;
use warnings;
use Getopt::Long qw(:config no_ignore_case);
# Generic variables
# -----------------
my $version = '0.1';
my $author = 'Erwan Labynocle Ben Souiden';
my $a_mail = 'erwan@aleikoum.net';
my $script_name = 'check_fail2ban';
my $verbose_value = 0;
my $version_value = 0;
my $more_value = 0;
my $help_value = 0;
my $perfdata_value = 0;
my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
# Plugin default variables
# ------------------------
my $display = 'CHECK FAIL2BAN ACTIVITY';
my ($critical,$warning) = (2,1);
my $fail2ban_client_path = '/usr/bin/fail2ban-client';
my $fail2ban_socket = '';
my $jail_specific = '';
GetOptions (
'P=s' => \ $fail2ban_client_path,
'path-fail2ban_client=s' => \ $fail2ban_client_path,
'j=s' => \ $jail_specific,
'jail=s' => \ $jail_specific,
'w=i' => \ $warning,
'warning=i' => \ $warning,
'socket=s' => \ $fail2ban_socket,
'S=s' => \ $fail2ban_socket,
'c=i' => \ $critical,
'critical=i' => \ $critical,
'V' => \ $version_value,
'version' => \ $version_value,
'h' => \ $help_value,
'H' => \ $help_value,
'help' => \ $help_value,
'display=s' => \ $display,
'D=s' => \ $display,
'perfdata' => \ $perfdata_value,
'p' => \ $perfdata_value,
'v' => \ $verbose_value,
'verbose' => \ $verbose_value
);
print_usage() if ($help_value);
print_version() if ($version_value);
# Syntax check of your specified options
# --------------------------------------
print "DEBUG : fail2ban_client_path: $fail2ban_client_path\n" if ($verbose_value);
if (($fail2ban_client_path eq "")) {
print $display.'- one or more following arguments are missing: fail2ban_client_path'."\n";
exit $ERRORS{"UNKNOWN"};
}
if(! -x $fail2ban_client_path) {
print $display.' - '.$fail2ban_client_path.' is not executable by you'."\n";
exit $ERRORS{"UNKNOWN"};
}
print "DEBUG : $fail2ban_client_path exists and is executable\n" if ($verbose_value);
my $fail2ban_cmd = $fail2ban_client_path;
$fail2ban_cmd .= " -s $fail2ban_socket" if ($fail2ban_socket);
print "DEBUG : final fail2ban command: $fail2ban_cmd\n" if ($verbose_value);
print "DEBUG : warning threshold : $warning, critical threshold : $critical\n" if ($verbose_value);
if (($critical < 0) or ($warning < 0) or ($critical < $warning)) {
print $display.' - the thresholds must be integers and the critical threshold higher or equal than the warning threshold'."\n";
exit $ERRORS{"UNKNOWN"};
}
# Core script
# -----------
my ($how_many_jail,$how_many_banned,$return_print,$plugstate) = (0,0,"","OK");
SECOND_CHECK=0
STATE_OK=0
STATE_CRITICAL=2
### Test the connection to the fail2ban server
my @command_output = `$fail2ban_cmd ping`;
my $return_code = $?;
if ($return_code) {
print $display.'CRITICAL - non-zero exit code during testing fail2ban-client ping, check if the server is running and if you have the good permissions';
exit $ERRORS{"CRITICAL"};
}
else {
print "DEBUG : it seems the connection with the fail2ban server is ok\n" if ($verbose_value);
}
### Only if you specify one jail
if ($jail_specific) {
my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_specific");
if ($current_ban_number == -1) {
print $display.' - CRITICAL - impossible to retrieve info about the jail '.$jail_specific;
exit $ERRORS{"CRITICAL"};
}
else {
$how_many_banned = int($current_ban_number);
$return_print = $how_many_banned.' current banned IP(s) for the specific jail '.$jail_specific;
}
}
### To analyze all the jail
else {
# Retrieve the jails list
my @jail_list = obtain_jail_list("$fail2ban_cmd");
if ($jail_list[0] eq "-1") {
print $display.' - CRITICAL - impossible to retrieve the jail list'."\n";
exit $ERRORS{"CRITICAL"};
}
foreach (@jail_list) {
$how_many_jail ++;
my $jail_name = $_;
$jail_name =~ tr/ //ds;
my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_name");
if ($current_ban_number == -1) {
print "DEBUG : problem to parse the current banned IPs for jail $jail_name\n" if ($verbose_value);
}
else {
print "DEBUG : the jail $jail_name has currently $current_ban_number banned IPs\n" if ($verbose_value);
$how_many_banned += int($current_ban_number);
}
}
$return_print = $how_many_jail.' detected jails with '.$how_many_banned.' current banned IP(s)';
}
### Final
$plugstate = "CRITICAL" if ($how_many_banned >= $critical);
$plugstate = "WARNING" if (($how_many_banned >= $warning) && ($how_many_banned < $critical));
$return_print = $display." - ".$plugstate." - ".$return_print;
$return_print .= " | currentBannedIP=$how_many_banned" if ($perfdata_value);
print $return_print;
exit $ERRORS{"$plugstate"};
# ####################################################################
# function 1 : display the help
# -----------------------------
sub print_usage {
print <<EOT;
$script_name version $version by $author
This plugin checks if the fail2ban server is running and how many IPs are currently banned.
You can use this plugin to monitor all the jails or just a specific jail.
Usage: /<path-to>/$script_name [-p] [-D "$display"] [-v] [-c 2] [-w 1] [-s /<path-to>/socket] [-P /usr/bin/fail2ban-client]
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
-D, --display=STRING
To modify the output display
default is "CHECK FAIL2BAN ACTIVITY"
-P, --path-fail2ban_client=STRING
Specify the path to the tw_cli binary
default value is /usr/bin/fail2ban-client
-c, --critical=INT
Specify a critical threshold
default is 2
-w, --warning=INT
Specify a warning threshold
default is 1
-s, --socket=STRING
Specify a socket path
default is unset
-p, --perfdata
If you want to activate the perfdata output
-v, --verbose
Show details for command-line debugging (Nagios may truncate the output)
Send email to $a_mail if you have questions
regarding use of this software. To submit patches or suggest improvements,
send email to $a_mail
This plugin has been created by $author
Hope you will enjoy it ;)
Remember :
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
EOT
exit $ERRORS{"UNKNOWN"};
}
# function 2 : display version information
# ----------------------------------------
sub print_version {
print <<EOT;
$script_name version $version
EOT
exit $ERRORS{"UNKNOWN"};
}
# function 3 : return the jail list
# ---------------------------------
sub obtain_jail_list {
my ($fail2ban_client_path) = @_;
my @command_output = `$fail2ban_client_path status`;
my $return_code = $?;
if ($return_code) {
return -1;
}
my @jail_list;
foreach (@command_output) {
if ($_=~/^.*Jail list:\t+(.*)/) {
print "DEBUG : jails list: $1\n" if ($verbose_value);
@jail_list = split(/,/, $1);
}
}
return @jail_list;
}
######################################################################
# Read the Status from fail2ban-client
######################################################################
check_processes_fail2ban()
{
F2B=`sudo -u root fail2ban-client ping | awk -F " " '{print $3}'`
exit_fail2ban=0
# function 4 : return how many IP are currently ban for a given jail
# ------------------------------------------------------------------
sub currently_ban {
my ($fail2ban_client_path,$jail_name) = @_;
if [[ $F2B = "pong" ]]; then
exit_fail2ban=$STATE_OK
else
exit_fail2ban=$STATE_CRITICAL
fi
my @command_output = `$fail2ban_client_path status $jail_name`;
my $return_code = $?;
if ($return_code) {
return -1;
}
foreach (@command_output) {
if ($_=~/^.*Currently banned:\t+(.*)/) {
my $current_count = $1;
$current_count =~ tr/ //ds;
return $current_count;
}
}
return -1;
}
######################################################################
# first check in the Background, PID will be killed when no response
# after 10 seconds, might be possible, otherwise the script will be
# present in your memory all the time
######################################################################
check_processes_fail2ban &
pid=$!
typeset -i i=0
while ps $pid >/dev/null
do
sleep 1
i=$i+1
if [ $i -ge 10 ]
then
kill $pid
SECOND_CHECK=1
exit_fail2ban=$STATE_CRITICAL
break
fi
done
######################################################################
# when the Server response (does not mean the FAIL2BAN is working)
# in the first step, then it will run again and test the Service
# and provide the real status
######################################################################
if [ $SECOND_CHECK -eq 0 ]; then
check_processes_fail2ban
elif [ $SECOND_CHECK -eq 1 ]; then
exit_fail2ban=$STATE_CRITICAL
fi
######################################################################
# Main Menu
######################################################################
final_exit=$exit_fail2ban
if [ $final_exit -eq 0 ]; then
echo "SYSTEM OK - Fail2ban is working normally"
exitstatus=$STATE_OK
elif [ $final_exit -ne "0" ]; then
echo "SYSTEM WARNING - Fail2Ban is not working"
######################################################################
# If don't have a Nagios Server for monitoring, remove the comment and
# add your Mail Address. You can check it with a Cron Job once an hour.
# put a txt file on your server and describe how to fix the issue, this
# could be attached to the mail.
######################################################################
# mutt -s "FAIL2BAN NOT WORKING" your@example.com < /home/f2ban.txt
exitstatus=$STATE_CRITICAL
fi
exit $exitstatus
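Review bot: `$fail2ban_client_path`, `$fail2ban_socket` and `$jail_name` are interpolated unquoted into the backtick commands at `my @command_output = \`$fail2ban_cmd ping\`;`, `\`$fail2ban_client_path status\`` and `\`$fail2ban_client_path status $jail_name\``, so any shell metacharacter in a `-P`/`-s` argument or in a jail name parsed from `Jail list:` reaches `/bin/sh`. Because the header comments have NRPE run this script through sudo with `NOPASSWD` and no argument restriction, those values must be treated as untrusted: run the client without a shell (list-form `open(my $fh, '-|', $fail2ban_client_path, @socket_args, 'status', $jail_name)`) or reject anything not matching a strict allow-list such as `^[\w./-]+$`. Also, the ping failure path `print $display.'CRITICAL - non-zero exit code during testing fail2ban-client ping, ...'` lacks the `' - '` separator and trailing newline that the other error messages use, and `print $return_print;` at the end has no newline either.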

@ -1,18 +0,0 @@
It seems that Fail2ban is currently not working, please login and check
HELP:
1.) stop the Service
/etc/init.d/fail2ban stop
2.) delete the socket if available
rm /tmp/fail2ban.sock
3.) start the Service
/etc/init.d/fail2ban start
4.) check if fail2ban is working
fail2ban-client ping
Answer should be "pong"
5.) if the answer is not "pong" run away or CRY FOR HELP ;-)

@ -155,6 +155,12 @@ class DateDetector:
template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>")
template.setPattern("<%m/%d/%y@%H:%M:%S>")
self._appendTemplate(template)
# MySQL: 130322 11:46:11
template = DateStrptime()
template.setName("MonthDayYear Hour:Minute:Second")
template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
template.setPattern("%y%m%d %H:%M:%S")
self._appendTemplate(template)
finally:
self.__lock.release()
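Review bot: `template.setName("MonthDayYear Hour:Minute:Second")` does not describe the pattern `%y%m%d %H:%M:%S`, which is year, month, day; name it `YearMonthDay Hour:Minute:Second` so the template list stays self-explanatory. In the regex, `^\d{2}\d{2}\d{2}` is simply `^\d{6}`, so any line opening with six digits and a time will be claimed by this template; and the `\d{1,2}` hour is there because MySQL pads nothing (`130324 0:04:00` in the sample log of this commit), which is worth a comment next to `# MySQL: 130322 11:46:11`.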

@ -84,6 +84,7 @@ class DateDetectorTest(unittest.TestCase):
"2005-01-23T21:59:59.252Z", #ISO 8601
"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
"<01/23/05@21:59:59>",
"050123 21:59:59", # MySQL
):
log = sdate + "[sshd] error: PAM: Authentication failure"
# exclude
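Review bot: the new case `"050123 21:59:59", # MySQL` exercises only the two-digit hour, while the template's regex deliberately allows `\d{1,2}` for the hour because MySQL writes `130324 0:04:00`. Every entry in this tuple is the same timestamp (2005-01-23 21:59:59), so a single-digit-hour case such as `050123 1:59:59` needs its own assertion rather than a slot here, but without it the branch the sample log relies on is untested.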

@ -0,0 +1,6 @@
130324 0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO)
130324 8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO)
130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO)
130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES)
130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)
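Review bot: the sample log carries what look like real public addresses (`220.95.238.171`, `61.160.223.112`, `61.147.108.35`) copied from a live server; committed fixtures should use RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) or private space like the `192.168.1.35` already in the first line. The six lines cover both `(using password: NO)` and `(using password: YES)` but not the `to database '...'` alternative of the new failregex, so one line of that form would complete the fixture.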