diff --git a/.travis.yml b/.travis.yml index 773c5f0b..8da3e0bb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,10 +5,14 @@ python: - "2.5" - "2.6" - "2.7" +before_install: + - sudo apt-get update -qq install: - pip install pyinotify - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then pip install -q coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi script: - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi after_script: - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coveralls; fi diff --git a/.travis_coveragerc b/.travis_coveragerc index 4d4b7ebd..ac4a15d5 100644 --- a/.travis_coveragerc +++ b/.travis_coveragerc @@ -4,4 +4,3 @@ branch = True omit = /usr/* /home/travis/virtualenv/* - server/filtergamin.py diff --git a/config/filter.d/mysqld-auth.conf b/config/filter.d/mysqld-auth.conf new file mode 100644 index 00000000..197c8232 --- /dev/null +++ b/config/filter.d/mysqld-auth.conf @@ -0,0 +1,31 @@ +# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts +# +# Authors: Artur Penttinen +# Yaroslav O. Halchenko +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +#_daemon = mysqld + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) +failregex = Access denied for user '\w+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 29af88c0..4399d0bd 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -345,6 +345,19 @@ action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] logpath = /var/log/asterisk/messages maxretry = 10 +# To log wrong MySQL access attempts add to /etc/my.cnf: +# log-error=/var/log/mysqld.log +# log-warning = 2 +[mysqld-iptables] + +enabled = false +filter = mysqld-auth +action = iptables[name=mysql, port=3306, protocol=tcp] + sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] +logpath = /var/log/mysqld.log +maxretry = 5 + + # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local diff --git a/files/nagios/README b/files/nagios/README new file mode 100644 index 00000000..28e84495 --- /dev/null +++ b/files/nagios/README @@ -0,0 +1,104 @@ +Description +----------- +This plugin checks if the fail2ban server is running and how many IPs are currently banned. +You can use this plugin to monitor all the jails or just a specific jail. + + +How to use +---------- +Just have to run the following command: + $ ./check_fail2ban --help + +If you need to use this script with NRPE you just have to do the +following steps: + +1 allow your user to run the script with the sudo rights. Just add + something like that in your /etc/sudoers (use visudo) : + nagios ALL=(ALL) NOPASSWD: //check_fail2ban + +2 then just add this kind of line in your NRPE config file : + command[check_fail2ban]=/usr/bin/sudo //check_fail2ban + +3 don't forget to restart your NRPE daemon + +/!\ be careful to let no one able to update the check_fail2ban ;) +------------------------------------------------------------------------------ + + +Notes (from f2ban.txt) +----- +It seems that Fail2ban is currently not working, please login and check + +HELP: + +1.) stop the Service +/etc/init.d/fail2ban stop + +2.) delete the socket if available +rm /tmp/fail2ban.sock + +3.) start the Service +/etc/init.d/fail2ban start + +4.) check if fail2ban is working +fail2ban-client ping +Answer should be "pong" + +5.) if the answer is not "pong" run away or CRY FOR HELP ;-) + + +Help +---- + +Usage: //check_fail2ban [-p] [-D "CHECK FAIL2BAN ACTIVITY"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] + +Options: + -h, --help + Print detailed help screen + -V, --version + Print version information + -D, --display=STRING + To modify the output display + default is "CHECK FAIL2BAN ACTIVITY" + -P, --path-fail2ban_client=STRING + Specify the path to the tw_cli binary + default value is /usr/bin/fail2ban-client + -c, --critical=INT + Specify a critical threshold + default is 2 + -w, --warning=INT + Specify a warning threshold + default is 1 + -s, --socket=STRING + Specify a socket path + default is unset + -p, --perfdata + If you want to activate the perfdata output + -v, --verbose + Show details for command-line debugging (Nagios may truncate the output) + + +Example +------- + +# for a specific jail +$ ./check_fail2ban --verbose -p -j ssh -w 1 -c 5 -P /usr/bin/fail2ban-client +DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client +DEBUG : /usr/bin/fail2ban-client exists and is executable +DEBUG : final fail2ban command: /usr/bin/fail2ban-client +DEBUG : warning threshold : 1, critical threshold : 5 +DEBUG : it seems the connection with the fail2ban server is ok +CHECK FAIL2BAN ACTIVITY - OK - 0 current banned IP(s) for the specific jail ssh | currentBannedIP=0 + +# for all the current jails +$ ./check_fail2ban --verbose -p -w 1 -c 5 -P /usr/bin/fail2ban-client +DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client +DEBUG : /usr/bin/fail2ban-client exists and is executable +DEBUG : final fail2ban command: /usr/bin/fail2ban-client +DEBUG : warning threshold : 1, critical threshold : 5 +DEBUG : it seems the connection with the fail2ban server is ok +DEBUG : jails list: apache, ssh-ddos, ssh +DEBUG : the jail apache has currently 0 banned IPs +DEBUG : the jail ssh-ddos has currently 0 banned IPs +DEBUG : the jail ssh has currently 0 banned IPs +CHECK FAIL2BAN ACTIVITY - OK - 3 detected jails with 0 current banned IP(s) | currentBannedIP=0 diff --git a/files/nagios/check_fail2ban b/files/nagios/check_fail2ban index 2b38e8a9..77a63393 100755 --- a/files/nagios/check_fail2ban +++ b/files/nagios/check_fail2ban @@ -1,105 +1,346 @@ -#!/bin/bash +#!/usr/bin/perl + +# ------------------------------------------------------- +# -=- -=- +# ------------------------------------------------------- +# +# Description : This plugin checks if the fail2ban server is running +# and how many IPs are currently banned. +# +# +# inspired by the work of Sebastian Mueller - http://www.elchtest.eu +# +# +# Version : 0.1 +# ------------------------------------------------------- +# In : +# - see the How to use section # -# Usage: ./check_fail2ban -############################################################################################### -# Description: -# This plugin will check the status of Fail2ban. +# Out : +# - only print on the standard output # -# Created: 2008-10-25 (Sebastian Mueller) +# Features : +# - perfdata output +# - works with only a specific jail # -# Changes: 2008-10-26 fixed some issues (Sebastian Mueller) -# Changes: 2009-01-25 add the second check, when server is not replying and the -# process is hang-up (Sebastian Mueller) +# Fix Me/Todo : +# - too many things ;) but let me know what do you think about it # -# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu +# #################################################################### + +# #################################################################### +# GPL v2 +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# #################################################################### + +# #################################################################### +# How to use : +# ------------ # -################################################################################################ -# if you have any questions, send a mail to linux@krabbe-offline.de +# Just have to run the following command: +# $ ./check_fail2ban --help +# +# If you need to use this script with NRPE you just have to do the +# following steps: # -# this script is for my personal use. read the script before running/using it!!! +# 1 allow your user to run the script with the sudo rights. Just add +# something like that in your /etc/sudoers (use visudo) : +# nagios ALL=(ALL) NOPASSWD: //check_fail2ban # +# 2 then just add this kind of line in your NRPE config file : +# command[check_fail2ban]=/usr/bin/sudo //check_fail2ban # -# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY. -############################################################################################### +# 3 don't forget to restart your NRPE daemon +# +# +# /!\ be careful to let no one able to update the check_fail2ban ;) +# ------------------------------------------------------------------------------ +# +# #################################################################### + +# #################################################################### +# Changelog : +# ----------- +# +# -------------------------------------------------------------------- +# Date:12/03/2013 Version:0.1 Author:Erwan Ben Souiden +# >> creation +# #################################################################### + +# #################################################################### +# Don't touch anything under this line! +# You shall not pass - Gandalf is watching you +# #################################################################### + +use strict; +use warnings; +use Getopt::Long qw(:config no_ignore_case); + +# Generic variables +# ----------------- +my $version = '0.1'; +my $author = 'Erwan Labynocle Ben Souiden'; +my $a_mail = 'erwan@aleikoum.net'; +my $script_name = 'check_fail2ban'; +my $verbose_value = 0; +my $version_value = 0; +my $more_value = 0; +my $help_value = 0; +my $perfdata_value = 0; +my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4); + +# Plugin default variables +# ------------------------ +my $display = 'CHECK FAIL2BAN ACTIVITY'; +my ($critical,$warning) = (2,1); +my $fail2ban_client_path = '/usr/bin/fail2ban-client'; +my $fail2ban_socket = ''; +my $jail_specific = ''; + +GetOptions ( + 'P=s' => \ $fail2ban_client_path, + 'path-fail2ban_client=s' => \ $fail2ban_client_path, + 'j=s' => \ $jail_specific, + 'jail=s' => \ $jail_specific, + 'w=i' => \ $warning, + 'warning=i' => \ $warning, + 'socket=s' => \ $fail2ban_socket, + 'S=s' => \ $fail2ban_socket, + 'c=i' => \ $critical, + 'critical=i' => \ $critical, + 'V' => \ $version_value, + 'version' => \ $version_value, + 'h' => \ $help_value, + 'H' => \ $help_value, + 'help' => \ $help_value, + 'display=s' => \ $display, + 'D=s' => \ $display, + 'perfdata' => \ $perfdata_value, + 'p' => \ $perfdata_value, + 'v' => \ $verbose_value, + 'verbose' => \ $verbose_value +); + +print_usage() if ($help_value); +print_version() if ($version_value); + + +# Syntax check of your specified options +# -------------------------------------- + +print "DEBUG : fail2ban_client_path: $fail2ban_client_path\n" if ($verbose_value); +if (($fail2ban_client_path eq "")) { + print $display.'- one or more following arguments are missing: fail2ban_client_path'."\n"; + exit $ERRORS{"UNKNOWN"}; +} + +if(! -x $fail2ban_client_path) { + print $display.' - '.$fail2ban_client_path.' is not executable by you'."\n"; + exit $ERRORS{"UNKNOWN"}; +} +print "DEBUG : $fail2ban_client_path exists and is executable\n" if ($verbose_value); + +my $fail2ban_cmd = $fail2ban_client_path; +$fail2ban_cmd .= " -s $fail2ban_socket" if ($fail2ban_socket); + +print "DEBUG : final fail2ban command: $fail2ban_cmd\n" if ($verbose_value); + +print "DEBUG : warning threshold : $warning, critical threshold : $critical\n" if ($verbose_value); +if (($critical < 0) or ($warning < 0) or ($critical < $warning)) { + print $display.' - the thresholds must be integers and the critical threshold higher or equal than the warning threshold'."\n"; + exit $ERRORS{"UNKNOWN"}; +} + +# Core script +# ----------- +my ($how_many_jail,$how_many_banned,$return_print,$plugstate) = (0,0,"","OK"); -SECOND_CHECK=0 -STATE_OK=0 -STATE_CRITICAL=2 +### Test the connection to the fail2ban server +my @command_output = `$fail2ban_cmd ping`; +my $return_code = $?; +if ($return_code) { + print $display.'CRITICAL - non-zero exit code during testing fail2ban-client ping, check if the server is running and if you have the good permissions'; + exit $ERRORS{"CRITICAL"}; +} +else { + print "DEBUG : it seems the connection with the fail2ban server is ok\n" if ($verbose_value); +} + + +### Only if you specify one jail +if ($jail_specific) { + my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_specific"); + if ($current_ban_number == -1) { + print $display.' - CRITICAL - impossible to retrieve info about the jail '.$jail_specific; + exit $ERRORS{"CRITICAL"}; + } + else { + $how_many_banned = int($current_ban_number); + $return_print = $how_many_banned.' current banned IP(s) for the specific jail '.$jail_specific; + } +} +### To analyze all the jail +else { + # Retrieve the jails list + my @jail_list = obtain_jail_list("$fail2ban_cmd"); + if ($jail_list[0] eq "-1") { + print $display.' - CRITICAL - impossible to retrieve the jail list'."\n"; + exit $ERRORS{"CRITICAL"}; + } + + foreach (@jail_list) { + $how_many_jail ++; + + my $jail_name = $_; + $jail_name =~ tr/ //ds; + + my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_name"); + if ($current_ban_number == -1) { + print "DEBUG : problem to parse the current banned IPs for jail $jail_name\n" if ($verbose_value); + } + else { + print "DEBUG : the jail $jail_name has currently $current_ban_number banned IPs\n" if ($verbose_value); + $how_many_banned += int($current_ban_number); + } + } + $return_print = $how_many_jail.' detected jails with '.$how_many_banned.' current banned IP(s)'; +} + +### Final +$plugstate = "CRITICAL" if ($how_many_banned >= $critical); +$plugstate = "WARNING" if (($how_many_banned >= $warning) && ($how_many_banned < $critical)); + +$return_print = $display." - ".$plugstate." - ".$return_print; +$return_print .= " | currentBannedIP=$how_many_banned" if ($perfdata_value); + +print $return_print; +exit $ERRORS{"$plugstate"}; + + +# #################################################################### +# function 1 : display the help +# ----------------------------- +sub print_usage { + print </$script_name [-p] [-D "$display"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] + +Options: + -h, --help + Print detailed help screen + -V, --version + Print version information + -D, --display=STRING + To modify the output display + default is "CHECK FAIL2BAN ACTIVITY" + -P, --path-fail2ban_client=STRING + Specify the path to the tw_cli binary + default value is /usr/bin/fail2ban-client + -c, --critical=INT + Specify a critical threshold + default is 2 + -w, --warning=INT + Specify a warning threshold + default is 1 + -s, --socket=STRING + Specify a socket path + default is unset + -p, --perfdata + If you want to activate the perfdata output + -v, --verbose + Show details for command-line debugging (Nagios may truncate the output) + +Send email to $a_mail if you have questions +regarding use of this software. To submit patches or suggest improvements, +send email to $a_mail +This plugin has been created by $author + +Hope you will enjoy it ;) + +Remember : + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version 2 + of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +EOT + exit $ERRORS{"UNKNOWN"}; +} + +# function 2 : display version information +# ---------------------------------------- +sub print_version { + print </dev/null -do - sleep 1 - i=$i+1 -if [ $i -ge 10 ] - then - kill $pid - SECOND_CHECK=1 - exit_fail2ban=$STATE_CRITICAL - break -fi -done - -###################################################################### -# when the Server response (does not mean the FAIL2BAN is working) -# in the first step, then it will run again and test the Service -# and provide the real status -###################################################################### - - -if [ $SECOND_CHECK -eq 0 ]; then - check_processes_fail2ban - elif [ $SECOND_CHECK -eq 1 ]; then - exit_fail2ban=$STATE_CRITICAL -fi - - - -###################################################################### -# Main Menu -###################################################################### - - -final_exit=$exit_fail2ban -if [ $final_exit -eq 0 ]; then - echo "SYSTEM OK - Fail2ban is working normally" - exitstatus=$STATE_OK -elif [ $final_exit -ne "0" ]; then - echo "SYSTEM WARNING - Fail2Ban is not working" -###################################################################### -# If don't have a Nagios Server for monitoring, remove the comment and -# add your Mail Address. You can check it with a Cron Job once an hour. -# put a txt file on your server and describe how to fix the issue, this -# could be attached to the mail. -###################################################################### -# mutt -s "FAIL2BAN NOT WORKING" your@example.com < /home/f2ban.txt - - exitstatus=$STATE_CRITICAL -fi -exit $exitstatus diff --git a/files/nagios/f2ban.txt b/files/nagios/f2ban.txt deleted file mode 100644 index 0f048ff7..00000000 --- a/files/nagios/f2ban.txt +++ /dev/null @@ -1,18 +0,0 @@ -It seems that Fail2ban is currently not working, please login and check - -HELP: - -1.) stop the Service -/etc/init.d/fail2ban stop - -2.) delete the socket if available -rm /tmp/fail2ban.sock - -3.) start the Service -/etc/init.d/fail2ban start - -4.) check if fail2ban is working -fail2ban-client ping -Answer should be "pong" - -5.) if the answer is not "pong" run away or CRY FOR HELP ;-) diff --git a/server/datedetector.py b/server/datedetector.py index c013d551..a54e072d 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -155,6 +155,12 @@ class DateDetector: template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>") template.setPattern("<%m/%d/%y@%H:%M:%S>") self._appendTemplate(template) + # MySQL: 130322 11:46:11 + template = DateStrptime() + template.setName("MonthDayYear Hour:Minute:Second") + template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}") + template.setPattern("%y%m%d %H:%M:%S") + self._appendTemplate(template) finally: self.__lock.release() diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py index 64af1fab..7c3c7140 100644 --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py @@ -84,6 +84,7 @@ class DateDetectorTest(unittest.TestCase): "2005-01-23T21:59:59.252Z", #ISO 8601 "2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ "<01/23/05@21:59:59>", + "050123 21:59:59", # MySQL ): log = sdate + "[sshd] error: PAM: Authentication failure" # exclude diff --git a/testcases/files/logs/mysqld.log b/testcases/files/logs/mysqld.log new file mode 100644 index 00000000..b3a73078 --- /dev/null +++ b/testcases/files/logs/mysqld.log @@ -0,0 +1,6 @@ +130324 0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO) +130324 8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO) +130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO) +130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES) +130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO) +130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)