From 29d0df58be4eba2cf7e241eb57a4d311dcff682a Mon Sep 17 00:00:00 2001 From: Artur Penttinen Date: Sun, 24 Mar 2013 16:52:58 +0200 Subject: [PATCH 1/9] Added support for MySQL logfiles --- config/filter.d/mysqld.conf | 32 ++++++++++++++++++++++++++++++++ config/jail.conf | 13 +++++++++++++ server/datedetector.py | 6 ++++++ 3 files changed, 51 insertions(+) create mode 100644 config/filter.d/mysqld.conf diff --git a/config/filter.d/mysqld.conf b/config/filter.d/mysqld.conf new file mode 100644 index 00000000..bc9164ce --- /dev/null +++ b/config/filter.d/mysqld.conf @@ -0,0 +1,32 @@ +# Fail2Ban configuration file +# +# Author: Artur Penttinen +# +# $Revision$ +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +#_daemon = mysqld + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) +failregex = Access denied for user '\w+'@'' + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 8bb1a6b6..d56de5d0 100644 --- a/config/jail.conf +++ b/config/jail.conf 
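Review bot: The user part of `failregex`, `'\w+'`, only matches account names made of word characters, so an "Access denied" line for a MySQL account whose name contains `-`, `.` or `@` is never counted; `'[^']+'` matches whatever MySQL quotes in that position. The revision of this regex in patch 8/9 (hunk `@@ -23,7 +22,7 @@` of `config/filter.d/mysqld.conf`) keeps the same `'\w+'`, so the point applies there too. The page shows `''` after the `@`, where the `<HOST>` tag presumably sits but was stripped when the patch was rendered; this note assumes the real line reads `'<HOST>'`. `#_daemon = mysqld` is left commented out without explanation — a one-line comment such as `# _daemon is unused: the mysqld error log is not written through syslog` would save the next reader the question, if that is indeed the reason.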
@@ -331,6 +331,19 @@ action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] logpath = /var/log/asterisk/messages maxretry = 10 +# For log wrong MySQL access add to /etc/my.cnf: +# log-error=/var/log/mysqld.log +# log-warning = 2 +[mysqld-iptables] + +enabled = false +filter = mysqld +action = iptables[name=mysql, port=3306, protocol=tcp] + sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] +logpath = /var/log/mysqld.log +maxretry = 5 + + # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local diff --git a/server/datedetector.py b/server/datedetector.py index c013d551..a54e072d 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -155,6 +155,12 @@ class DateDetector: template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>") template.setPattern("<%m/%d/%y@%H:%M:%S>") self._appendTemplate(template) + # MySQL: 130322 11:46:11 + template = DateStrptime() + template.setName("MonthDayYear Hour:Minute:Second") + template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}") + template.setPattern("%y%m%d %H:%M:%S") + self._appendTemplate(template) finally: self.__lock.release() From edc0eb2a9c4518ca8e458564fd4429c2d4c4a115 Mon Sep 17 00:00:00 2001 From: Artur Penttinen Date: Mon, 25 Mar 2013 16:00:07 +0200 Subject: [PATCH 2/9] Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file. --- testcases/datedetectortestcase.py | 1 + testcases/files/logs/mysqld.log | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 testcases/files/logs/mysqld.log diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py index 34ce22ce..5784387d 100644 --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py 
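Review bot: The template name added in the datedetector hunk, `"MonthDayYear Hour:Minute:Second"`, does not describe the pattern it is paired with — `%y%m%d` is year, month, day — so it should read `template.setName("YearMonthDay Hour:Minute:Second")`. The regex `^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}` is equivalent to `^\d{6} +\d{1,2}:\d{2}:\d{2}`, which reads more clearly; if the split was meant to document the three fields, the `# MySQL: 130322 11:46:11` comment already does that. An anchored six-digit prefix is fairly unspecific, so a line from another source that happens to start with six digits and a time may be claimed by this template; whether that matters depends on how `_appendTemplate` orders templates, which is outside this hunk. The enclosing method starts before this hunk.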
@@ -68,6 +68,7 @@ class DateDetectorTest(unittest.TestCase): "2005.01.23 21:59:59", "23/01/2005 21:59:59", "01-23-2005 21:59:59.252", # reported on f2b, causes Feb29 fix to break + "050123 21:59:59", # MySQL ): log = sdate + "[sshd] error: PAM: Authentication failure" # exclude diff --git a/testcases/files/logs/mysqld.log b/testcases/files/logs/mysqld.log new file mode 100644 index 00000000..8dfd6338 --- /dev/null +++ b/testcases/files/logs/mysqld.log 
@@ -0,0 +1,17 @@ +130323 21:14:28 [Warning] Access denied for user 'root'@'192.168.1.34' (using password: NO) +130324 0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO) +130324 0:04:02 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:05 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:07 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:09 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:11 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:13 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:16 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 0:04:18 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) +130324 8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO) +130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO) +130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES) +130324 17:56:15 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES) +130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO) +130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES) +130324 19:01:41 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES) From d7d5228964baf589270f7f1ecdb83bcda0d6dac1 Mon Sep 17 00:00:00 2001 
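Review bot: The fixture commits what look like real public addresses — `220.95.238.171`, `61.160.223.112`, `61.147.108.35` — apparently lifted from a production error log. Test fixtures should use the documentation ranges reserved by RFC 5737 (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so the repository does not publish third-party addresses; the private `192.168.1.x` entries are fine as they are. Patch 8/9 trims this file (hunk `@@ -1,17 +1,6 @@` of `testcases/files/logs/mysqld.log`) but keeps the same three addresses. The surviving lines also only carry the `(using password: ...)` suffix, so the `to database '...'` alternative that patch 8/9 adds to `failregex` has no fixture line exercising it.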
From: Erwan Ben Souiden Date: Tue, 26 Mar 2013 15:55:26 +0100 Subject: [PATCH 3/9] Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed) --- files/nagios/README | 104 +++++++++ files/nagios/check_fail2ban | 422 ++++++++++++++++++++++++++++-------- files/nagios/f2ban.txt | 18 -- 3 files changed, 435 insertions(+), 109 deletions(-) create mode 100644 files/nagios/README delete mode 100644 files/nagios/f2ban.txt diff --git a/files/nagios/README b/files/nagios/README new file mode 100644 index 00000000..99ffc4e0 --- /dev/null +++ b/files/nagios/README 
@@ -0,0 +1,104 @@ +Description +----------- +This plugin checks if the fail2ban server is running and how many IPs are currently banned. +You can use this plugin to monitor all the jails or just a specific jail. + + +How to use +---------- +Just have to run the following command: + $ ./check_fail2ban_activity --help + +If you need to use this script with NRPE you just have to do the +following steps: + +1 allow your user to run the script with the sudo rights. Just add + something like that in your /etc/sudoers (use visudo) : + nagios ALL=(ALL) NOPASSWD: //check_fail2ban_activity + +2 then just add this kind of line in your NRPE config file : + command[check_fail2ban]=/usr/bin/sudo //check_fail2ban_activity + +3 don't forget to restart your NRPE daemon + +/!\ be careful to let no one able to update the check_fail2ban_activity ;) +------------------------------------------------------------------------------ + + +Notes (from f2ban.txt) +----- +It seems that Fail2ban is currently not working, please login and check + +HELP: + +1.) stop the Service +/etc/init.d/fail2ban stop + +2.) delete the socket if available +rm /tmp/fail2ban.sock + +3.) start the Service +/etc/init.d/fail2ban start + +4.) check if fail2ban is working +fail2ban-client ping +Answer should be "pong" + +5.) 
if the answer is not "pong" run away or CRY FOR HELP ;-) + + +Help +---- + +Usage: //check_fail2ban_activity [-p] [-D "CHECK FAIL2BAN ACTIVITY"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] + +Options: + -h, --help + Print detailed help screen + -V, --version + Print version information + -D, --display=STRING + To modify the output display + default is "CHECK FAIL2BAN ACTIVITY" + -P, --path-fail2ban_client=STRING + Specify the path to the tw_cli binary + default value is /usr/bin/fail2ban-client + -c, --critical=INT + Specify a critical threshold + default is 2 + -w, --warning=INT + Specify a warning threshold + default is 1 + -s, --socket=STRING + Specify a socket path + default is unset + -p, --perfdata + If you want to activate the perfdata output + -v, --verbose + Show details for command-line debugging (Nagios may truncate the output) + + +Example +------- + +# for a specific jail +$ ./check_fail2ban_activity --verbose -p -j ssh -w 1 -c 5 -P /usr/bin/fail2ban-client +DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client +DEBUG : /usr/bin/fail2ban-client exists and is executable +DEBUG : final fail2ban command: /usr/bin/fail2ban-client +DEBUG : warning threshold : 1, critical threshold : 5 +DEBUG : it seems the connection with the fail2ban server is ok +CHECK FAIL2BAN ACTIVITY - OK - 0 current banned IP(s) for the specific jail ssh | currentBannedIP=0 + +# for all the current jails +$ ./check_fail2ban_activity --verbose -p -w 1 -c 5 -P /usr/bin/fail2ban-client +DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client +DEBUG : /usr/bin/fail2ban-client exists and is executable +DEBUG : final fail2ban command: /usr/bin/fail2ban-client +DEBUG : warning threshold : 1, critical threshold : 5 +DEBUG : it seems the connection with the fail2ban server is ok +DEBUG : jails list: apache, ssh-ddos, ssh +DEBUG : the jail apache has currently 0 banned IPs +DEBUG : the jail ssh-ddos has currently 0 banned IPs +DEBUG : the jail ssh has currently 0 banned IPs 
+CHECK FAIL2BAN ACTIVITY - OK - 3 detected jails with 0 current banned IP(s) | currentBannedIP=0 diff --git a/files/nagios/check_fail2ban b/files/nagios/check_fail2ban index 2b38e8a9..01ff2dae 100755 --- a/files/nagios/check_fail2ban +++ b/files/nagios/check_fail2ban 
@@ -1,105 +1,345 @@ -#!/bin/bash +#!/usr/bin/perl + +# ------------------------------------------------------- +# -=- -=- +# ------------------------------------------------------- +# +# Description : This plugin checks if the fail2ban server is running +# and how many IPs are currently banned. +# +# +# inspired by the work of Sebastian Mueller - http://www.elchtest.eu +# +# +# Version : 0.1 +# ------------------------------------------------------- +# In : +# - see the How to use section # -# Usage: ./check_fail2ban -############################################################################################### -# Description: -# This plugin will check the status of Fail2ban. +# Out : +# - only print on the standard output # -# Created: 2008-10-25 (Sebastian Mueller) +# Features : +# - perfdata output +# - works with only a specific jail # -# Changes: 2008-10-26 fixed some issues (Sebastian Mueller) -# Changes: 2009-01-25 add the second check, when server is not replying and the -# process is hang-up (Sebastian Mueller) +# Fix Me/Todo : +# - too many things ;) but let me know what do you think about it # -# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu +# #################################################################### + +# #################################################################### +# GPL v3 +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . 
+# #################################################################### + +# #################################################################### +# How to use : +# ------------ # -################################################################################################ -# if you have any questions, send a mail to linux@krabbe-offline.de +# Just have to run the following command: +# $ ./check_fail2ban_activity --help +# +# If you need to use this script with NRPE you just have to do the +# following steps: # -# this script is for my personal use. read the script before running/using it!!! +# 1 allow your user to run the script with the sudo rights. Just add +# something like that in your /etc/sudoers (use visudo) : +# nagios ALL=(ALL) NOPASSWD: //check_fail2ban_activity # +# 2 then just add this kind of line in your NRPE config file : +# command[check_fail2ban]=/usr/bin/sudo //check_fail2ban_activity # -# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY. -############################################################################################### +# 3 don't forget to restart your NRPE daemon +# +# +# /!\ be careful to let no one able to update the check_fail2ban_activity ;) +# ------------------------------------------------------------------------------ +# +# #################################################################### + +# #################################################################### +# Changelog : +# ----------- +# +# -------------------------------------------------------------------- +# Date:12/03/2013 Version:0.1 Author:Erwan Ben Souiden +# >> creation +# #################################################################### + +# #################################################################### +# Don't touch anything under this line! 
+# You shall not pass - Gandalf is watching you +# #################################################################### + +use strict; +use warnings; +use Getopt::Long qw(:config no_ignore_case); + +# Generic variables +# ----------------- +my $version = '0.1'; +my $author = 'Erwan Labynocle Ben Souiden'; +my $a_mail = 'erwan@aleikoum.net'; +my $script_name = 'check_fail2ban_activity'; +my $verbose_value = 0; +my $version_value = 0; +my $more_value = 0; +my $help_value = 0; +my $perfdata_value = 0; +my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4); + +# Plugin default variables +# ------------------------ +my $display = 'CHECK FAIL2BAN ACTIVITY'; +my ($critical,$warning) = (2,1); +my $fail2ban_client_path = '/usr/bin/fail2ban-client'; +my $fail2ban_socket = ''; +my $jail_specific = ''; + +GetOptions ( + 'P=s' => \ $fail2ban_client_path, + 'path-fail2ban_client=s' => \ $fail2ban_client_path, + 'j=s' => \ $jail_specific, + 'jail=s' => \ $jail_specific, + 'w=i' => \ $warning, + 'warning=i' => \ $warning, + 'socket=s' => \ $fail2ban_socket, + 'S=s' => \ $fail2ban_socket, + 'c=i' => \ $critical, + 'critical=i' => \ $critical, + 'V' => \ $version_value, + 'version' => \ $version_value, + 'h' => \ $help_value, + 'H' => \ $help_value, + 'help' => \ $help_value, + 'display=s' => \ $display, + 'D=s' => \ $display, + 'perfdata' => \ $perfdata_value, + 'p' => \ $perfdata_value, + 'v' => \ $verbose_value, + 'verbose' => \ $verbose_value +); + +print_usage() if ($help_value); +print_version() if ($version_value); + + +# Syntax check of your specified options +# -------------------------------------- + +print "DEBUG : fail2ban_client_path: $fail2ban_client_path\n" if ($verbose_value); +if (($fail2ban_client_path eq "")) { + print $display.'- one or more following arguments are missing: fail2ban_client_path'."\n"; + exit $ERRORS{"UNKNOWN"}; +} + +if(! -x $fail2ban_client_path) { + print $display.' - '.$fail2ban_client_path.' 
is not executable by you'."\n"; + exit $ERRORS{"UNKNOWN"}; +} +print "DEBUG : $fail2ban_client_path exists and is executable\n" if ($verbose_value); + +my $fail2ban_cmd = $fail2ban_client_path; +$fail2ban_cmd .= " -s $fail2ban_socket" if ($fail2ban_socket); + +print "DEBUG : final fail2ban command: $fail2ban_cmd\n" if ($verbose_value); + +print "DEBUG : warning threshold : $warning, critical threshold : $critical\n" if ($verbose_value); +if (($critical < 0) or ($warning < 0) or ($critical < $warning)) { + print $display.' - the thresholds must be integers and the critical threshold higher or equal than the warning threshold'."\n"; + exit $ERRORS{"UNKNOWN"}; +} + +# Core script +# ----------- +my ($how_many_jail,$how_many_banned,$return_print,$plugstate) = (0,0,"","OK"); -SECOND_CHECK=0 -STATE_OK=0 -STATE_CRITICAL=2 +### Test the connection to the fail2ban server +my @command_output = `$fail2ban_cmd ping`; +my $return_code = $?; +if ($return_code) { + print $display.'CRITICAL - non-zero exit code during testing fail2ban-client ping, check if the server is running and if you have the good permissions'; + exit $ERRORS{"CRITICAL"}; +} +else { + print "DEBUG : it seems the connection with the fail2ban server is ok\n" if ($verbose_value); +} + + +### Only if you specify one jail +if ($jail_specific) { + my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_specific"); + if ($current_ban_number == -1) { + print $display.' - CRITICAL - impossible to retrieve info about the jail '.$jail_specific; + exit $ERRORS{"CRITICAL"}; + } + else { + $how_many_banned = int($current_ban_number); + $return_print = $how_many_banned.' current banned IP(s) for the specific jail '.$jail_specific; + } +} +### To analyze all the jail +else { + # Retrieve the jails list + my @jail_list = obtain_jail_list("$fail2ban_cmd"); + if ($jail_list[0] eq "-1") { + print $display.' 
- CRITICAL - impossible to retrieve the jail list'."\n"; + exit $ERRORS{"CRITICAL"}; + } + + foreach (@jail_list) { + $how_many_jail ++; + + my $jail_name = $_; + $jail_name =~ tr/ //ds; + + my $current_ban_number = currently_ban("$fail2ban_cmd","$jail_name"); + if ($current_ban_number == -1) { + print "DEBUG : problem to parse the current banned IPs for jail $jail_name\n" if ($verbose_value); + } + else { + print "DEBUG : the jail $jail_name has currently $current_ban_number banned IPs\n" if ($verbose_value); + $how_many_banned += int($current_ban_number); + } + } + $return_print = $how_many_jail.' detected jails with '.$how_many_banned.' current banned IP(s)'; +} + +### Final +$plugstate = "CRITICAL" if ($how_many_banned >= $critical); +$plugstate = "WARNING" if (($how_many_banned >= $warning) && ($how_many_banned < $critical)); + +$return_print = $display." - ".$plugstate." - ".$return_print; +$return_print .= " | currentBannedIP=$how_many_banned" if ($perfdata_value); + +print $return_print; +exit $ERRORS{"$plugstate"}; + + +# #################################################################### +# function 1 : display the help +# ----------------------------- +sub print_usage { + print </$script_name [-p] [-D "$display"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] + +Options: + -h, --help + Print detailed help screen + -V, --version + Print version information + -D, --display=STRING + To modify the output display + default is "CHECK FAIL2BAN ACTIVITY" + -P, --path-fail2ban_client=STRING + Specify the path to the tw_cli binary + default value is /usr/bin/fail2ban-client + -c, --critical=INT + Specify a critical threshold + default is 2 + -w, --warning=INT + Specify a warning threshold + default is 1 + -s, --socket=STRING + Specify a socket path + default is unset + -p, --perfdata + If you want to activate the perfdata output + -v, --verbose + Show details for command-line debugging (Nagios may truncate the output) + +Send email to $a_mail if 
you have questions +regarding use of this software. To submit patches or suggest improvements, +send email to $a_mail +This plugin has been created by $author + +Hope you will enjoy it ;) + +Remember : + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + +EOT + exit $ERRORS{"UNKNOWN"}; +} + +# function 2 : display version information +# ---------------------------------------- +sub print_version { + print </dev/null -do - sleep 1 - i=$i+1 -if [ $i -ge 10 ] - then - kill $pid - SECOND_CHECK=1 - exit_fail2ban=$STATE_CRITICAL - break -fi -done - -###################################################################### -# when the Server response (does not mean the FAIL2BAN is working) -# in the first step, then it will run again and test the Service -# and provide the real status -###################################################################### - - -if [ $SECOND_CHECK -eq 0 ]; then - check_processes_fail2ban - elif [ $SECOND_CHECK -eq 1 ]; then - exit_fail2ban=$STATE_CRITICAL -fi - - - -###################################################################### -# Main Menu -###################################################################### - - -final_exit=$exit_fail2ban -if [ $final_exit -eq 0 ]; then - echo "SYSTEM OK - Fail2ban is working normally" - exitstatus=$STATE_OK -elif [ $final_exit -ne "0" ]; then - echo "SYSTEM WARNING - Fail2Ban is not working" 
-###################################################################### -# If don't have a Nagios Server for monitoring, remove the comment and -# add your Mail Address. You can check it with a Cron Job once an hour. -# put a txt file on your server and describe how to fix the issue, this -# could be attached to the mail. -###################################################################### -# mutt -s "FAIL2BAN NOT WORKING" your@example.com < /home/f2ban.txt - - exitstatus=$STATE_CRITICAL -fi -exit $exitstatus diff --git a/files/nagios/f2ban.txt b/files/nagios/f2ban.txt deleted file mode 100644 index 0f048ff7..00000000 --- a/files/nagios/f2ban.txt +++ /dev/null @@ -1,18 +0,0 @@ -It seems that Fail2ban is currently not working, please login and check - -HELP: - -1.) stop the Service -/etc/init.d/fail2ban stop - -2.) delete the socket if available -rm /tmp/fail2ban.sock - -3.) start the Service -/etc/init.d/fail2ban start - -4.) check if fail2ban is working -fail2ban-client ping -Answer should be "pong" - -5.) if the answer is not "pong" run away or CRY FOR HELP ;-) From c4d92fba716d8c9d97f2e989103b66e575e7585f Mon Sep 17 00:00:00 2001 From: Erwan Ben Souiden Date: Tue, 26 Mar 2013 16:08:05 +0100 Subject: [PATCH 4/9] fix the script name to check_fail2ban everywhere --- files/nagios/README | 14 +++++++------- files/nagios/check_fail2ban | 12 ++++++------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/files/nagios/README b/files/nagios/README index 99ffc4e0..28e84495 100644 --- a/files/nagios/README +++ b/files/nagios/README 
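Review bot: `$fail2ban_socket` is taken from `--socket` and spliced unquoted into `$fail2ban_cmd`, which the backtick call `$fail2ban_cmd ping` hands to the shell; the same string, plus `$jail_specific`, is passed on to `obtain_jail_list` and `currently_ban`, whose bodies are not visible in this hunk but presumably run it the same way. Any shell metacharacter in those option values is therefore interpreted by the shell, and because the README added in this commit installs the plugin under `sudo` with `NOPASSWD`, that shell runs as root — the `-x` check on `$fail2ban_client_path` does not cover it. Build an argument list and use the list form of `open`, as in the ping check below, and do the same inside the two helpers (or, at minimum, reject values not matching `^[\w./-]+$`). Separately, the usage text documents `-s, --socket` but GetOptions registers `'S=s'` under `no_ignore_case`, so `-s` is rejected as an unknown option and the GetOptions return value is never checked; and the `-P` description, "Specify the path to the tw_cli binary", is a copy-paste leftover.
```perl
### Test the connection to the fail2ban server
# Argument list instead of a command string: the list form of open()
# passes these straight to exec(), so option values are never shell-parsed.
my @fail2ban_argv = ($fail2ban_client_path);
push @fail2ban_argv, '-s', $fail2ban_socket if ($fail2ban_socket);

open(my $ping_fh, '-|', @fail2ban_argv, 'ping')
    or do {
        print $display.' - CRITICAL - unable to run '.$fail2ban_client_path."\n";
        exit $ERRORS{"CRITICAL"};
    };
my @command_output = <$ping_fh>;
close($ping_fh);
my $return_code = $?;
# … unchanged: return-code check, DEBUG output, jail handling (helpers should take @fail2ban_argv) …
```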
@@ -7,21 +7,21 @@ You can use this plugin to monitor all the jails or just a specific jail. How to use ---------- Just have to run the following command: - $ ./check_fail2ban_activity --help + $ ./check_fail2ban --help If you need to use this script with NRPE you just have to do the following steps: 1 allow your user to run the script with the sudo rights. Just add something like that in your /etc/sudoers (use visudo) : - nagios ALL=(ALL) NOPASSWD: //check_fail2ban_activity + nagios ALL=(ALL) NOPASSWD: //check_fail2ban 2 then just add this kind of line in your NRPE config file : - command[check_fail2ban]=/usr/bin/sudo //check_fail2ban_activity + command[check_fail2ban]=/usr/bin/sudo //check_fail2ban 3 don't forget to restart your NRPE daemon -/!\ be careful to let no one able to update the check_fail2ban_activity ;) +/!\ be careful to let no one able to update the check_fail2ban ;) ------------------------------------------------------------------------------ @@ -50,7 +50,7 @@ Answer should be "pong" Help ---- -Usage: //check_fail2ban_activity [-p] [-D "CHECK FAIL2BAN ACTIVITY"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] +Usage: //check_fail2ban [-p] [-D "CHECK FAIL2BAN ACTIVITY"] [-v] [-c 2] [-w 1] [-s //socket] [-P /usr/bin/fail2ban-client] Options: -h, --help @@ -82,7 +82,7 @@ Example ------- # for a specific jail -$ ./check_fail2ban_activity --verbose -p -j ssh -w 1 -c 5 -P /usr/bin/fail2ban-client +$ ./check_fail2ban --verbose -p -j ssh -w 1 -c 5 -P /usr/bin/fail2ban-client DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client DEBUG : /usr/bin/fail2ban-client exists and is executable DEBUG : final fail2ban command: /usr/bin/fail2ban-client 
@@ -91,7 +91,7 @@ DEBUG : it seems the connection with the fail2ban server is ok CHECK FAIL2BAN ACTIVITY - OK - 0 current banned IP(s) for the specific jail ssh | currentBannedIP=0 # for all the current jails -$ ./check_fail2ban_activity --verbose -p -w 1 -c 5 -P /usr/bin/fail2ban-client +$ ./check_fail2ban --verbose -p -w 1 -c 5 -P /usr/bin/fail2ban-client DEBUG : fail2ban_client_path: /usr/bin/fail2ban-client DEBUG : /usr/bin/fail2ban-client exists and is executable DEBUG : final fail2ban command: /usr/bin/fail2ban-client diff --git a/files/nagios/check_fail2ban b/files/nagios/check_fail2ban index 01ff2dae..148c92d5 100755 --- a/files/nagios/check_fail2ban +++ b/files/nagios/check_fail2ban @@ -1,7 +1,7 @@ #!/usr/bin/perl # ------------------------------------------------------- -# -=- -=- +# -=- -=- # ------------------------------------------------------- # # Description : This plugin checks if the fail2ban server is running @@ -49,22 +49,22 @@ # ------------ # # Just have to run the following command: -# $ ./check_fail2ban_activity --help +# $ ./check_fail2ban --help # # If you need to use this script with NRPE you just have to do the # following steps: # # 1 allow your user to run the script with the sudo rights. Just add # something like that in your /etc/sudoers (use visudo) : -# nagios ALL=(ALL) NOPASSWD: //check_fail2ban_activity +# nagios ALL=(ALL) NOPASSWD: //check_fail2ban # # 2 then just add this kind of line in your NRPE config file : -# command[check_fail2ban]=/usr/bin/sudo //check_fail2ban_activity +# command[check_fail2ban]=/usr/bin/sudo //check_fail2ban # # 3 don't forget to restart your NRPE daemon # # -# /!\ be careful to let no one able to update the check_fail2ban_activity ;) +# /!\ be careful to let no one able to update the check_fail2ban ;) # ------------------------------------------------------------------------------ # # #################################################################### 
@@ -92,7 +92,7 @@ use Getopt::Long qw(:config no_ignore_case); my $version = '0.1'; my $author = 'Erwan Labynocle Ben Souiden'; my $a_mail = 'erwan@aleikoum.net'; -my $script_name = 'check_fail2ban_activity'; +my $script_name = 'check_fail2ban'; my $verbose_value = 0; my $version_value = 0; my $more_value = 0; From b0a08b9790726312d1a4fa7ce7b4cf5d1592651b Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sat, 30 Mar 2013 18:17:01 +0000 Subject: [PATCH 5/9] TST: Add gamin support for Travis CI --- .travis.yml | 3 +++ .travis_coveragerc | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 773c5f0b..75b7ce4d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,8 +5,11 @@ python: - "2.5" - "2.6" - "2.7" +before_install: + - sudo apt-get update -qq install: - pip install pyinotify + - sudo apt-get install -qq python-gamin - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then pip install -q coveralls; fi script: - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi diff --git a/.travis_coveragerc b/.travis_coveragerc index 4d4b7ebd..ac4a15d5 100644 --- a/.travis_coveragerc +++ b/.travis_coveragerc @@ -4,4 +4,3 @@ branch = True omit = /usr/* /home/travis/virtualenv/* - server/filtergamin.py From 44736035bda2f34d5a91cb9e1f1f3475902bd1e3 Mon Sep 17 00:00:00 2001 From: Erwan Ben Souiden Date: Tue, 2 Apr 2013 09:49:44 +0200 Subject: [PATCH 6/9] change the license to GPLv2 + adapat text --- files/nagios/check_fail2ban | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/files/nagios/check_fail2ban b/files/nagios/check_fail2ban index 148c92d5..77a63393 100755 --- a/files/nagios/check_fail2ban +++ b/files/nagios/check_fail2ban 
@@ -29,19 +29,20 @@ # #################################################################### # #################################################################### -# GPL v3 -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. - +# GPL v2 +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # #################################################################### # #################################################################### 
@@ -274,10 +275,10 @@ This plugin has been created by $author Hope you will enjoy it ;) Remember : - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version 2 + of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -285,8 +286,8 @@ Remember : GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see . - + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. EOT exit $ERRORS{"UNKNOWN"}; From 47c54ba293448c73fd3c9928d41472d1264128fa Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sat, 6 Apr 2013 11:08:07 +0100 Subject: [PATCH 7/9] TST: Add gamin testing for and only coveralls coverage for python2.7 --- .travis.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 75b7ce4d..8da3e0bb 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -9,9 +9,10 @@ before_install: - sudo apt-get update -qq install: - pip install pyinotify - - sudo apt-get install -qq python-gamin - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then pip install -q coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi script: - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi after_script: - - if [[ $TRAVIS_PYTHON_VERSION == 2.[6-7] ]]; then coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coveralls; fi From ffaa9697eeab80f40df7d2fd449cb619d55e0a84 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 9 Apr 2013 17:59:45 -0400 Subject: [PATCH 8/9] Adjusting previous PR (MySQL logs) according to my comments --- config/filter.d/mysqld.conf | 9 ++++----- testcases/files/logs/mysqld.log | 11 ----------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/config/filter.d/mysqld.conf b/config/filter.d/mysqld.conf index bc9164ce..197c8232 100644 --- a/config/filter.d/mysqld.conf +++ b/config/filter.d/mysqld.conf @@ -1,8 +1,7 @@ -# Fail2Ban configuration file +# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts # -# Author: Artur Penttinen -# -# $Revision$ +# Authors: Artur Penttinen +# Yaroslav O. Halchenko # [INCLUDES] 
@@ -23,7 +22,7 @@ before = common.conf # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) -failregex = Access denied for user '\w+'@'' +failregex = Access denied for user '\w+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/testcases/files/logs/mysqld.log b/testcases/files/logs/mysqld.log index 8dfd6338..b3a73078 100644 --- a/testcases/files/logs/mysqld.log +++ b/testcases/files/logs/mysqld.log 
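Review bot: The user-name part of the new `failregex`, `'\w+'`, is attacker-controlled and too narrow: MySQL writes the client-supplied name verbatim, so an attempt with the empty (anonymous) user name, logged as `Access denied for user ''@'1.2.3.4'`, or a name containing a hyphen, dot or space never matches and is not counted toward `maxretry`. Because the attacker chooses the user name, this is a trivial way to keep brute-forcing without ever being banned. Replace `'\w+'@'` with `'[^']*'@'` so anything up to the closing quote is accepted while the host group is unchanged. The trailing `(to database '[^']*'|\(using password: (YES|NO)\))*` also admits repeated or concatenated suffixes that MySQL never emits; harmless for banning, but `?` would state the intent more precisely than `*`.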
@@ -1,17 +1,6 @@ -130323 21:14:28 [Warning] Access denied for user 'root'@'192.168.1.34' (using password: NO) 130324 0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO) -130324 0:04:02 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:05 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:07 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:09 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:11 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:13 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:16 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) -130324 0:04:18 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: YES) 130324 8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO) 130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO) 130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES) -130324 17:56:15 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES) 130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO) 130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES) -130324 19:01:41 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES) From 99a5d78e3766cd8cf247a047611cfb293426af82 Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Tue, 9 Apr 2013 18:03:34 -0400 Subject: [PATCH 9/9] ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth --- config/filter.d/{mysqld.conf => mysqld-auth.conf} | 0 config/jail.conf | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename config/filter.d/{mysqld.conf => mysqld-auth.conf} (100%) diff --git a/config/filter.d/mysqld.conf b/config/filter.d/mysqld-auth.conf similarity index 100% rename from config/filter.d/mysqld.conf rename to config/filter.d/mysqld-auth.conf diff --git a/config/jail.conf b/config/jail.conf index 4c1528f1..4399d0bd 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -345,13 +345,13 @@ action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] logpath = /var/log/asterisk/messages maxretry = 10 -# For log wrong MySQL access add to /etc/my.cnf: +# To log wrong MySQL access attempts add to /etc/my.cnf: # log-error=/var/log/mysqld.log # log-warning = 2 [mysqld-iptables] enabled = false -filter = mysqld +filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] logpath = /var/log/mysqld.log
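Review bot: The my.cnf instructions this hunk rewrites name the option as `log-warning = 2`, but the MySQL server option is `log-warnings` (plural); access-denied messages are only written to the error log when that variable is greater than 1, so if the setting is not applied the `logpath = /var/log/mysqld.log` configured here never receives the lines `mysqld-auth` looks for and the jail silently bans nothing. Older servers may accept an unambiguous prefix of an option name, but the documented instruction should use the exact name, `# log-warnings = 2`. It would also help to say why the setting is needed, e.g. `# (access-denied attempts are only logged when log-warnings > 1)`, since a user who enables the jail without it gets no feedback that it is inert.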