#!/usr/bin/perl ########################################################################## # $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $ ########################################################################## # $Log: fail2ban,v $ # # Revision 1.6 2014/08/11 16:07:46 yoh # Patches from Yaroslav Halchenko to match adjusted in 0.9.x lines. # Also reports now total number of hits (matches) along with Ban:Unban # and relaxed regular expressions for matching any log level # # Revision 1.5 2008/08/18 16:07:46 mike # Patches from Paul Gear -mgt # # Revision 1.4 2008/06/30 23:07:51 kirk # fixed copyright holders for files where I know who they should be # # Revision 1.3 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.2 2006/12/15 04:53:59 bjorn # Additional filtering, by Willi Mann. # # Revision 1.1 2006/05/30 19:04:26 bjorn # Added fail2ban service, written by Yaroslav Halchenko. # # Written by Yaroslav Halchenko for fail2ban # ########################################################################## ######################################################## ## Copyright (c) 2008 Yaroslav Halchenko ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; use Logwatch ':all'; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $IgnoreHost = $ENV{'sshd_ignore_host'} || ""; my $DebugCounter = 0; my $ReInitializations = 0; my @ActionsErrors = (); my @CommandsErrors = (); my $NotValidIP = 0; # reported invalid IPs number my @OtherList = (); my %ServicesBans = (); if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n"; $DebugCounter = 1; } while (defined(my $ThisLine = )) { if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } chomp($ThisLine); if ( ($ThisLine =~ /..,... DEBUG: /) or ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or ($ThisLine =~ /\S+\s+rollover performed on/) or ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or ($ThisLine =~ /\S+\s+Log rotation detected for/) or ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or ($ThisLine =~ /\S+\s+Changed logging target to/) or ($ThisLine =~ /\S+\s+Creating new jail/) or ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban ($ThisLine =~ /..,... \S+: Verbose level is /) or ($ThisLine =~ /..,... \S+: Restoring firewall rules/) ) { if ( $Debug >= 6 ) { print STDERR "DEBUG($DebugCounter): line ignored\n"; } } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) { if ( $Debug >= 6 ) { print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n"; } $ServicesBans{$Service}{$Host}{$Action}++; $ServicesBans{$Service}{"(all)"}{$Action}++; } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) { if ( $Debug >= 6 ) { print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n"; } $ServicesBans{$Service}{$Host}{"Hit"}++; $ServicesBans{$Service}{"(all)"}{"Hit"}++; } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) { if ($Debug >= 4) { print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n"; } push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures; } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) { $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) { if ( $Debug >= 6 ) { print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n"; } $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++; } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) { $ServicesBans{$Service}{$Host}{'ReBan'}++; } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) { push @ActionsErrors, "$ThisLine\n"; } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) { push @ActionsErrors, "$ThisLine\n"; } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) { push @CommandsErrors, "$ThisLine\n"; } elsif ($ThisLine =~ /ERROR.*returned \d+$/) { push @ActionsErrors, "$ThisLine\n"; } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) { $ReInitializations++; } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) { # just ignore - this will be fixed within fail2ban and is harmless warning } else { # Report any unmatched entries... push @OtherList, "$ThisLine\n"; } } ########################################################### if (keys %ServicesBans) { printf("\nBanned services with Fail2Ban: Bans:Unbans:Hits\n"); foreach my $service (sort {$a cmp $b} keys %ServicesBans) { printf(" %-55s [%3d:%d:%-3d]\n", "$service:", $ServicesBans{$service}{'(all)'}{'Ban'}, $ServicesBans{$service}{'(all)'}{'Unban'}, $ServicesBans{$service}{'(all)'}{'Hit'}); delete $ServicesBans{$service}{'(all)'}; my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP); if ($Detail >= 5) { foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) { my $name = LookupIP($ip); printf(" %-53s %3d:%d:%-3d\n", $name, $ServicesBans{$service}{$ip}{'Ban'}, $ServicesBans{$service}{$ip}{'Unban'}, $ServicesBans{$service}{$ip}{'Hit'}); if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) { print " Failed "; foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) { print " $fails"; } print " times\n"; } if ($ServicesBans{$service}{$ip}{'AlreadyInTheList'}>0) { printf(" %d Duplicate Ban attempt(s)\n", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ; } if ($ServicesBans{$service}{$ip}{'ReBan'}>0) { printf(" %d ReBan(s) due to rules reinitilizations\n", $ServicesBans{$service}{$ip}{'ReBan'}) ; } } } } } if ($Detail>0) { if ($#ActionsErrors >= 0) { printf("\n%d faulty action invocation(s)", $#ActionsErrors+1); if ($Detail > 5) { print ":\n"; print @ActionsErrors ; } } if ($#CommandsErrors >= 0) { printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1); if ($Detail > 5) { print ":\n"; print @CommandsErrors ; } } if ($ReInitializations > 0) { printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations); } if ($#OtherList >= 0) { print "\n**Unmatched Entries**\n"; print @OtherList; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: