github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

INI highlighting

master
Serg G. Brester 2017-11-28 10:07:04 +01:00
parent e3319bc753
commit 66809c0552
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
How-to-ban-something-other-as-host-(IP-address),-like-user-or-mail,-etc..md

@ -5,17 +5,17 @@
* You should create your own `action` and specify there which command(s) should be executed by ban/unban
* Version 0.10 allows you to define failure-ID in `failregex`:
- use `<F-ID/>` for failure-ID as no-space tag (equivalent to `(?P<fid>\S+)`), example:
```
```INI
failregex = ^authentication failure; login=<F-ID/>
```
- use `<F-ID>...</F-ID>` for own regex contains failure-ID (equivalent to `(?P<fid>...)`), example:
```
```INI
failregex = ^authentication failure; login=<F-ID>[^@]+@\S+</F-ID/>
```
* In version 0.9 you should use `(?P<host>...)` to define failure-ID and implicitly reset all host-related features (e. g. dns resolving) for this jail, so define `usedns = raw`, `ignoreip =`, `ignorecommand =`
Example for test jail to ban users, config `jail.local`:
```bash
```INI
[test]
# don't use dns, because host group is not hostname (and not resolvable ip):
usedns = raw
@ -35,7 +35,7 @@ logpath = %(syslog_authpriv)s
enabled = true
```
For fail2ban version 0.9, you should define `failregex` like below:
```bash
```INI
[test]
...
# v. 0.9.5:
@ -43,7 +43,7 @@ failregex = ^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)?pam_unix(?:\(\S+\))?:?\s+au
```
Action config file `action.d/test-ban-user.local`:
``` bash
```INI
[Definition]
actionstart =
actionstop =
@ -53,19 +53,19 @@ actionunban = echo 'unban f2b-<name> --user <ip>'
```
To test, the user "xxx" will be banned, just execute following commands (3 times if `maxretry = 3` for this jail):
``` bash
```bash
logger -t 'test:auth' -i -p auth.info "pam_unix(test:auth): authentication failure; login=xxx"
logger -t 'test:auth' -i -p auth.info "pam_unix(test:auth): authentication failure; login=xxx"
logger -t 'test:auth' -i -p auth.info "pam_unix(test:auth): authentication failure; login=xxx"
```
This should produce in `/var/log/auth.log` 3 entries like:
``` bash
```bash
Nov 14 20:07:35 srv test:auth[3141]: pam_unix(test:auth): authentication failure; login=xxx
```
To test regular expression, use new option `--raw` or `-r`, to prevent dns resolving errors:
``` bash
```bash
# v. 0.10:
fail2ban-regex --raw /var/log/auth.log '^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)?pam_unix(?:\(\S+\))?:?\s+authentication failure; login=<F-ID/>'
# v. 0.9.5:
@ -80,7 +80,7 @@ fail2ban-regex --raw /var/log/auth.log '^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)
If you've no failure-id at all (no user-id, e-mail or something other), but you'll that fail2ban execute some shell script after failure occurrence, you should additionally:
* set empty or something other as match for failure-id (still `<host>` in 0.9th-branch) in `failregex`, example:
``` bash
```INI
# DDOS resp. "too many IPs" will be used as failure-ID:
failregex = ^<F-ID>DDOS</F-ID> attack detected$
^IDS raises alarm: <F-ID>too many IPs</F-ID> in stack$
@ -88,7 +88,7 @@ failregex = ^<F-ID>DDOS</F-ID> attack detected$
* set `maxretry = 1` and `findtime = 1` (ban after first occurrence in 1 seconds);
* set small `bantime` (e. g. 1 second) to this "jail" (otherwise no "ban" action will be executed in this time, because "already banned" occurs), e. g. `bantime = 1`
* you need to specify only `actionban` parameter in your custom action file:
```bash
```INI
actionban = /user/bin/ids-attack.sh '<fid>'
```
* `actionban` script will be executed as root (or with user, fail2ban running), so use `su` if other/restricted user needed;