openmediavault-fail2ban first version now available for testing

pr_bond · 4. Juli 2016

Hi

I also use GLPI at work and I just wrote the filter.

Could you test ?

fail2ban-regex /opt/glpi/files/_log/event.log /etc/fail2ban/filter.d/glpi.conf

Add glpi.conf to /etc/fail2ban/filter.d

Code

# Fail2Ban filter for glpi
#


[Definition]


failregex = ^(\[login\]).*?(Failed login for).*?(IP).<HOST>.*?


ignoreregex = 


# DEV Notes:
#
# pattern : [login] 1: Failed login for user1 from IP ::ffff:70.33.11.00 2016-07-02 21:35:44 [@server]
#
# Author: Julien DARY

Alles anzeigen

Add to jail.conf

Code

[glpi]
enabled  = true
port     = http,https
filter   = glpi
logpath  = /opt/glpi/files/_log/event.log
maxretry = 6

tinh_x7 · 4. Juli 2016

I did the test, but it failed to ban.
It seem like it missing a date/time format in the filter.

Code

Use regex file : /etc/fail2ban/filter.d/glpi.conf
Use log file   : /opt/glpi/files/_log/event.log


Found a match for '[login] 1: Failed login for user1 from IP ::ffff:192.168.1.9
' but no valid date/time found for '[login] 1: Failed login for user1 from IP ::ffff:192.168.1.9
'. Please contact the author in order to get support for this format
Found a match for '[login] 1: Failed login for user1 from IP ::ffff:192.168.1.9
' but no valid date/time found for '[login] 1: Failed login for user1 from IP ::ffff:192.168.1.9
'. Please contact the author in order to get support for this format
Found a match for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
' but no valid date/time found for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
'. Please contact the author in order to get support for this format
Found a match for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
' but no valid date/time found for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
'. Please contact the author in order to get support for this format
Found a match for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
' but no valid date/time found for '[login] 1: Failed login for user1 from IP ::ffff:70.11.22.01
'. Please contact the author in order to get support for this format


Results
=======


Failregex
|- Regular expressions:
|  [1] ^(\[login\]).*?(Failed login for).*?(IP).<HOST>.*?
|
`- Number of matches:
   [1] 0 match(es)


Ignoreregex
|- Regular expressions:
|
`- Number of matches:


Summary
=======


Sorry, no match

Alles anzeigen

sieben · 2. August 2016

Hi,
I just wanted to suggest to include the 'whois' package to be installed with the fail2ban-plugin.

When the mail-setting is set to 'action_mwl' The whois information cannot be retrieved & shown inside the email.

Correct me if I'm wrong. I just encountered this issue personally.

Thanks!

pr_bond · 4. August 2016

@sieben
hi
you are right, I will add fix in the next version.

Envoyé de mon SM-N9005 en utilisant Tapatalk

tinh_x7 · 4. August 2016

@pr_bond,

Any update on the GLPI filter?

pr_bond · 5. September 2016

Source Code

# Fail2Ban filter for glpi
#
[Definition]
failregex = ^.*$^(\[login\]).*?(Failed login for).*?(IP).<HOST>.*?
ignoreregex =
# DEV Notes:
#
# pattern :
# 2016-07-28 21:44:19 [@server]
# [login] 1: Failed login for user1 from IP ::ffff:70.33.11.00 2016-07-02 21:35:44 [@server]
#
# Author: Julien DARY

Multiline is works with fail2ban verison < 0.9.0

tinh_x7 · 7. September 2016

I just tested.
It didn't work.

pr_bond · 7. September 2016

Yes you need fail2ban >9.0 to works...
For that you need to enable testing repo and install fail2ban 9.x

Fail2ban 8.x don't support multilines filter, your GLPI log file is on 2 lines, filter need multilines, my GLPI filter don't work with fail2ban 8.x.

I'am sorry

Envoyé de mon SM-N9005 en utilisant Tapatalk

tinh_x7 · 8. September 2016

You're fine.
I have testing repo enabled, but don't see the version 9.
I only seeing openmediavault-fail2ban 1.1.5.
Perhaps you're referring to the fail2ban from Github?

pr_bond · 8. September 2016

On debian 8 Jessie

Add into your /etc/apt/source.list
Source : http://www.binarytides.com/enable-testing-repo-debian/

Bash

# Testing repository - main, contrib and non-free branches
deb http://http.us.debian.org/debian testing main non-free contrib
deb-src http://http.us.debian.org/debian testing main non-free contrib

Bash

# apt-get update
# apt-get install fail2ban/testing
# $ fail2ban-client -V


#Fail2Ban v0.9.3
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).


Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.

Alles anzeigen

tinh_x7 · 8. September 2016

I'm on Debian Wheezy.

pr_bond · 8. September 2016

You could test and do the same on Wheezy ?

tinh_x7 · 8. September 2016

Do I need to uninstall the F2B plugin first though?

pr_bond · 8. September 2016

No need, omv-fail2ban works with any fail2ban, you may have message about version of file jail.conf, take new version, old version is saved.

Envoyé de mon SM-N9005 en utilisant Tapatalk

tinh_x7 · 10. September 2016

I added the repo, and try to download, but it said I already have the latest version.
It isn't.

Do I need to install this manually?

Code

ii  fail2ban                                                         0.8.6-3wheezy3                     all          ban hosts that cause multiple authentication errors
ii  openmediavault-fail2ban                                          1.1.5

pr_bond · 10. September 2016

Bash

root@openmediavault-test:/etc/apt# apt-get update
Ign file:  Release.gpg
Ign file:  Release                                                                               
Ign file:  Translation-fr_FR                                                                     
Ign file:  Translation-fr                                                                        
Ign file:  Translation-en                                                                        
Atteint http://debian.proxad.net wheezy Release.gpg                                              
Atteint http://packages.openmediavault.org stoneburner Release.gpg                               
Atteint http://debian.proxad.net wheezy-updates Release.gpg                                      
root@openmediavault-test:/etc/apt# apt-get install fail2ban/testing
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'état... Fait
Version choisie « 0.9.3-1 » (Debian:testing [all]) pour « fail2ban »
Les paquets suivants ont été installés automatiquement et ne sont plus nécessaires :
  apparmor apt-transport-https aufs-tools beep clamav-base clamav-daemon clamav-freshclam
  collectd collectd-core cpufrequtils cron-apt davfs2 dbconfig-common dc debian-zfs dmeventd
  docker-engine fping gdisk glusterfs-client glusterfs-common greyhole hdparm hp-ppd
  ifenslave-2.6 intltool libaio1 libapparmor1 libaudio2 libcap-ng0 libchm1 libcpufreq0
  libdbd-mysql-perl libdbi-perl libdbi1 libdbus-glib-1-2 libfile-copy-recursive-perl libgd2-xpm
  libgssglue1 libgstreamer-plugins-base0.10-0 libgstreamer0.10-0 libjavascript-minifier-xs-perl
  libjs-extjs5 liblocale-po-perl liblvm2cmd2.02 liblz4-1 libmcrypt4 libmng1 libmtp-common
  libmtp9 libnss-ldap libonig2 libossp-uuid16 libpam-ldap libpodofo-utils libpodofo0.9.0
  libpoppler-glib8 libpq5 libqdbm14 libqt4-dbus libqt4-declarative libqt4-designer libqt4-help
  libqt4-network libqt4-script libqt4-scripttools libqt4-sql libqt4-svg libqt4-test libqt4-xml
  libqt4-xmlpatterns libqtassistantclient4 libqtcore4 libqtdbus4 libqtgui4 libqtwebkit4 librrd4
  libxml-parser-perl libxslt1.1 lvm2 mhddfs mysql-client-5.5 mysql-server mysql-server-5.5
  mysql-server-core-5.5 mywebsql nginx nginx-common nginx-full ntfs-3g owncloud php-json-schema
  php-pear php-xml-parser php5 php5-cgi php5-cli php5-common php5-curl php5-fpm php5-gd
  php5-intl php5-mcrypt php5-mysqlnd php5-pam php5-pgsql php5-proctitle php5-sqlite pm-utils
  postgresql-9.1 postgresql-client-9.1 postgresql-client-common postgresql-common
  printer-driver-foo2zjs printer-driver-splix proftpd-basic proftpd-mod-vroot python-apsw
  python-beautifulsoup python-central python-chm python-crypto python-cssutils python-cups
  python-daemon python-dateutil python-dbus python-dbus-dev python-django python-django-tagging
  python-dnspython python-lockfile python-lxml python-mechanize python-netifaces python-poppler
  python-psutil python-pyasn1 python-pypdf python-qt4 python-sip python-twisted
  python-twisted-conch python-twisted-lore python-twisted-mail python-twisted-names
  python-twisted-news python-twisted-runner python-twisted-words python3.2 python3.2-minimal
  qdbus quotatool rrdcached rrdtool samba sdparm shellinabox smartmontools snmpd socat sysstat
  tftpd-hpa update-inetd uuid wpasupplicant xmlstarlet
Veuillez utiliser « apt-get autoremove » pour les supprimer.
Les paquets supplémentaires suivants seront installés : 
  binutils dh-python dmeventd dmsetup keyutils libblkid1 libc-bin libc-dev-bin libc-l10n libc6
  libc6-dev libdb5.3 libdevmapper-event1.02.1 libdevmapper1.02.1 libgssapi-krb5-2 libk5crypto3
  libkeyutils1 libkrb5-3 libkrb5support0 liblvm2app2.2 liblvm2cmd2.02 libmpdec2 libncurses5
  libncursesw5 libpython3-stdlib libpython3.5-minimal libpython3.5-stdlib libssl1.0.2 libtinfo5
  libtirpc1 libudev1 locales lvm2 nfs-common nfs-kernel-server python3 python3-minimal python3.5
  python3.5-minimal
Paquets suggérés :
  binutils-doc glibc-doc krb5-doc krb5-user thin-provisioning-tools open-iscsi python3-doc
  python3-tk python3-venv python3.5-venv python3.5-doc binfmt-support
Paquets recommandés :
  whois python3-pyinotify python3-systemd manpages-dev krb5-locales libgpm2
Les paquets suivants seront ENLEVÉS :
  openmediavault openmediavault-autoshutdown openmediavault-calibre openmediavault-clamav
  openmediavault-cups openmediavault-deluge openmediavault-developer openmediavault-docker
  openmediavault-extplorer openmediavault-fail2ban openmediavault-greyhole openmediavault-ldap
  openmediavault-links openmediavault-lvm2 openmediavault-mysql openmediavault-nginx
  openmediavault-omvextrasorg openmediavault-owncloud openmediavault-postgresql
  openmediavault-remoteshare openmediavault-route openmediavault-sensors
  openmediavault-shellinabox openmediavault-unionfilesystems openmediavault-websites
  openmediavault-wordpress openmediavault-zfs python3-apt
Les NOUVEAUX paquets suivants seront installés :
  dh-python dmeventd keyutils libc-l10n libdb5.3 liblvm2cmd2.02 libmpdec2 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libssl1.0.2 libudev1 python3.5 python3.5-minimal
Les paquets suivants seront mis à jour :
  binutils dmsetup fail2ban libblkid1 libc-bin libc-dev-bin libc6 libc6-dev
  libdevmapper-event1.02.1 libdevmapper1.02.1 libgssapi-krb5-2 libk5crypto3 libkeyutils1
  libkrb5-3 libkrb5support0 liblvm2app2.2 libncurses5 libncursesw5 libtinfo5 libtirpc1 locales
  lvm2 nfs-common nfs-kernel-server python3 python3-minimal
26 mis à jour, 14 nouvellement installés, 28 à enlever et 639 non mis à jour.
Il est nécessaire de prendre 25,2 Mo dans les archives.
Après cette opération, 35,7 Mo d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer [O/n] ? N


Non Non

Alles anzeigen

Hum i have test and you can't install testing version of fail2ban without make a lot of change ...

Test OMV3

tinh_x7 · 11. September 2016

I have a lot of software installed in my system.
I don't want to risk it.
I wait until I use OMV3 then.

Thanks.

happyreacer · 23. September 2016

@pr_bond i must do the installation from the fail2ban plugin on OMV3 manual? I have don't see the plugin in the plugin list.

pr_bond · 23. September 2016

For OMV3 you need to install plugin manually, i would like to be in plugin list, what i need to do for it ?

ryecoaaron · 23. September 2016

Zitat von pr_bond

i would like to be in plugin list, what i need to do for it ?

I wasn't sure if it was ready to be in the repo or not. So, just let me know.

openmediavault-fail2ban first version now available for testing

Jetzt mitmachen!

Tags