Regex Fail2ban Rule - regex

I wanted to test fail2ban but I'm hitting a problem. My tries with regex don't really work.
The username, e.g. userxy, occurs in the first line of the log, and the IP address in the second line must be blocked by fail2ban.
/etc/fail2ban/jail.conf
[Filter1]
enabled = true
filter = test
port = 12345
protocol = tcp
logpath = /var/etc/logs/auth.log
banaction = iptables-multiport
findtime = 1800
bantime = 3600
/var/etc/logs/auth.log
2018/09/21 20:45:13 ASDFDGFS c (trail) password for 'userxy' invalid!
2018/09/21 20:45:13 ASDFDGFS c (client) anonymous disconnected from 192.168.252.37
/etc/fail2ban/filter.d/test.conf
[Init]
maxlines = 2
[Definition]
failregex = ^.*userxy*\n.*anonymous disconnected from <HOST>.*$
ignoreregex =
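To see what the two-line filter above actually does, here is an added Python model of fail2ban's `maxlines` buffering (this is example code written for this page, not fail2ban's own implementation). It expands `<HOST>` the way fail2ban does, slides a window of `maxlines` lines over a constructed log built from the two lines in the post, and applies the regex to each window. `FIXED_REGEX` is a hypothetical variant: the post's `userxy*\n` requires the newline to follow the username directly, which never happens because `' invalid!` comes first, so the original pattern matches nothing.

```python
import re

# fail2ban replaces the <HOST> tag with this pattern: an optional IPv4-mapped
# IPv6 prefix (::ffff:) followed by a named group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The regex from the post. "userxy*\n" means "userx", zero or more "y", then a
# newline immediately after, but the log has "' invalid!" before the newline.
POST_REGEX = r"^.*userxy*\n.*anonymous disconnected from <HOST>.*$"

# Hypothetical fix: let .* consume the rest of line 1 before the newline.
FIXED_REGEX = r"^.*userxy.*\n.*anonymous disconnected from <HOST>.*$"

# Constructed sample: the two lines from the post plus extra lines for another
# user and an unrelated disconnect (extra addresses are test ranges).
SAMPLE_LOG = """\
2018/09/21 20:45:13 ASDFDGFS c (trail) password for 'userxy' invalid!
2018/09/21 20:45:13 ASDFDGFS c (client) anonymous disconnected from 192.168.252.37
2018/09/21 20:46:01 ASDFDGFS c (client) anonymous disconnected from 10.0.0.5
2018/09/21 20:47:09 ASDFDGFS c (trail) password for 'otheruser' invalid!
2018/09/21 20:47:09 ASDFDGFS c (client) anonymous disconnected from 203.0.113.9
"""


def expand(failregex):
    """Substitute <HOST> and compile in MULTILINE mode so ^ and $ anchor at
    line boundaries inside a multi-line buffer, as they do in fail2ban."""
    return re.compile(failregex.replace("<HOST>", HOST), re.MULTILINE)


def match_multiline(log, failregex, maxlines=2):
    """Simplified model of maxlines buffering: join each window of `maxlines`
    consecutive lines with '\\n', run the regex over the window and collect the
    <host> group of every match. (fail2ban also strips the timestamp from each
    line first; these regexes tolerate that because they start with .*)"""
    pattern = expand(failregex)
    lines = log.splitlines()
    hits = []
    for i in range(len(lines)):
        window = "\n".join(lines[i:i + maxlines])
        m = pattern.search(window)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    print(match_multiline(SAMPLE_LOG, POST_REGEX))   # nothing matches
    print(match_multiline(SAMPLE_LOG, FIXED_REGEX))  # the IP from line 2
```

Run `fail2ban-regex --maxlines=2 /path/to/auth.log /etc/fail2ban/filter.d/test.conf` against the real log to confirm the same result before enabling the jail.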

Related

nslookup showing a lot of information

I am taking a CS course and we're looking into the nslookup command. When my instructor does it he gets only the non-authoritative results. When I type it, I get a ton of info, with the info I'm looking for (based on the -type== option that I input) hidden amongst it. Here's my output. Is this normal?
I ran nslookup -type==NS starwars.com
main parsing starwars.com
addlookup()
make_empty_lookup()
make_empty_lookup() = 0x7f9118d9e000->references = 1
looking up starwars.com
lock_lookup dighost.c:4184
success
start_lookup()
setup_lookup(0x7f9118d9e000)
resetting lookup counter.
cloning server list
clone_server_list()
make_server(75.75.75.75)
make_server(75.75.76.76)
idn_textname: starwars.com
using root origin
recursive query
add_question()
starting to render the message
done rendering
create query 0x7f9117a2d000 linked to lookup 0x7f9118d9e000
dighost.c:2083:lookup_attach(0x7f9118d9e000) = 2
dighost.c:2587:new_query(0x7f9117a2d000) = 1
create query 0x7f9117a2d1c0 linked to lookup 0x7f9118d9e000
dighost.c:2083:lookup_attach(0x7f9118d9e000) = 3
dighost.c:2587:new_query(0x7f9117a2d1c0) = 1
do_lookup()
start_udp(0x7f9117a2d000)
dighost.c:2936:query_attach(0x7f9117a2d000) = 2
working on lookup 0x7f9118d9e000, query 0x7f9117a2d000
dighost.c:2981:query_attach(0x7f9117a2d000) = 3
unlock_lookup dighost.c:4186
dighost.c:2898:query_attach(0x7f9117a2d000) = 4
recving with lookup=0x7f9118d9e000, query=0x7f9117a2d000, handle=(nil)
recvcount=1
have local timeout of 5000
dighost.c:2847:query_attach(0x7f9117a2d000) = 5
sending a request
sendcount=1
dighost.c:1676:query_detach(0x7f9117a2d000) = 4
dighost.c:2918:query_detach(0x7f9117a2d000) = 3
send_done(0x7f9117a8d000, success, 0x7f9117a2d000)
sendcount=0
lock_lookup dighost.c:2615
success
dighost.c:2629:lookup_attach(0x7f9118d9e000) = 4
dighost.c:2648:query_detach(0x7f9117a2d000) = 2
dighost.c:2649:lookup_detach(0x7f9118d9e000) = 3
check_if_done()
list empty
unlock_lookup dighost.c:2652
recv_done(0x7f9117a8d000, success, 0x7f91187fa010, 0x7f9117a2d000)
lock_lookup dighost.c:3577
success
recvcount=0
dighost.c:3589:lookup_attach(0x7f9118d9e000) = 4
before parse starts
after parse
printmessage()
Server: 75.75.75.75
Address: 75.75.75.75#53
Non-authoritative answer:
printsection()
starwars.com nameserver = a28-65.akam.net.
starwars.com nameserver = a9-66.akam.net.
starwars.com nameserver = a13-67.akam.net.
starwars.com nameserver = a12-66.akam.net.
starwars.com nameserver = a18-64.akam.net.
starwars.com nameserver = a1-127.akam.net.
Authoritative answers can be found from:
printsection()
printsection()
a9-66.akam.net internet address = 184.85.248.66
a9-66.akam.net has AAAA address 2a02:26f0:117::42
a13-67.akam.net internet address = 2.22.230.67
a13-67.akam.net has AAAA address 2600:1480:800::43
a12-66.akam.net internet address = 184.26.160.66
a18-64.akam.net internet address = 95.101.36.64
a1-127.akam.net internet address = 193.108.91.127
a1-127.akam.net has AAAA address 2600:1401:2::7f
a28-65.akam.net internet address = 95.100.173.65
still pending.
dighost.c:4079:query_detach(0x7f9117a2d000) = 1
dighost.c:4081:_cancel_lookup()
dighost.c:2669:query_detach(0x7f9117a2d000) = 0
dighost.c:2669:destroy_query(0x7f9117a2d000) = 0
dighost.c:1634:lookup_detach(0x7f9118d9e000) = 3
dighost.c:2669:query_detach(0x7f9117a2d1c0) = 0
dighost.c:2669:destroy_query(0x7f9117a2d1c0) = 0
dighost.c:1634:lookup_detach(0x7f9118d9e000) = 2
check_if_done()
list empty
dighost.c:4087:lookup_detach(0x7f9118d9e000) = 1
clear_current_lookup()
dighost.c:1759:lookup_detach(0x7f9118d9e000) = 0
destroy_lookup
freeing server 0x7f9117a12000 belonging to 0x7f9118d9e000
freeing server 0x7f9117a12a00 belonging to 0x7f9118d9e000
start_lookup()
check_if_done()
list empty
shutting down
dighost_shutdown()
unlock_lookup dighost.c:4091
done, and starting to shut down
cancel_all()
lock_lookup dighost.c:4200
success
unlock_lookup dighost.c:4231
destroy_libs()
freeing task
lock_lookup dighost.c:4251
success
flush_server_list()
destroy DST lib
unlock_lookup dighost.c:4279
Removing log context
Destroy memory
Just seeing if this is the normal output, because on my instructors screen, he only gets the Authoritative and Non Authoritative sections.
Looks like it relates to this: https://bugs.kali.org/view.php?id=7522
Try adding -nod2 when you run the command.

Regexp for fail2ban (for xrdp.log)

In order to configure fail2ban for xrdp attacks, I need some help with a regexp.
In /var/log/xrdp.log I can see:
[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267
So in jail.conf I add:
[rdp]
enabled = true
filter = rdp
action = iptables-multiport[name=rdp, port="3389,3390,3391", protocol=tcp]
logpath = /var/log/xrdp.log
maxretry = 5
And for filter.d/rdp.conf I wrote:
[Definition]
failregex = connection received from ::ffff:<HOST> port
ignoreregex =
Obviously my regexp is bad...
Can someone help me ?
Thx
Your failregex is redundant because <HOST> is an alias for the pattern (?:::f{4,6}:)?(?P<host>\S+), which includes the ::ffff: part. Also the date format in your log isn't supported by the default date templates of fail2ban, so you must set a custom date pattern.
[Definition]
failregex = connection received from <HOST>
ignoreregex =
datepattern = %%Y%%m%%d-%%H:%%M:%%S
As a rule of thumb you should always test your date patterns and regex with the fail2ban-regex tool.
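As an added illustration of the two points in the answer above (example code written for this page, not part of fail2ban), the following Python applies the `<HOST>` expansion quoted in the answer to the line from the question plus two constructed lines, and parses the bracketed timestamp with the datepattern from the answer. The second and third log lines are made up to cover a plain IPv6 address and a plain IPv4 address; the `::ffff:` literal in the question's regex only ever matches the first one.

```python
import re
from datetime import datetime

# fail2ban's expansion of the <HOST> tag, as quoted in the answer.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

QUESTION_REGEX = r"connection received from ::ffff:<HOST> port"  # from the question
ANSWER_REGEX = r"connection received from <HOST>"                 # from the answer

# Filter files double the % because of config interpolation; strptime wants it single.
DATEPATTERN = "%%Y%%m%%d-%%H:%%M:%%S".replace("%%", "%")

# Constructed sample: line 1 is the one quoted in the question, lines 2 and 3
# are made up (documentation/test addresses) to show plain IPv6 and IPv4 peers.
LOG_LINES = [
    "[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267",
    "[20201229-12:25:03] [INFO ] Socket 13: AF_INET6 connection received from 2001:db8::1 port 40010",
    "[20201229-12:25:10] [INFO ] Socket 14: AF_INET connection received from 198.51.100.7 port 50001",
]

TIMESTAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")


def extract_host(line, failregex):
    """Expand <HOST>, search the line and return the host group, or None.
    The optional ::ffff: prefix is consumed by the tag itself, so the
    captured host is the bare IPv4 address."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def parse_timestamp(line):
    """Pull the bracketed timestamp out of an xrdp line and parse it with the
    answer's datepattern. fail2ban derives a regex from the pattern instead;
    strptime is enough here to show that the pattern fits the log format."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), DATEPATTERN)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(parse_timestamp(line), extract_host(line, QUESTION_REGEX),
              extract_host(line, ANSWER_REGEX))
```

The same check against the real file is `fail2ban-regex /var/log/xrdp.log /etc/fail2ban/filter.d/rdp.conf`, whose output also reports how many lines the date pattern recognised.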

Error sending email using CDO on port 587 (TLS)

Is there any trick to sending mail with CDO on port 587 (the port that uses TLS security protocol)?
This is my C++ code:
CDO::IMessagePtr iMsg(__uuidof(CDO::Message));
CDO::IConfigurationPtr iConf = iMsg->GetConfiguration();
CDO::FieldsPtr iFields;
_bstr_t empty("");
iConf->Load(CDO::cdoIIS,empty); // this string constant from import
iFields = iConf->Fields;
iFields->Item["http://schemas.microsoft.com/cdo/configuration/smtpserver"]->Value = _variant_t(szServer);
iFields->Item["http://schemas.microsoft.com/cdo/configuration/smtpserverport"]->Value = _variant_t(587);
iFields->Item["http://schemas.microsoft.com/cdo/configuration/sendusing"]->Value = _variant_t(2); // cdoSendUsingPort
iFields->Item["http://schemas.microsoft.com/cdo/configuration/smtpauthenticate"]->Value = _variant_t(1); // Basic
iFields->Item["http://schemas.microsoft.com/cdo/configuration/sendusername"]->Value = _variant_t(szUser);
iFields->Item["http://schemas.microsoft.com/cdo/configuration/sendpassword"]->Value = _variant_t(szPassword);
if(iUseSSLTLS == 2)
    iFields->Item["http://schemas.microsoft.com/cdo/configuration/sendtls"]->Value = _variant_t(true);
else
    iFields->Item["http://schemas.microsoft.com/cdo/configuration/smtpusessl"]->Value = _variant_t(true);
iFields->Update();
etc... etc...
If I use this code with smtp.gmail.com:
server: smtp.gmail.com,
port: 587,
sendtls = true,
account: my gmail account,
password:
I obtain the following response:
Code = 8004020e,
Code meaning = Cannot modify or delete an object that was added using the COM+ Admin SDK,
Source = (null),
Description = Sender address rejected by the server. Server response: 530 5.7.0 Must issue a STARTTLS command first. y2sm3575389wme.12 - gsmtp,
(sorry, part of the message is in Italian, but take a look at the bold/italic part)
Obviously, if I configure Outlook 2010 using the same parameters, it works perfectly.
One more thing, if I use port 465 and SSL:
server: smtp.gmail.com,
port: 465,
smtpusessl= true,
account: my gmail account,
password:
the code works fine, but I need to configure 587 port and TLS.
I eventually tried smtpusessl and sendtls together, setting them true:
iFields->Item["http://schemas.microsoft.com/cdo/configuration/sendtls"]->Value = _variant_t(true);
iFields->Item["http://schemas.microsoft.com/cdo/configuration/smtpusessl"]->Value = _variant_t(true);
And I obtain the following error:
Code = 80040213
Code meaning = IDispatch error #19
Source = CDO.Message.1
Description = The transport failed to connect to the server.
After over 2 years, I found a solution, well ... not a solution, but now I know why it didn't work, and why it will never work. It seems there's a bug in the CDO library: it can handle the STARTTLS command on port 25, but it can't on port 587.
You can read more here:
https://social.technet.microsoft.com/Forums/en-US/37d00342-e5e9-4c8d-975d-44362332d426/bug-in-cdomessage-smtpserverport-587-fails?forum=ITCG
As I've just written above, it's a bug and I think Microsoft will never correct it. The recommendation for the future is to abandon CDO and use PowerShell or third-party components.

Create fail2ban custom rule for Apache2

I am trying to create a custom rule to ban users trying to log in too many times. The trigger is the word "CheckLogin" in the Apache log file.
Log extract:
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /Login?nok=badpassword HTTP/1.1" 10570
[03/Mar/2016:19:38:27 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-
Current filter: /etc/fail2ban/filter.d/test.conf:
[INCLUDES]
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*CheckLogin".*$
ignoreregex =
Current jail.local:
# detect password authentication failures
[test-auth-ssl]
enabled = true
port = https
filter = test
logpath = /var/log/apache2/ssl_request_log
maxretry = 3
bantime = 36000 ; 10 hrs
findtime = 360 ;
[test-auth]
enabled = true
port = http
filter = test
logpath = /var/log/apache2/access_log
maxretry = 3
bantime = 36000 ; 10 hrs
findtime = 360 ;
Must be a tricky detail in the filter failregex, but I tried various options and none worked. I can restart fail2ban without error, but the external IP used for testing is never banned (the trigger does not work).
Status for the jail: test-auth-ssl
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Got it!
Playing around with fail2ban-regex I finally found the solution.
/etc/fail2ban/filter.d/test.conf
[INCLUDES]
[Definition]
failregex = <HOST> .*CheckLogin.*$
ignoreregex =
Also in jail.local I have had to add backend=auto since it was using systemd by default
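The detail that makes `<HOST> .*CheckLogin.*$` work where `^<HOST> -...` did not is that fail2ban removes the matched timestamp from each line before applying failregex, so the stripped ssl_request_log line starts with the client address. The added Python below (example code written for this page, not fail2ban's own code) models that step and the jail's `maxretry`/`findtime` counting over a constructed log based on the lines in the question: the first host repeats CheckLogin three times in seven seconds, the second spreads three attempts over fifteen minutes. Addresses other than the one in the question are test ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # fail2ban's <HOST> expansion

QUESTION_REGEX = r'^<HOST> -.*"(GET|POST|HEAD).*CheckLogin".*$'  # never matched
ANSWER_REGEX = r"<HOST> .*CheckLogin.*$"                          # final filter

# ssl_request_log lines begin with "[dd/Mon/yyyy:HH:MM:SS zone] ".
DATE = re.compile(r"^\[(?P<ts>[^\]]+)\] ")
DATEFMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log modelled on the question's lines (third line of the original
# was truncated, so the extra lines here are made up).
ACCESS_LOG = """\
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /Login?nok=badpassword HTTP/1.1" 10570
[03/Mar/2016:19:38:27 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:38:31 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:40:02 -0600] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:50:02 -0600] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:55:02 -0600] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
"""


def split_date(line):
    """Return (timestamp, line with the date removed). fail2ban does this
    before failregex runs, which is why the filter can start with <HOST>."""
    m = DATE.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group("ts"), DATEFMT), line[m.end():]


def simulate_jail(log, failregex, maxretry=3, findtime=360):
    """Count failregex hits per host inside a sliding findtime window and
    return {host: ISO time of the line that reached maxretry}."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)
    banned = {}
    for line in log.splitlines():
        ts, rest = split_date(line)
        m = pattern.search(rest)
        if not m or ts is None or m.group("host") in banned:
            continue
        host = m.group("host")
        hits = failures[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # forget hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = ts.isoformat()
    return banned


if __name__ == "__main__":
    print(simulate_jail(ACCESS_LOG, ANSWER_REGEX))    # first host banned
    print(simulate_jail(ACCESS_LOG, QUESTION_REGEX))  # nothing, as in the question
```

If `split_date` is skipped and the regex is run on the raw line, `\S+` captures the bracketed timestamp as the "host", which is the trap the date removal avoids. Note also that `.*CheckLogin.*$` matches the string anywhere in the remainder of the line, including a Referer or query string, so a stricter filter would anchor on the request line, e.g. `"(?:GET|POST) /CheckLogin `.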

Fail2Ban regex for EXIM (TCP/IP connection count)

I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:
2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)
2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)
2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)
So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that IP for the amount of time specified in the fail2ban configuration.
What I have tried so far is something like this:
failregex = ^%(pid)s SMTP connection from \S+ [](:\d+)? (I=[\S+]:\d+ )?(TCP/IP connection count = "\S+")\s*$
but it fails ... I am not any good at regex so I need your help.
Thank you!
[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)
Try this. See demo.
http://regex101.com/r/hQ9xT1/10
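As an added example (written for this page, not taken from the answer or from fail2ban), the Python below runs two versions of the threshold check over the three log lines from the question plus constructed lines with higher counts. `LOOKAHEAD_REGEX` keeps the answer's negative-lookahead idea but adds the `<HOST>` tag, which a fail2ban filter needs in order to know what to ban; `COUNT_REGEX` captures the number instead and compares it as an integer, so the threshold becomes a parameter rather than an alternation baked into the pattern. The extra addresses are test ranges.

```python
import re

HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # fail2ban's <HOST> expansion

# The three lines from the question plus constructed ones with higher counts.
# Dates are left in place because both regexes are unanchored and search
# past them, just as the answer's pattern does.
EXIM_LOG = [
    "2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)",
    "2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)",
    "2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)",
    "2014-11-27 17:09:16 SMTP connection from [198.51.100.7] (TCP/IP connection count = 4)",
    "2014-11-27 17:09:20 SMTP connection from [203.0.113.9] (TCP/IP connection count = 13)",
    "2014-11-27 17:09:30 SMTP connection from [192.0.2.40] (TCP/IP connection count = 30)",
]

# The answer's approach with <HOST> added. The \b in each alternative is what
# lets 13 or 30 through while 1, 2 and 3 are refused.
LOOKAHEAD_REGEX = (r"SMTP connection from \[<HOST>\] "
                   r"\(TCP/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)")

# Alternative: capture the count and compare it outside the regex.
COUNT_REGEX = re.compile(r"SMTP connection from \[" + HOST +
                         r"\] \(TCP/IP connection count = (?P<count>\d+)\)")


def hosts_by_lookahead(lines):
    """Hosts whose line matches the lookahead pattern (count not in 1..3)."""
    pattern = re.compile(LOOKAHEAD_REGEX.replace("<HOST>", HOST))
    return [m.group("host") for m in map(pattern.search, lines) if m]


def hosts_over_limit(lines, limit=3):
    """Hosts whose captured connection count is strictly greater than limit."""
    return [m.group("host") for m in map(COUNT_REGEX.search, lines)
            if m and int(m.group("count")) > limit]


if __name__ == "__main__":
    print(hosts_by_lookahead(EXIM_LOG))
    print(hosts_over_limit(EXIM_LOG))            # same three hosts
    print(hosts_over_limit(EXIM_LOG, limit=12))  # only the 13 and 30 lines
```

A fail2ban filter can only hold the regex form, so the lookahead is what goes into filter.d; the integer comparison is useful for testing the threshold or for a pre-filter that rewrites the log. Bear in mind that Exim's "TCP/IP connection count" is the number of incoming SMTP connections open at that moment, not a per-client counter, so this rule bans whichever client happens to connect while the server is already busy.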