[SOLVED]Please insert the Logfiles, and more than 20 Signs

rchtk
Posts: 3
Joined: 11 Jun 2016, 13:42

[SOLVED]Please insert the Logfiles, and more than 20 Signs

Post by rchtk » 13 Jun 2016, 22:12

Hi,

I'm trying to get fail2ban action to upload IPs to blocklist.de

But I'm not sure what's wrong with the logs parameter:

Code:

curl --data-urlencode 'server=x' --data 'apikey=x' --data 'service=sshd' --data 'ip=12.34.56.78' --data-urlencode 'logs=Jun 10 00:19:34 myserver sshd[24570]: Invalid user arun from 12.34.56.78' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"

Code:

logs: Please insert the Logfiles, and more than 20 Signs.
status: error

Any advice welcome

Cheers
Last edited by rchtk on 23 Jun 2016, 23:25, edited 2 times in total.

Martin
Posts: 397
Joined: 14 Sep 2010, 11:54

Re: Please insert the Logfiles, and more than 20 Signs

Post by Martin » 13 Jun 2016, 22:53

Hello,

You need to upload/insert more log lines, because with only one reject/failed login the false-positive rate is too high.
When you set maxentry up to 3, then it is OK.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

rchtk
Posts: 3
Joined: 11 Jun 2016, 13:42

Re: Please insert the Logfiles, and more than 20 Signs

Post by rchtk » 16 Jun 2016, 21:00

Thanks for the quick reply.
You probably mean maxretry.

This is what I have in jail.conf:

Code:

[ssh-blocklist]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
         blocklist_de[email="%(sender)s", apikey="eaDEADBEEF", service="%(filter)s"]
logpath = /var/log/sshd.log
maxretry = 20

The action script is

Code:

actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"

So it looks like <matches> doesn't return all the lines? I have no idea where to look further.

Martin
Posts: 397
Joined: 14 Sep 2010, 11:54

Re: Please insert the Logfiles, and more than 20 Signs

Post by Martin » 17 Jun 2016, 13:20

Hi,

Mhhh. How big is the "findtime" in the jail.local/jail.conf?
Does it work when you set findtime higher?

Another workaround is to change the command in /etc/fail2ban/action.d/blocklist_de.conf to:

Code:

actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=`grep -nri <ip> <logpath>`' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"

Then it should find all log lines for $ip.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

rchtk
Posts: 3
Joined: 11 Jun 2016, 13:42

[SOLVED] Re: Please insert the Logfiles, and more than 20 Signs

Post by rchtk » 23 Jun 2016, 23:25

Hi Martin,

Findtime was already changed from 600 to 1800

Using grep did the trick, it just required double quotes to allow the command substitution. I'm posting it here for reference:

Code:

actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode "logs=`grep -nrm 50 <ip> <logpath>`" --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
Thank you for your quick answers
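As an added example (not code from this thread, from fail2ban or from blocklist.de), the script below reproduces the log-collection step behind the final actionban as a dry run that can be checked before it is wired into fail2ban. It works on a constructed sample sshd log, caps the result at 50 lines as the `-m 50` in the final post does, and refuses to build a report when the collected text is 20 characters or shorter (the server's complaint above) or has fewer than 3 lines (Martin's advice in the thread). Two points differ from the grep in the thread and are assumptions of this example: the address is matched as a fixed whole word (`-F -w`), because to grep `<ip>` is a regular expression and the dots in `12.34.56.78` would also match `12x34y56z78` or the tail of `112.34.56.78`; and the command substitution is done into a variable instead of inline backticks, so the quoting problem from the thread cannot recur. The function names `make_sample_log`, `collect_lines`, `count_lines` and `build_report`, the `DRY_RUN` switch, the e-mail address and the API key placeholder are all invented here; the URL, user-agent and form fields are the ones the thread uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban/blocklist.de:
# a dry run of the log-collection step behind the final actionban.

MIN_CHARS=20   # blocklist.de rejects a "logs" field of 20 characters or fewer
MIN_LINES=3    # Martin's advice in the thread: one rejected login is too few

# Write a constructed sample sshd log (not real data) and export its path.
make_sample_log() {
    SAMPLE_LOG=$(mktemp)
    cat >"$SAMPLE_LOG" <<'EOF'
Jun 10 00:19:34 myserver sshd[24570]: Invalid user arun from 12.34.56.78
Jun 10 00:19:36 myserver sshd[24570]: Failed password for invalid user arun from 12.34.56.78 port 4022 ssh2
Jun 10 00:19:40 myserver sshd[24580]: Invalid user test from 12.34.56.78
Jun 10 00:20:01 myserver sshd[24590]: Accepted publickey for alice from 10.0.0.5 port 5001 ssh2
Jun 10 00:20:10 myserver sshd[24600]: Invalid user admin from 12x34y56z78
Jun 10 00:20:12 myserver sshd[24601]: Invalid user admin from 112.34.56.78
EOF
}

# collect_lines IP LOGFILE MAX: the grep from the thread, but with the address
# matched as a fixed whole word (-F -w) so its dots are not regex wildcards,
# and at most MAX lines (-m MAX) as in the final post. grep's exit status 1
# (no match) is turned into success; a real error (status 2) is passed on.
collect_lines() {
    grep -n -F -w -m "$3" -- "$1" "$2" || [ $? -eq 1 ]
}

# count_lines IP LOGFILE: how many lines collect_lines would report (cap 50).
count_lines() {
    collect_lines "$1" "$2" 50 | awk 'END { print NR }'
}

# build_report EMAIL APIKEY SERVICE IP LOGFILE: assemble the report the action
# in the thread sends. Returns 1 when the collected lines do not meet the
# minimums; otherwise runs "$DRY_RUN curl ...", which only echoes the command
# unless DRY_RUN has been set (e.g. DRY_RUN= to really send).
build_report() {
    email=$1 apikey=$2 service=$3 ip=$4 logfile=$5
    logs=$(collect_lines "$ip" "$logfile" 50)
    if [ -z "$logs" ]; then
        nlines=0
    else
        nlines=$(printf '%s\n' "$logs" | awk 'END { print NR }')
    fi
    if [ "${#logs}" -le "$MIN_CHARS" ] || [ "$nlines" -lt "$MIN_LINES" ]; then
        echo "refusing to report $ip: $nlines line(s), ${#logs} chars" >&2
        return 1
    fi
    ${DRY_RUN-echo} curl --fail \
        --data-urlencode "server=$email" --data "apikey=$apikey" \
        --data "service=$service" --data "ip=$ip" \
        --data-urlencode "logs=$logs" --data 'format=text' \
        --user-agent "fail2ban v0.8.12" \
        "https://www.blocklist.de/en/httpreports.html"
}

# Stand-alone demonstration on the constructed log (placeholder credentials).
make_sample_log
build_report 'admin@example.invalid' 'PLACEHOLDER_APIKEY' sshd 12.34.56.78 "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Run as-is it prints the curl invocation for 12.34.56.78 (three lines, well over 20 characters) and nothing leaves the machine; only with `DRY_RUN=` set in the environment does the curl actually run. Calling `build_report` for 10.0.0.5 is refused because its single line is below the line minimum, even though it passes the character check, and for an address that does not occur at all the empty payload is refused by both checks.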
