Testing and debugging Fail2ban filters


A handy command for easily testing fail2ban filters:

fail2ban-regex

Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

Fail2Ban v0.8.3-SVN reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

This tools can test regular expressions for "fail2ban".

Options:
-h, --help              display this help message
-V, --version           print the version

Log:
string                  a string representing a log line
filename                path to a log file (/var/log/auth.log)

Regex:
string                  a string representing a 'failregex'
filename                path to a filter file (filter.d/sshd.conf)

IgnoreRegex:
string                  a string representing an 'ignoreregex'
filename                path to a filter file (filter.d/sshd.conf)

A quick test with the case of bots scanning your web server for vulnerabilities to exploit.

The command to run is:

fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf

And if everything goes well, it returns:

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use log file   : /var/log/apache2/default-error.log

Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: /var/empty/.*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

xxxxx@xxxxx:~$ fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf
/usr/share/fail2ban/server/filter.py:431: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use log file   : /var/log/apache2/default-error.log.1

Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: /var/empty/.*
|
`- Number of matches:
   [1] 20 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    72.55.156.243 (Sun Jun 06 14:18:32 2010)
    72.55.156.243 (Sun Jun 06 14:18:32 2010)
    72.55.156.243 (Sun Jun 06 14:18:33 2010)
    72.55.156.243 (Sun Jun 06 14:18:33 2010)
    72.55.156.243 (Sun Jun 06 14:32:00 2010)
    72.55.156.243 (Sun Jun 06 14:32:00 2010)
    72.55.156.243 (Sun Jun 06 14:32:01 2010)
    72.55.156.243 (Sun Jun 06 14:32:01 2010)
    72.55.156.243 (Sun Jun 06 14:32:01 2010)
    72.55.156.243 (Sun Jun 06 14:32:01 2010)
    72.55.156.243 (Sun Jun 06 15:19:52 2010)
    72.55.156.243 (Sun Jun 06 15:19:52 2010)
    72.55.156.243 (Sun Jun 06 15:19:52 2010)
    72.55.156.243 (Sun Jun 06 15:19:53 2010)
    72.55.156.243 (Sun Jun 06 15:19:53 2010)
    72.55.156.243 (Sun Jun 06 15:19:53 2010)
    88.80.10.1 (Sun Jun 06 22:02:12 2010)
    202.67.197.61 (Wed Jun 09 08:08:56 2010)
    61.153.150.170 (Fri Jun 11 13:39:20 2010)
    61.153.150.170 (Fri Jun 11 17:15:17 2010)

Date template hits:
41 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): 

Success, the total number of match is 20

However, look at the above section 'Running tests' which could contain important
information.

3 COMMENTS

Dema2 from Italy

Hi dear friend, I use Karmic Koala and fail2ban for Apache, but it does not work. I get this answer in the shell when I test the failregex:

root@amed2:~# fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-nodnsuse.conf
/usr/share/fail2ban/server/filter.py:431: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex line : /etc/fail2ban/filter.d/apache-nodnsuse.conf
Use single line: /var/log/apache2/default-error.log.1

No ‘host’ group in ‘/etc/fail2ban/filter.d/apache-nodnsuse.conf’
Cannot remove regular expression. Index 0 is not valid

Results
=======

Failregex
|- Regular expressions:
| [1] /etc/fail2ban/filter.d/apache-nodnsuse.conf
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section ‘Running tests’ which could contain important
information.
root@amed2:~#

How can I resolve this? Thanks in advance to all, best regards, dema2, Italy

admin

Hi Dema2,
In my sample I use this regex file: /etc/fail2ban/filter.d/apache-nodnsuse.conf
It is a custom filter and it is not provided by the default installation (I explain how I made the apache-nodnsuse fail2ban filter here).
So I guess you are trying to test a regex file that doesn't exist.

If you want to test a regex directly from a standard installation, you should try this instead:
fail2ban-regex /var/log/apache2/default-error.log.1 /etc/fail2ban/filter.d/apache-auth.conf

apache-auth.conf is a standard filter provided with the default fail2ban install.

Cech

[Wed Jun 26 13:43:16 2013] [error] [client 188.194.180.249] (13)Permission denied: access to /docs/me..(etc)…
I had a problem banning « Permission denied » in apache/error.log with the following line:
failregex = [[]client <HOST>[]] (Permission denied)
since the (13) in the line disqualified the regex.
Using
failregex = [[]client <HOST>[]] (\(13\)Permission denied)
solved the problem.
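To make visible what fail2ban-regex is doing when it reports "N match(es)", "Addresses found" or "No 'host' group in ...", here is a small re-implementation of its matching step. This is an added example, not fail2ban's own code: it only borrows the `<HOST>` expansion that fail2ban 0.8 applies to a failregex. The filter text and the Apache error-log lines are constructed for the example (RFC 5737 documentation addresses), and the function names (`parse_filter`, `run_filter`, `check_filter`) are the example's own. It covers both the main test above and the two situations raised in the comments: a failregex without a `<HOST>` tag, and a failregex that does not account for the `(13)` errno prefix in a "Permission denied" line.

```python
import re

# fail2ban 0.8 expands the <HOST> tag to this named group; the optional
# "::ffff:" prefix tolerates IPv4-mapped IPv6 addresses.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed Apache error-log lines (documentation addresses, not real hits).
SAMPLE_LOG = [
    "[Sun Jun 06 14:18:32 2010] [error] [client 192.0.2.10] File does not exist: /var/empty/phpmyadmin",
    "[Sun Jun 06 14:18:33 2010] [error] [client 192.0.2.10] File does not exist: /var/empty/pma",
    "[Sun Jun 06 14:20:01 2010] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Wed Jun 26 13:43:16 2013] [error] [client 203.0.113.5] (13)Permission denied: access to /docs/me denied",
]

# Constructed filter in filter.d syntax; the second failregex is a continuation line.
SAMPLE_FILTER = r"""
[Definition]
failregex = [[]client <HOST>[]] File does not exist: /var/empty/.*
            [[]client <HOST>[]] \(13\)Permission denied
ignoreregex =
"""

# A failregex whose <HOST> tag is missing: fail2ban rejects it.
BROKEN_FILTER = "[Definition]\nfailregex = [[]client []] File does not exist: .*\n"

# A failregex that ignores the "(13)" errno prefix: it never matches the log line.
CECH_FILTER = "[Definition]\nfailregex = [[]client <HOST>[]] (Permission denied)\n"


def parse_filter(text):
    """Return ([failregex, ...], [ignoreregex, ...]) from filter.d-style text.
    Indented lines continue the previous key, as in fail2ban's config parser."""
    fail, ignore, current = [], [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":            # continuation of the previous key
            if current is not None:
                current.append(stripped)
            continue
        if raw.startswith("["):        # section header such as [Definition]
            continue
        key, _, value = raw.partition("=")
        current = {"failregex": fail, "ignoreregex": ignore}.get(key.strip())
        if current is not None and value.strip():
            current.append(value.strip())
    return fail, ignore


def compile_failregex(pattern):
    """Expand <HOST> and compile; a failregex without a host group is refused."""
    rx = re.compile(pattern.replace("<HOST>", HOST_RE))
    if "host" not in rx.groupindex:
        raise ValueError("No 'host' group in '%s'" % pattern)
    return rx


def check_filter(text):
    """Return the compile errors that would be reported for this filter text."""
    errors = []
    for pattern in parse_filter(text)[0]:
        try:
            compile_failregex(pattern)
        except (ValueError, re.error) as exc:
            errors.append(str(exc))
    return errors


def run_filter(text, lines):
    """Mimic fail2ban-regex: per-failregex match counts and the hosts found.
    Lines matching an ignoreregex are skipped; the first matching failregex wins."""
    fail, ignore = parse_filter(text)
    fail_rx = [compile_failregex(p) for p in fail]
    ignore_rx = [re.compile(p.replace("<HOST>", HOST_RE)) for p in ignore]
    hits, hosts = [0] * len(fail_rx), []
    for line in lines:
        if any(rx.search(line) for rx in ignore_rx):
            continue
        for i, rx in enumerate(fail_rx):
            m = rx.search(line)
            if m:
                hits[i] += 1
                hosts.append(m.group("host"))
                break
    return hits, hosts


if __name__ == "__main__":
    hits, hosts = run_filter(SAMPLE_FILTER, SAMPLE_LOG)
    for i, n in enumerate(hits, 1):
        print("[%d] %d match(es)" % (i, n))
    print("Addresses found:", hosts)
    print("Errors for BROKEN_FILTER:", check_filter(BROKEN_FILTER))
    print("Matches for CECH_FILTER:", run_filter(CECH_FILTER, SAMPLE_LOG))
```

Running it prints two matches for the first failregex (the two /var/empty/ probes from 192.0.2.10), one for the second (the (13)Permission denied line), the third log line untouched because /var/www/ is not /var/empty/, the "No 'host' group" error for BROKEN_FILTER, and zero matches for CECH_FILTER. The `\S+` in the host group is greedy, so it is the literal `[]]` that follows which forces the match to stop at the closing bracket; that is why the bracket characters in `[[]client <HOST>[]]` matter as much as the `<HOST>` tag itself.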