Mercurial > repos > other > Puppet

annotate common/logwatch/services-fail2ban @ 192:893391e42d94 puppet-3.6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update logwatch fail2ban handling for v0.10 log changes * Ignore "Flush tickets" * Tighten regex so "[rule] Restore Ban" doesn't become separate "rule] Restore"
author IBBoard <dev@ibboard.co.uk>
date Tue, 12 Feb 2019 21:04:51 +0000
parents 4be7f49debc2
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
66
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
1 ##########################################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
2 # $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
3 ##########################################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
4 # $Log: fail2ban,v $
192
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
5 # Revision 1.5b - IBBoard
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
6 # Patched up to cover fail2ban 0.10
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
7 #
66
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
8 # Revision 1.5a - IBBoard
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
9 # Patched up to what we see on CentOS 6 w/fail2ban-0.9.2
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
10 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
11 # Revision 1.5 2008/08/18 16:07:46 mike
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
12 # Patches from Paul Gear <paul at libertysys.com> -mgt
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
13 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
14 # Revision 1.4 2008/06/30 23:07:51 kirk
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
15 # fixed copyright holders for files where I know who they should be
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
16 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
17 # Revision 1.3 2008/03/24 23:31:26 kirk
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
18 # added copyright/license notice to each script
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
19 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
20 # Revision 1.2 2006/12/15 04:53:59 bjorn
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
21 # Additional filtering, by Willi Mann.
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
22 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
23 # Revision 1.1 2006/05/30 19:04:26 bjorn
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
24 # Added fail2ban service, written by Yaroslav Halchenko.
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
25 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
26 # Written by Yaroslav Halchenko <debian@onerussian.com> for fail2ban
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
27 #
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
28 ##########################################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
29
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
30 ########################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
31 ## Copyright (c) 2008 Yaroslav Halchenko
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
32 ## Covered under the included MIT/X-Consortium License:
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
33 ## http://www.opensource.org/licenses/mit-license.php
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
34 ## All modifications and contributions by other persons to
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
35 ## this script are assumed to have been donated to the
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
36 ## Logwatch project and thus assume the above copyright
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
37 ## and licensing terms. If you want to make contributions
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
38 ## under your own copyright or a different license this
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
39 ## must be explicitly stated in the contribution an the
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
40 ## Logwatch project reserves the right to not accept such
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
41 ## contributions. If you have made significant
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
42 ## contributions to this script and want to claim
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
43 ## copyright please contact logwatch-devel@lists.sourceforge.net.
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
44 #########################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
45
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
46 use strict;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
47 use Logwatch ':all';
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
48
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
49 my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
50 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
51 my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
52 my $DebugCounter = 0;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
53 my $ReInitializations = 0;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
54 my @IptablesErrors = ();
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
55 my @ActionErrors = ();
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
56 my $NotValidIP = 0; # reported invalid IPs number
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
57 my @OtherList = ();
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
58
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
59 my %ServicesBans = ();
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
60
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
61 if ( $Debug >= 5 ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
62 print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
63 $DebugCounter = 1;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
64 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
65
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
66 while (defined(my $ThisLine = <STDIN>)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
67 if ( $Debug >= 5 ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
68 print STDERR "DEBUG($DebugCounter): $ThisLine";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
69 $DebugCounter++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
70 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
71 chomp($ThisLine);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
72 if ( ($ThisLine =~ /..,... DEBUG: /) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
73 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
74 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
75 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
76 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses pyinotify)/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
77 ($ThisLine =~ /INFO\s+Changed logging target to/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
78 ($ThisLine =~ /INFO\s+Creating new jail/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
79 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
80 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
81 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
82 ($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
83 ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
84 ($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
85 ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/)
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
86 )
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
87 {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
88 if ( $Debug >= 6 ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
89 print STDERR "DEBUG($DebugCounter): line ignored\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
90 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
91 } elsif ( ($ThisLine =~ /INFO\s+\[[^\]]+\] Found [0-9\.]+/) ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
92 if ( $Debug >= 6 ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
93 print STDERR "DEBUG($DebugCounter): line ignored\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
94 }
192
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
95 } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(?:Restore )?(Ban|Unban)[^\.]* (\S+)/)) {
66
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
96 if ( $Debug >= 6 ) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
97 print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
98 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
99 $ServicesBans{$Service}{$Host}{$Action}++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
100 $ServicesBans{$Service}{"(all)"}{$Action}++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
101 } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
102 if ($Debug >= 4) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
103 print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
104 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
105 push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
106 } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
107 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
67
4be7f49debc2 "Already Banned" is actually at NOTICE
IBBoard <dev@ibboard.co.uk>
parents: 66
diff changeset
108 } elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING|NOTICE)\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
66
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
109 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
110 } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
111 $ServicesBans{$Service}{$Host}{'ReBan'}++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
112 } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
113 push @IptablesErrors, "$ThisLine\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
114 } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
115 push @ActionErrors, "$ThisLine\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
116 } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
117 ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
118 $ReInitializations++;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
119 } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
120 # just ignore - this will be fixed within fail2ban and is harmless warning
192
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
121 } elsif ($ThisLine =~ /Flush ticket\(s\)/) {
893391e42d94 Update logwatch fail2ban handling for v0.10 log changes
IBBoard <dev@ibboard.co.uk>
parents: 67
diff changeset
122 # just ignore - this is fail2ban 0.10 doing a quick shutdown/restart
66
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
123 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
124 else
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
125 {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
126 # Report any unmatched entries...
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
127 push @OtherList, "$ThisLine\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
128 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
129 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
130
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
131 ###########################################################
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
132
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
133
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
134 if (keys %ServicesBans) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
135 printf("\nBanned services with Fail2Ban: Bans:Unbans\n");
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
136 foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
137 printf(" %-55s [%3d:%-3d]\n", "$service:",
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
138 $ServicesBans{$service}{'(all)'}{'Ban'},
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
139 $ServicesBans{$service}{'(all)'}{'Unban'});
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
140 delete $ServicesBans{$service}{'(all)'};
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
141 my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
142 if ($Detail >= 5) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
143 foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
144 my $name = LookupIP($ip);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
145 printf(" %-53s %3d:%-3d\n",
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
146 $name,
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
147 $ServicesBans{$service}{$ip}{'Ban'},
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
148 $ServicesBans{$service}{$ip}{'Unban'});
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
149 if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
150 print " Failed ";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
151 foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
152 print " $fails";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
153 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
154 print " times";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
155 printf("\n %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
156 printf("\n %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
157 print "\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
158 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
159 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
160 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
161 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
162 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
163
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
164
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
165 if ($Detail>0) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
166 if ($#IptablesErrors > 0) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
167 printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
168 if ($Detail > 5) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
169 print ":\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
170 print @IptablesErrors ;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
171 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
172 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
173 if ($#ActionErrors > 0) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
174 printf("\n%d error(s) returned from actions", $#ActionErrors);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
175 if ($Detail > 5) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
176 print ":\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
177 print @ActionErrors ;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
178 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
179 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
180 if ($ReInitializations > 0) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
181 printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
182 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
183 if ($#OtherList >= 0) {
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
184 print "\n**Unmatched Entries**\n";
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
185 print @OtherList;
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
186 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
187 }
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
188
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
189 exit(0);
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
190
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
191 # vi: shiftwidth=3 tabstop=3 syntax=perl et
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
192 # Local Variables:
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
193 # mode: perl
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
194 # perl-indent-level: 3
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
195 # indent-tabs-mode: nil
e424cd208b99 Update/fix Fail2Ban parsing in Logwatch
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
196 # End: