view common/logwatch/services-fail2ban @ 228:af2d486077a2 puppet-3.6

Blacklist two media players, ghost, webmaster and others
author IBBoard <dev@ibboard.co.uk>
date Sat, 09 Nov 2019 20:00:36 +0000
parents 893391e42d94
children
line wrap: on
line source

##########################################################################
# $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $
##########################################################################
# $Log: fail2ban,v $
# Revision 1.5b - IBBoard
# Patched up to cover fail2ban 0.10
#
# Revision 1.5a - IBBoard
# Patched up to what we see on CentOS 6 w/fail2ban-0.9.2
#
# Revision 1.5  2008/08/18 16:07:46  mike
# Patches from Paul Gear <paul at libertysys.com> -mgt
#
# Revision 1.4  2008/06/30 23:07:51  kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.3  2008/03/24 23:31:26  kirk
# added copyright/license notice to each script
#
# Revision 1.2  2006/12/15 04:53:59  bjorn
# Additional filtering, by Willi Mann.
#
# Revision 1.1  2006/05/30 19:04:26  bjorn
# Added fail2ban service, written by Yaroslav Halchenko.
#
# Written by Yaroslav Halchenko <debian@onerussian.com> for fail2ban
#
##########################################################################

########################################################
## Copyright (c) 2008  Yaroslav Halchenko
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
my $DebugCounter = 0;
my $ReInitializations = 0;
my @IptablesErrors = ();
my @ActionErrors = ();
my $NotValidIP = 0;		# reported invalid IPs number
my @OtherList = ();

my %ServicesBans = ();

if ( $Debug >= 5 ) {
	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
	$DebugCounter = 1;
}

while (defined(my $ThisLine = <STDIN>)) {
    if ( $Debug >= 5 ) {
	print STDERR "DEBUG($DebugCounter): $ThisLine";
	$DebugCounter++;
    }
    chomp($ThisLine);
    if ( ($ThisLine =~ /..,... DEBUG: /) or
	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
	 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
	 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses pyinotify)/) or
	 ($ThisLine =~ /INFO\s+Changed logging target to/) or
	 ($ThisLine =~ /INFO\s+Creating new jail/) or
	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
	 ($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or
	 ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
	 ($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or
	 ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/)
       )
    {
	if ( $Debug >= 6 ) {
	    print STDERR "DEBUG($DebugCounter): line ignored\n";
	}
    } elsif ( ($ThisLine =~ /INFO\s+\[[^\]]+\] Found [0-9\.]+/) ) {
	if ( $Debug >= 6 ) {
	    print STDERR "DEBUG($DebugCounter): line ignored\n";
	}
    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(?:Restore )?(Ban|Unban)[^\.]* (\S+)/)) {
	if ( $Debug >= 6 ) {
	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
	}
	$ServicesBans{$Service}{$Host}{$Action}++;
	$ServicesBans{$Service}{"(all)"}{$Action}++;
    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
	if ($Debug >= 4) {
	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
	}
	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
   	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING|NOTICE)\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
       $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
	    push @IptablesErrors, "$ThisLine\n";
    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
       push @ActionErrors, "$ThisLine\n";
    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
	    $ReInitializations++;
    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
	# just ignore - this will be fixed within fail2ban and is harmless warning
    } elsif ($ThisLine =~ /Flush ticket\(s\)/) {
        # just ignore - this is fail2ban 0.10 doing a quick shutdown/restart
    }
    else
    {
	# Report any unmatched entries...
	push @OtherList, "$ThisLine\n";
    }
}

###########################################################


if (keys %ServicesBans) {
    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
    foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
	printf("   %-55s [%3d:%-3d]\n", "$service:",
	       $ServicesBans{$service}{'(all)'}{'Ban'},
	       $ServicesBans{$service}{'(all)'}{'Unban'});
	delete $ServicesBans{$service}{'(all)'};
	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
	if ($Detail >= 5) {
	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
		   my $name = LookupIP($ip);
		   printf("      %-53s %3d:%-3d\n",
		       $name,
		       $ServicesBans{$service}{$ip}{'Ban'},
		       $ServicesBans{$service}{$ip}{'Unban'});
		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
		      print "	   Failed ";
		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
			      print " $fails";
		      }
		    print " times";
		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
		    print "\n";
		   }
	    }
	   }
    }
}


if ($Detail>0) {
    if ($#IptablesErrors > 0) {
	   printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
	   if ($Detail > 5) {
	    print ":\n";
	    print @IptablesErrors ;
	   }
    }
    if ($#ActionErrors > 0) {
       printf("\n%d error(s) returned from actions", $#ActionErrors);
       if ($Detail > 5) {
           print ":\n";
           print @ActionErrors ;
       }
    }
    if ($ReInitializations > 0) {
	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
    }
    if ($#OtherList >= 0) {
	   print "\n**Unmatched Entries**\n";
	   print @OtherList;
    }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: