Fail2stat: Difference between revisions
(Page created: “ == The Idea == I will explain how to combine your favorite website statistics software with fail2ban in order to produce statistics for break-in attempts at y…”) |
K |
||
Zeile 6: | Zeile 6: | ||
== The converter == | == The converter == | ||
Adapt the following script to your needs and save it, executable by the fail2ban user, in <nowiki>/usr/local/bin/fail2stat</nowiki>. | Adapt the following script to your needs and save it, executable by the fail2ban user, in <nowiki>/usr/local/bin/fail2stat</nowiki>. | ||
− | < | + | <pre> |
#!/bin/bash | #!/bin/bash | ||
# fail2stat | # fail2stat | ||
Zeile 36: | Zeile 36: | ||
rm /tmp/fail2stat | rm /tmp/fail2stat | ||
exit 0 | exit 0 | ||
− | </ | + | </pre> |
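Review bot: the context line `rm /tmp/fail2stat` shows the script keeping its scratch data under a fixed name in the world-writable /tmp, which this markup-only edit leaves in place. Creating the file with `mktemp` and removing it from an EXIT trap would stop another local account from pre-creating or symlinking that path before the fail2ban user writes to it.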
Zeile 44: | Zeile 44: | ||
Append the following lines to <nowiki>/etc/fail2ban/jail.local</nowiki> under [Default] > ACTIONS. First, define the statistics action | Append the following lines to <nowiki>/etc/fail2ban/jail.local</nowiki> under [Default] > ACTIONS. First, define the statistics action | ||
− | < | + | <pre># statistics action |
stat = webalizer | stat = webalizer | ||
− | </ | + | </pre> |
Append the statistics action at your favorite action shortcut, e.g. create | Append the statistics action at your favorite action shortcut, e.g. create | ||
− | < | + | <pre># ban & send & log stats |
action_mwls = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | action_mwls = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | ||
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] | %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] | ||
%(stat)s[name=%(__name__)s,logpath="%(logpath)s"] | %(stat)s[name=%(__name__)s,logpath="%(logpath)s"] | ||
− | </ | + | </pre> |
and, finally, set the default action to include statistics: | and, finally, set the default action to include statistics: | ||
− | < | + | <pre>action = %(action_mwls)s</pre> |
==== action.d/webalizer.conf ==== | ==== action.d/webalizer.conf ==== | ||
Copy a standard configuration file and change the line defining actionban to | Copy a standard configuration file and change the line defining actionban to | ||
− | < | + | <pre>actionban = /usr/local/bin/fail2stat <ip> <name> <logpath></pre> |
The complete file might look like this. | The complete file might look like this. |
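Review bot: in the `actionban` line the `<ip>`, `<name>` and `<logpath>` tags reach fail2stat unquoted, so a log path containing whitespace is split into several arguments and the script's third parameter no longer names the file. Consider quoting each tag in the action definition, e.g. `"<logpath>"`.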
Revision as of 16 January 2017, 12:51
The Idea
I will explain how to combine your favorite website statistics software with fail2ban in order to produce statistics for break-in attempts at your server. The idea is simple: let fail2ban convert any ban-triggering line in a log file to a web server log file format, then let your website statistics software examine the newly created pseudo web server log file. Here I treat the special case of an Apache web server running with Webalizer.
The converter
Adapt the following script to your needs and save it, executable by the fail2ban user, in /usr/local/bin/fail2stat.
<pre>
#!/bin/bash
# fail2stat
# makes fail2ban events processable for webalizer
#
IP="$1"
NAME="$2"
LOGPATH="$3"
OUT=/var/log/fail2stat.log
THIS_YEAR="$(date +%Y)"
THIS_MONTH="$(date +%-m)"

# private scratch file instead of a fixed, predictable name in /tmp
TMP="$(mktemp)" || exit 1
trap 'rm -f "$TMP"' EXIT

# get the log lines; -F matches the IP literally (dots are not wildcards)
grep -F -- "$IP" "$LOGPATH" > "$TMP"

# don't process if they are from an apache log file
if [[ "$LOGPATH" == *"apache"* ]]; then
    cat "$TMP" >> "$OUT"
    exit 0
fi

# processing in the following way is valid for auth.log and mail.log;
# adapt if you need differently formatted logs
while read -r MONTH DAY TIME TARGET DAEMON ETC; do
    # as the year is not part of the log line, we have to take extra care around New Year:
    # a month later than the current one belongs to the previous year.
    # %-m prints the month without a leading zero, so 08 and 09 are not read as octal.
    YEAR="$THIS_YEAR"
    MONTH_NUMBER="$(date -d "$MONTH 1, $THIS_YEAR" +%-m 2>/dev/null)" || continue
    if (( MONTH_NUMBER > THIS_MONTH )); then YEAR=$((THIS_YEAR - 1)); fi
    #
    DAEMON="${DAEMON%%\[*}"
    MSG="${ETC#*: }"; MSG="${MSG%%from *}"; MSG="${MSG% }"
    # spaces become underscores; so does anything else that could break the log format
    MSG="$(printf '%s' "$MSG" | tr -c '[:alnum:]._-' '_')"
    USER="${MSG##*user?}"; USER="${USER%%_*}"
    # the numbers 200 and 1024 are arbitrary
    echo "$IP - $USER [$DAY/$MONTH/$YEAR:$TIME +0000] \"GET /$NAME/$MSG/ HTTP/1.1\" 200 1024 \"-\" \"$TARGET/$DAEMON\"" >> "$OUT"
done < "$TMP"
exit 0
</pre>
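A check for the converter's output, added here as an example and not part of the original page: it tests each line of the pseudo log against the combined log format that the script's echo statement writes, so entries broken by quotes or spaces in a logged user name are caught before Webalizer reads the file. The helper names check_line and check_log and the two sample lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: sanity-check pseudo web server log lines before Webalizer reads them.
# check_line and check_log are hypothetical helper names, not part of fail2stat.

# Line layout written by fail2stat:
# IP - USER [D/Mon/YYYY:HH:MM:SS +0000] "GET /NAME/MSG/ HTTP/1.1" 200 1024 "-" "TARGET/DAEMON"
CLF_RE='^([0-9a-fA-F:.]+) - ([^ "]*) \[([0-9]{1,2})/([A-Z][a-z]{2})/([0-9]{4}):([0-9]{2}:){2}[0-9]{2} [+-][0-9]{4}\] "GET (/[^ "]*) HTTP/1\.1" [0-9]{3} [0-9]+ "[^"]*" "[^"]*"$'

# check_line LINE: exit status 0 if LINE is a well-formed entry, 1 otherwise
check_line() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq -- "$CLF_RE"
}

# check_log FILE: prints the number of malformed lines in FILE
check_log() {
    # grep -c exits 1 when the count is 0, which is not an error here
    LC_ALL=C grep -Evc -- "$CLF_RE" "$1" || true
}

# Constructed sample lines (documentation address range, made-up host and user names).
# BAD_LINE is what an unsanitized user name containing a double quote would produce.
GOOD_LINE='203.0.113.7 - admin [16/Jan/2017:12:51:03 +0000] "GET /sshd/Failed_password_for_invalid_user_admin/ HTTP/1.1" 200 1024 "-" "host1/sshd"'
BAD_LINE='203.0.113.7 - a"b [16/Jan/2017:12:51:04 +0000] "GET /sshd/Invalid_user_a"b/ HTTP/1.1" 200 1024 "-" "host1/sshd"'

# Stand-alone use: pass the log file as the first argument
if [ -n "${1:-}" ]; then
    echo "malformed lines in $1: $(check_log "$1")"
fi
```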
fail2ban configuration
jail.local
Append the following lines to /etc/fail2ban/jail.local under [DEFAULT] > ACTIONS. First, define the statistics action:
<pre># statistics action
stat = webalizer
</pre>
Append the statistics action to your favorite action shortcut, e.g. create
<pre># ban & send & log stats
action_mwls = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
              %(stat)s[name=%(__name__)s,logpath="%(logpath)s"]
</pre>
and, finally, set the default action to include statistics:
<pre>action = %(action_mwls)s</pre>
action.d/webalizer.conf
Copy a standard configuration file and change the line defining actionban to
<pre>actionban = /usr/local/bin/fail2stat <ip> <name> <logpath></pre>
The complete file might look like this.