Fail2stat: Difference between revisions

From codecivil
Revision as of 16 January 2017, 12:51

The Idea

I will explain how to combine your favorite website statistics software with fail2ban in order to produce statistics for break-in attempts at your server. The idea is simple: let fail2ban convert any ban-triggering line in a log file into the web server log file format, then have your website statistics software examine the newly created pseudo web server log file. Here I treat the special case of an Apache web server running with Webalizer.


The converter

Adapt the following script to your needs and save it, executable by the fail2ban user, in /usr/local/bin/fail2stat.

#!/bin/bash
# fail2stat
#       makes fail2ban events processable for webalizer
#
# called by fail2ban as:  fail2stat <ip> <name> <logpath>
IP="$1"
NAME="$2"
LOGPATH="$3"
OUT=/var/log/fail2stat.log
# no globbing: log messages may contain '*' and are expanded unquoted below
set -f
# private temp file instead of a fixed /tmp name (fail2ban runs this as root)
TMP="$(mktemp)" || exit 1
trap 'rm -f "$TMP"' EXIT
# get the log lines; -F matches the address literally, not as a regex
grep -F -- "$IP" "$LOGPATH" > "$TMP"
# don't process if they are from an apache log file (already in web log format)
if [[ "$LOGPATH" == *"apache"* ]]; then cat "$TMP" >> "$OUT"; exit 0; fi
# processing in the following way is valid for auth.log and mail.log;
# adapt if you need differently formatted logs
while read -r MONTH DAY TIME TARGET DAEMON ETC
        do
                # as the year is not part of the log line, we have to take extra care around New Year:
                # a month later than the current one belongs to the previous year.
                # Computed per line so the year does not drift across a batch;
                # 10# forces decimal so "08"/"09" are not read as octal.
                YEAR="$(date +%Y)"
                MONTH_NUMBER="$(date -d "$MONTH 1, $YEAR" +%m)"
                if [[ $((10#$MONTH_NUMBER)) -gt $((10#$(date +%m))) ]]; then YEAR=$((YEAR - 1)); fi
                # syslog writes "Jan  5"; the Common Log Format wants a two-digit day
                DAY="$(printf '%02d' "$((10#$DAY))")"
                DAEMON="${DAEMON%%[*}"
                MSG="${ETC#*: }"; MSG="${MSG%%from *}"
                MSG="$(echo $MSG | sed 's/ /_/g')"
                USER="${MSG##*user?}"; USER="${USER%%_*}"
                # the numbers 200 and 1024 are arbitrary
                echo "$IP - $USER [$DAY/$MONTH/$YEAR:$TIME +0000] \"GET /$NAME/$MSG/ HTTP/1.1\" 200 1024 \"-\" \"$TARGET/$DAEMON\"" >> "$OUT"
        done < "$TMP"
exit 0
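The conversion above is easiest to check when it is written as functions over a single log line rather than over /var/log. The following is an added example (not the wiki's fail2stat script): it performs the same syslog-to-Common-Log-Format mapping and the same New Year rollover, in POSIX sh, on constructed auth.log lines. The function names (month_number, clf_year, syslog_to_clf) and the sample lines, which use RFC 5737 documentation addresses, are assumptions of this example; in the real action fail2ban supplies <ip>, <name> and <logpath> and the lines are grep'ed out of the log file.

```shell
#!/bin/sh
# Added example, not the wiki's script: syslog line -> Common Log Format line,
# written as pure functions so the field parsing and the year rollover can be
# tested on constructed input. Names and sample data are assumptions.
set -f   # no globbing: log messages may contain '*' and are word-split below

# month_number Mon -> 1..12 (no leading zero, so it is safe inside $(( )))
month_number() {
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# clf_year Mon CUR_YEAR CUR_MONTH
# syslog lines carry no year: a line dated in a month later than the current
# one must come from the previous year. Computed per line, so the result never
# drifts when several old lines are processed in one batch.
clf_year() {
    local mnum cur_month
    mnum="$(month_number "$1")" || return 1
    cur_month="${3#0}"                        # "01" -> 1, avoids octal parsing
    if [ "$mnum" -gt "$cur_month" ]; then
        echo "$(($2 - 1))"
    else
        echo "$2"
    fi
}

# syslog_to_clf IP NAME CUR_YEAR CUR_MONTH LINE -> one CLF line on stdout
syslog_to_clf() {
    local ip name cur_year cur_month month day time target daemon etc year msg user
    ip="$1"; name="$2"; cur_year="$3"; cur_month="$4"
    set -- $5                                 # word-split; "Jan  5" -> Jan, 5
    month="$1"; day="$2"; time="$3"; target="$4"; daemon="$5"
    shift 5
    etc="$*"                                  # rest of the line is the message
    year="$(clf_year "$month" "$cur_year" "$cur_month")" || return 1
    day="$(printf '%02d' "${day#0}")"         # CLF dates use a two-digit day
    daemon="${daemon%%\[*}"                   # "sshd[1234]:" -> "sshd"
    msg="${etc#*: }"; msg="${msg%%from *}"    # drop a "prefix: " and the "from <ip> ..." tail
    set -- $msg; msg="$(IFS=_; printf '%s\n' "$*")"   # spaces -> "_" for the URL path
    user="${msg##*user?}"; user="${user%%_*}" # word after "user "; falls back to the first word
    printf '%s - %s [%s/%s/%s:%s +0000] "GET /%s/%s/ HTTP/1.1" 200 1024 "-" "%s/%s"\n' \
        "$ip" "$user" "$day" "$month" "$year" "$time" "$name" "$msg" "$target" "$daemon"
}

# Constructed sample lines (RFC 5737 addresses), as they would appear in auth.log.
SAMPLE1='Jan  5 10:11:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2'
SAMPLE2='Dec 31 23:59:58 host sshd[1234]: Failed password for root from 203.0.113.5 port 4445 ssh2'
syslog_to_clf 203.0.113.5 sshd 2017 01 "$SAMPLE1"
syslog_to_clf 203.0.113.5 sshd 2017 01 "$SAMPLE2"   # dated 2016 by the rollover rule
```

Two details are worth noticing when adapting the pattern to other log formats: the banned address is only ever passed as a quoted argument, never interpolated into a regex, and the year is derived per line from the current date rather than by decrementing a shared variable, which would go wrong as soon as two December lines sit in one batch.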


fail2ban configuration

jail.local

Append the following lines to /etc/fail2ban/jail.local under [Default] > ACTIONS. First, define the statistics action:

# statistics action
stat = webalizer

Append the statistics action to your favorite action shortcut, e.g. create

# ban & send & log stats
action_mwls = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
               %(stat)s[name=%(__name__)s,logpath="%(logpath)s"]

and, finally, set the default action to include statistics:

action = %(action_mwls)s

action.d/webalizer.conf

Copy a standard configuration file and change the line defining actionban to

actionban = /usr/local/bin/fail2stat <ip> <name> <logpath>

The complete file might look like this.
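The wiki's own complete file is not reproduced on this page. As an added example, not the wiki author's file, this is a minimal action.d/webalizer.conf built from the standard fail2ban action keys ([Definition] with actionstart, actionstop, actioncheck, actionban and actionunban, plus [Init]); the only line that differs from an empty action is the actionban shown above. The <name> and <logpath> tags are available because the jail.local shortcut above passes name=... and logpath=... to the action; note that the section fail2ban reads as its defaults is spelled [DEFAULT] in the shipped jail.conf, so the stat and action_mwls lines must land in that section, and that /usr/local/bin/fail2stat runs with fail2ban's privileges and should be writable only by root.

```ini
# /etc/fail2ban/action.d/webalizer.conf  (added example, not the wiki's file)
[Definition]
# nothing to set up or tear down: the converter only appends to a log file
actionstart =
actionstop =
actioncheck =
# called once per ban with the banned address, the jail name and the jail's
# log path (name and logpath come from the parameters given in jail.local)
actionban = /usr/local/bin/fail2stat <ip> <name> <logpath>
# a statistics action must not undo anything on unban
actionunban =

[Init]
# fallback jail name; jail.local overrides it with name=%(__name__)s
name = default
```

With this file in place, a ban in any jail that uses action_mwls produces one pseudo web log line per matching log entry in /var/log/fail2stat.log, which Webalizer can then be pointed at like any other Apache access log.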