Fail2stat

From codecivil
Revision as of 16 January 2017, 12:42, by Codecivil

The Idea

I will explain how to combine your favorite website statistics software with fail2ban in order to produce statistics for break-in attempts at your server. The idea is simple: let fail2ban convert every ban-triggering line in a log file to a web server log file format, then let your website statistics software examine the newly created pseudo web server log file. Here I treat the special case of an Apache web server running with Webalizer.


The converter

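Adapt the following script to your needs and save it, executable by the fail2ban user, in /usr/local/bin/fail2stat.

    #!/bin/bash
    # fail2stat
    # makes fail2ban events processable for webalizer
    #
    IP="$1"
    NAME="$2"
    LOGPATH="$3"
    YEAR="$(date +%Y)"
    # private temporary file instead of a fixed, predictable name in /tmp
    TMPFILE="$(mktemp)" || exit 1
    trap 'rm -f "$TMPFILE"' EXIT
    # get the log lines (-F: the IP is a fixed string, not a regex; -h: no file name prefix)
    # $LOGPATH stays unquoted on purpose so that a glob or several paths expand
    grep -hF -- "$IP" $LOGPATH > "$TMPFILE"
    # don't process if they are from an apache log file
    if [[ "$LOGPATH" == *"apache"* ]]; then
        cat "$TMPFILE" >> /var/log/fail2stat.log
        exit 0
    fi
    # processing in the following way is valid for auth.log and mail.log;
    # adapt if you need differently formatted logs
    while read -r MONTH DAY TIME TARGET DAEMON ETC; do
        # as the year is not part of the log line, we have to take extra care around New Year.
        # 10# forces base 10, otherwise "08" and "09" are rejected as invalid octal numbers
        MONTH_NUMBER="$(date -d "$MONTH 1, $YEAR" +%m)"
        # per-line year, so that YEAR is not decremented again for every further line
        LINE_YEAR="$YEAR"
        if [[ $((10#$MONTH_NUMBER - 1)) -ge $((10#$(date +%m))) ]]; then LINE_YEAR=$((YEAR - 1)); fi
        # Apache writes the day of the month with two digits
        printf -v DAY '%02d' "$((10#$DAY))"
        #
        DAEMON="${DAEMON%%[*}"
        MSG="${ETC#*: }"; MSG="${MSG%%from *}"
        # the message is influenced by the remote client: besides spaces, replace every
        # character (e.g. a double quote) that would break the quoted request field
        MSG="$(printf '%s' "$MSG" | sed -e 's/ *$//' -e 's/[^[:alnum:]._:@=-]\{1,\}/_/g')"
        USER="${MSG##*user?}"; USER="${USER%%_*}";
        # the numbers 200 and 1024 are arbitrary
        echo "$IP - $USER [$DAY/$MONTH/$LINE_YEAR:$TIME +0000] \"GET /$NAME/$MSG/ HTTP/1.1\" 200 1024 \"-\" \"$TARGET/$DAEMON\"" >> /var/log/fail2stat.log
    done < "$TMPFILE"
    exit 0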
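The user and message fields of the pseudo access log are cut from log text that a remote client can influence, and lines from Apache log files are copied through unchanged, so the file can contain lines that are not well-formed access-log entries. The following check is an added example, not part of the original page: it separates well-formed combined-log-format lines from the rest before the statistics software reads them. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: find lines in the pseudo access
# log that are not well-formed combined-log-format entries.

# host ident user [time] "request" status bytes "referer" "agent";
# quoted fields may hold backslash-escaped characters, as Apache writes them.
CLF_RE='^[^ ]+ [^ ]+ [^ ]+ \[[0-9]{1,2}/[A-Z][a-z]{2}/[0-9]{4}(:[0-9]{2}){3} [+-][0-9]{4}] "[A-Z]+ [^ "]+ HTTP/[0-9.]+" [0-9]{3} ([0-9]+|-) "([^"\\]|\\.)*" "([^"\\]|\\.)*"$'

# count_bad FILE: print the number of lines that do not match CLF_RE
count_bad() {
    [ -r "$1" ] || return 2
    grep -Evc -- "$CLF_RE" "$1" || true    # grep -c exits 1 when it prints 0
}

# split_log FILE GOOD BAD: matching lines go to GOOD, all others to BAD
split_log() {
    [ -r "$1" ] || return 2
    grep -E  -- "$CLF_RE" "$1" > "$2" || true
    grep -Ev -- "$CLF_RE" "$1" > "$3" || true
}

# make_sample FILE: constructed sample (documentation IP ranges).
# Lines 1-2 are well formed; line 3 carries a double quote taken over from
# the log message; line 4 is an Apache error-log line copied through as is.
make_sample() {
    cat > "$1" <<'EOF'
203.0.113.7 - admin [16/Jan/2017:12:42:01 +0000] "GET /sshd/Invalid_user_admin/ HTTP/1.1" 200 1024 "-" "host1/sshd"
203.0.113.9 - - [16/Jan/2017:12:40:00 +0100] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - x [16/Jan/2017:12:43:10 +0000] "GET /sshd/Invalid_user_x"_y/ HTTP/1.1" 200 1024 "-" "host1/sshd"
[Mon Jan 16 12:44:02.123456 2017] [auth_basic:error] [pid 1234] [client 198.51.100.23:51234] AH01617: user admin: authentication failure for "/": Password Mismatch
EOF
}

# Demo on the constructed sample; point split_log at /var/log/fail2stat.log
# in real use and feed only the GOOD file to the statistics software.
tmp=$(mktemp -d) || exit 1
make_sample "$tmp/log"
split_log "$tmp/log" "$tmp/good" "$tmp/bad"
echo "rejected $(count_bad "$tmp/log") line(s):"
cat "$tmp/bad"
rm -rf "$tmp"
```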


fail2ban configuration

jail.local

Append the following lines to /etc/fail2ban/jail.local under [DEFAULT] > ACTIONS. First, define the statistics action

    # statistics action
    stat = webalizer

Append the statistics action at your favorite action shortcut, e.g. create

    # ban & send & log stats
    action_mwls = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                  %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
                  %(stat)s[name=%(__name__)s,logpath="%(logpath)s"]

and, finally, set the default action to include statistics:

    action = %(action_mwls)s

action.d/webalizer.conf

Copy a standard configuration file and change the line defining actionban to

    actionban = /usr/local/bin/fail2stat <ip> <name> <logpath>

The complete file might look like this.