Thread: Fail2Ban and database

  1. #1
    Join Date
    May 2012
    Beans
    304

    Fail2Ban and database

    Hello everybody,

    Is there a way that, if fail2ban bans an IP address, I can insert it into a MySQL database?

    Thx in advance

  2. #2

    Re: Fail2Ban and database

    Are you looking to have some software do it for you, or looking for a green light to write such code or procedure?
    It is definitely do-able, but would require you to parse /etc/hosts.deny and, once the IP is found, stick that in an "insert" statement so MySQL will accept it.

    A CSV file import is also possible: parse /etc/hosts.deny further and then do a data import using the .csv file as the source.
    The interval would also have to be programmed (how will it 'run'?), and I'd suggest a cron job for that schedule.

    HTH.
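    The procedure described above (pick banned addresses out of what fail2ban produces, feed each one to a parameterised INSERT, run it on a schedule) as an added example; this is not code from the thread. It reads fail2ban's own log rather than /etc/hosts.deny, because the log also tells you the jail and the time of the ban, and it uses an in-memory SQLite database as a stand-in for MySQL so it runs offline. The log lines are constructed samples in the fail2ban 0.8 format; the table and column names are assumptions.

    ```python
    import re
    import sqlite3

    # Constructed sample of a fail2ban log (not taken from the thread). Only the
    # "Ban" lines are of interest; the error and "Unban" lines must be ignored.
    SAMPLE_LOG = """\
    2013-07-08 14:10:01,120 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
    2013-07-08 14:12:50,045 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
    2013-07-08 14:15:33,901 fail2ban.actions: WARNING [apache-404] Ban 198.51.100.7
    2013-07-08 14:20:01,120 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
    2013-07-08 14:21:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
    """

    # Timestamp (without milliseconds), jail name in brackets, then the banned address.
    BAN_RE = re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
        r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
    )


    def parse_bans(text):
        """Yield (timestamp, jail, ip) for every 'Ban' line; all other lines are skipped."""
        for line in text.splitlines():
            m = BAN_RE.match(line)
            if m:
                yield m.group("ts"), m.group("jail"), m.group("ip")


    def store_bans(conn, bans):
        """Insert bans through a parameterised statement (never by string formatting,
        since the log content is attacker-influenced). Returns the number of new rows.
        The UNIQUE constraint makes repeated runs from cron idempotent."""
        conn.execute(
            "CREATE TABLE IF NOT EXISTS bans ("
            " banned_at TEXT NOT NULL, jail TEXT NOT NULL, ip TEXT NOT NULL,"
            " UNIQUE(banned_at, jail, ip))"
        )
        before = conn.total_changes
        conn.executemany(
            "INSERT OR IGNORE INTO bans (banned_at, jail, ip) VALUES (?, ?, ?)", bans
        )
        conn.commit()
        return conn.total_changes - before


    def import_log(text):
        """Import one log text into a fresh in-memory database; return (inserted, rows)."""
        conn = sqlite3.connect(":memory:")
        inserted = store_bans(conn, parse_bans(text))
        rows = conn.execute(
            "SELECT banned_at, jail, ip FROM bans ORDER BY banned_at"
        ).fetchall()
        return inserted, rows


    def import_twice(text):
        """Simulate two scheduled runs over the same log; the second must insert nothing."""
        conn = sqlite3.connect(":memory:")
        first = store_bans(conn, parse_bans(text))
        second = store_bans(conn, parse_bans(text))
        return first, second


    if __name__ == "__main__":
        inserted, rows = import_log(SAMPLE_LOG)
        print(f"inserted {inserted} bans")
        for row in rows:
            print(row)
    ```

    For MySQL the same statements work with a DB-API driver such as mysql-connector or PyMySQL, with `%s` placeholders in place of `?` and `INSERT IGNORE` in place of `INSERT OR IGNORE`; the cron entry then just runs the script against the live log path.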


  3. #3
    Join Date
    May 2012
    Beans
    304

    Re: Fail2Ban and database

    I think we can read the log file, I checked the iptables:

    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1213
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1215
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9091
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51413
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1213
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9091
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51413
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere
    Even though I tried to connect to SSH with wrong information, I was not banned. Is the information above correct?

    in my fail2ban log, I found this line:

    Code:
    2013-07-08 14:12:50,045 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
    iptables -F fail2ban-ssh

  4. #4

    Re: Fail2Ban and database

    Quote Originally Posted by alfirdaous:
    Even though I tried to connect to SSH with wrong information, I was not banned
    How many times did you try wrong information?


  5. #5
    Join Date
    May 2012
    Beans
    304

    Re: Fail2Ban and database

    more than 6 times

  6. #6

    Re: Fail2Ban and database

    then I'd check the settings in /etc/fail2ban/jail.conf
    paying particular attention to entries like

    Code:
    ignoreip = 127.0.0.1
    bantime  = 600
    maxretry = 3
    If you tried it from the same host where it is installed, then an "ignoreip = 127.0.0.1" setting would account for that behavior.
    Also check logtarget using
    Code:
    grep -i logtarget /etc/fail2ban/fail2ban.conf
    and report the output here.
    I am not sure what /var/log/* file fail2ban logs to on Ubuntu, sorry.

    Please let us know...


  7. #7
    Join Date
    May 2012
    Beans
    304

    Re: Fail2Ban and database

    I tried from a different host.

  8. #8

    Re: Fail2Ban and database

    check the settings in /etc/fail2ban/jail.conf and

    /etc/fail2ban/fail2ban.conf


  9. #9
    Join Date
    May 2012
    Beans
    304

    Re: Fail2Ban and database

    I renamed jail.conf to jail.conf.local and tried with error 404:

    Code:
    [apache-404]
    enabled = true
    port = http
    filter = apache-404
    logpath = /var/log/apache*/error*.log
    maxretry = 3
    and this is the file apache-404:

    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 471 $
    #
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failure messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching.
    # Values: TEXT
    # [client x.x.x.x] File does not exist: /home/www/admin/admin,
    failregex = [[]client <HOST>[]] File does not exist: .*
    #
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
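    To see what the apache-404 filter above actually catches, the following added example (not code from the thread or from the fail2ban project) expands the filter's `<HOST>` tag the way fail2ban does and runs the resulting failregex over constructed Apache error-log lines. The `<HOST>` expansion used is the 0.8-era pattern and is an assumption to check against the installed version; the sample lines are constructed, not from the poster's logs.

    ```python
    import re

    # fail2ban replaces the <HOST> tag in a failregex with a named group "host".
    # This is the 0.8-series expansion (assumption; confirm against your version).
    HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

    # The failregex from the apache-404 filter quoted in the thread.
    # "[[]" and "[]]" are how the filter files write literal brackets.
    FAILREGEX = r"[[]client <HOST>[]] File does not exist: .*"

    # Constructed Apache error-log lines (not from the thread). Only the first two
    # are the "File does not exist" errors the filter is meant to count.
    SAMPLE_LINES = [
        "[Mon Jul 08 14:12:50 2013] [error] [client 198.51.100.7] File does not exist: /var/www/admin",
        "[Mon Jul 08 14:12:51 2013] [error] [client 198.51.100.7] File does not exist: /var/www/phpmyadmin",
        "[Mon Jul 08 14:12:52 2013] [error] [client 192.0.2.10] script not found or unable to stat: /var/www/cgi-bin/test",
        "[Mon Jul 08 14:12:53 2013] [notice] caught SIGTERM, shutting down",
    ]


    def compile_failregex(failregex):
        """Turn a filter's failregex into a Python regex by expanding <HOST>."""
        return re.compile(failregex.replace("<HOST>", HOST_TAG))


    def extract_hosts(lines, failregex=FAILREGEX):
        """Return the host captured from each line the filter treats as a failure.
        Lines that do not match (other errors, notices) contribute nothing."""
        rx = compile_failregex(failregex)
        hosts = []
        for line in lines:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
        return hosts


    def count_by_host(lines, failregex=FAILREGEX):
        """Tally failures per host, which is the count fail2ban compares with maxretry."""
        counts = {}
        for host in extract_hosts(lines, failregex):
            counts[host] = counts.get(host, 0) + 1
        return counts


    if __name__ == "__main__":
        for host, n in count_by_host(SAMPLE_LINES).items():
            print(f"{host}: {n} failures")
    ```

    With `maxretry = 3` in the jail, the two matches for 198.51.100.7 here would not yet trigger a ban; a third "File does not exist" line from that client within findtime would. The same check is what `fail2ban-regex <logfile> <filterfile>` does on an installed system.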
