Fail2ban failing you?





Are you feeding fail2ban from a central syslog server?
Are attacks against some hosts getting banned while identical attacks against others sail through (ssh brute-force attempts, for example)?
If the difference is in the line endings, there is a patch for it:
The filter in /etc/fail2ban/filter.d/sshd.conf needs \s* added before the end-of-line anchor to eat up the extra white space some senders leave after the "interesting" bits of the log message:
https://github.com/fail2ban/fail2ban/commit/25f1e8d98c5a7af353b6d85d91a4b968a8425335
Thanks Yaroslav Halchenko for that fix!
At least Slackware puts extra spaces before the end of the line in its sshd auth log messages, so a failregex anchored directly at end of line never matches them and those attackers are never banned.



Another thing I found while debugging is differences with rsyslog.
Thanks Jeff from kkoncepts.net!
http://www.kkoncepts.net/node/59
Here is the gist (in case the link above goes away):
If the remote syslog messages arrive with duplicated host names, define a new rsyslog output template and use it for the remote destination. The template below leaves out %HOSTNAME%, which is what a sysklogd-style receiver expects; the receiver then fills in the sender's hostname itself, so it appears once instead of twice.

In /etc/rsyslog.conf, add this:
$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"

In /etc/rsyslog.d/50-default.conf (or the rules section of /etc/rsyslog.conf if you put the template there), change your remote line to use the new format. A single @ forwards over UDP; use @@ for TCP:
*.*                             @x.x.x.x;sysklogd

Then restart rsyslog
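To see both problems above side by side (the trailing white space that needs \s* in the sshd failregex, and the duplicated hostname that the rsyslog template fixes), here is an added example that is not code from the original page or from fail2ban. It runs a simplified, stand-in sshd failregex over constructed log lines; the real fail2ban filter is more elaborate, and the assumption that trailing spaces survive into the text the regex sees is exactly the situation the page describes.

```python
import re

# Constructed sample lines; none of these come from the original page.
# - web1: a normal line with nothing after "ssh2"
# - web2: trailing spaces before end of line, as the page reports for Slackware
# - web3: hostname duplicated by a mismatched rsyslog forward template
# - web4: a successful login, which must never match
SAMPLE_LINES = [
    "Mar  1 10:00:01 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Mar  1 10:00:02 web2 sshd[2345]: Failed password for invalid user admin from 198.51.100.7 port 5151 ssh2   ",
    "Mar  1 10:00:03 web3 web3 sshd[3456]: Failed password for root from 192.0.2.44 port 6161 ssh2",
    "Mar  1 10:00:04 web4 sshd[4567]: Accepted password for deploy from 192.0.2.9 port 7171 ssh2",
]

# Simplified stand-in for fail2ban's line prefix: timestamp, ONE hostname, sshd[pid]:
# (assumption: this is not the real filter, just enough to show the failure modes)
PREFIX = r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[\d+\]:\s+"
BODY = r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"

# The failure mode: anchored straight at end of line, trailing spaces break the match.
FAILREGEX_STRICT_EOL = re.compile(PREFIX + BODY + r"$")
# The fix the page points at: let \s* eat whatever whitespace precedes end of line.
FAILREGEX_WS_TOLERANT = re.compile(PREFIX + BODY + r"\s*$")


def matched_hosts(regex, lines):
    """Return the attacker IPs a failregex would hand to fail2ban, in log order.

    Only the line terminator is stripped, so trailing spaces reach the regex.
    """
    hosts = []
    for line in lines:
        m = regex.search(line.rstrip("\r\n"))
        if m:
            hosts.append(m.group("host"))
    return hosts


def unmatched_failures(regex, lines):
    """Lines that report a failed password but that the regex does not catch.

    These are the attackers that quietly never get banned.
    """
    return [l for l in lines
            if "Failed password" in l and not regex.search(l.rstrip("\r\n"))]


if __name__ == "__main__":
    for name, rx in (("strict $", FAILREGEX_STRICT_EOL), ("\\s*$", FAILREGEX_WS_TOLERANT)):
        print(f"{name:10s} bans {matched_hosts(rx, SAMPLE_LINES)}")
        for line in unmatched_failures(rx, SAMPLE_LINES):
            print(f"{name:10s} MISSED: {line.strip()!r}")
```

The strict regex bans only web1's attacker; adding \s* also catches the Slackware-style line from web2. The duplicated-hostname line from web3 is missed by both, because no amount of white-space tolerance makes two hostnames look like one: that one has to be fixed on the rsyslog side. Against real logs, fail2ban ships the same check as `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines matched and which did not.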

For the central server (if it runs rsyslog), edit /etc/rsyslog.conf and uncomment the lines:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

- or - for tcp:

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

--- older versions ---
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Then restart rsyslog.
Two caveats before pointing fail2ban at the result: plain syslog on port 514 is neither encrypted nor authenticated, so anyone who can reach the port (and, for UDP, anyone who can spoof a source address) can inject a forged "Failed password ... from x.x.x.x" line and get an innocent address banned; restrict port 514 to your own hosts with a firewall rule. And UDP drops messages under load, so a busy sender can lose exactly the failures you wanted counted; prefer TCP for the forwarding when fail2ban depends on it.


Yet another thing to tweak when running central syslog:
Say you have a provider that does not want to set up your reverse DNS correctly.
You can do it yourself on the syslog host.
Here is how:
install dnsmasq
add a file with your reverse mappings (say /etc/dnsmasq-hosts), in /etc/hosts format:
x.x.x.x    hostname.domain    hostname
x.x.x.y    hostname2.domain   hostname2

Then add this line to /etc/dnsmasq.conf and restart dnsmasq:
addn-hosts=/etc/dnsmasq-hosts

Then add 
nameserver 127.0.0.1

to the top of /etc/resolv.conf so the resolver asks dnsmasq first, which gets you pretty names for your hosts. dnsmasq itself reads /etc/resolv.conf for its upstream servers but skips its own address (it logs "ignoring nameserver 127.0.0.1 - local interface"), so the remaining nameserver lines are still used for everything else.
This slots the hostnames in cleanly where you can't get the provider to do the right thing, without dirtying up /etc/hosts.

This helps epylog logging as well, when it parses out the hostname without the domain part.


