Package: fail2ban
Version: 0.8.4-3
Severity: normal

fail2ban fails to monitor some files to find bad logins.
It was unable to find bad squirrelmail login attempts in /var/log/mail.log, but
just changing the jail logpath option from /var/log/mail.log to /var/log/syslog
makes it work.

Access rights for both files are identical:
www:~# ls -l /var/log/syslog /var/log/mail.log
-rw-r----- 1 root adm   20691 oct 24 13:04 /var/log/mail.log
-rw-r----- 1 root adm 4039078 oct 24 13:08 /var/log/syslog

and fail2ban seems to understand both names:
www:~# tail -n 1000  /var/log/fail2ban.log | grep logfile  
2011-10-24 12:07:52,471 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-10-24 12:07:52,728 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-10-24 12:41:11,795 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-10-24 12:41:12,042 fail2ban.filter : INFO   Added logfile = /var/log/syslog
2011-10-24 12:50:16,020 fail2ban.filter : INFO   Added logfile = /var/log/auth.log

Thanks,



-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-central          0.6.16+nmu1      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.8-3    administration tools for packet fi
ii  whois                         5.0.10     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20100314cvs-1 simple mail user agent
pn  python-gamin       <none>                (no description available)

-- Configuration Files:
/etc/fail2ban.conf changed:
[DEFAULT]
background = true
verbose = 1
debug = false
logtargets = /var/log/fail2ban.log
syslog-target = /dev/log
syslog-facility = 1
pidlock = /var/run/fail2ban.pid
maxfailures = 5
bantime = 600
findtime = 600
ignoreip = 
cmdstart = 
cmdend = 
polltime = 1
reinittime = 10
maxreinits = 1000
protocol = tcp
fwchain = INPUT
fwstart = iptables -N fail2ban-%(__name__)s
          iptables -A fail2ban-%(__name__)s -j RETURN
          iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
        iptables -F fail2ban-%(__name__)s
        iptables -X fail2ban-%(__name__)s
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
[MAIL]
enabled = true
host = localhost
port = 25
user = 
password = 
from = fail2ban@www
to = root@localhost
localtime = true
subject = [Fail2Ban] <section>: Banned <ip>
message = Hi,<br>
          The IP <ip> has just been banned by Fail2Ban after
          <failures> attempts against <section>.<br>
          Regards,<br>
          Fail2Ban
[SASL]
enabled = false
port = smtp
logfile = /var/log/mail.log
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : warning: [-._\w]+\[(?P<host>[.\d]+)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
[Apache]
enabled = false
logfile = /var/log/apache/error.log
port = http
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
[ApacheAttacks]
enabled = false
logfile = /var/log/apache/access.log
port = http
maxfailures = 2
timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_REQUEST\[option\].*)\|echo.*
[VSFTPD]
enabled = false
logfile = /var/log/vsftpd.log
port = ftp
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
[PROFTPD]
enabled = false
logfile = /var/log/proftpd/proftpd.log
port = ftp
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$
[SSH]
enabled = true
logfile = /var/log/auth.log
port = ssh
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)


-- no debconf information
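Added example, not part of the bug report and not fail2ban's own code: a small script that does what a fail2ban jail does for one log file (match the timestamp with timeregex, then search the line with failregex and pull out the `host` group) and reports how many lines in each candidate file actually match. Run against the real files, this separates "the regex is wrong" from "the lines are not in the file this jail watches", which is the distinction the report turns on. The report contains no squirrelmail regex, so the SASL timeregex/failregex from the posted /etc/fail2ban.conf are used instead; the two log samples and the 203.0.113.7 address are constructed here for the demonstration.

```python
import re

# timeregex and failregex copied from the [SASL] section of the posted
# /etc/fail2ban.conf ("%%" in timepattern is ini escaping and is not needed here).
TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
FAILREGEX = (r": warning: [-._\w]+\[(?P<host>[.\d]+)\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")

# Constructed sample contents for the two candidate log files (not real logs).
# Only the syslog sample carries the failure lines, so a jail pointed at
# mail.log bans nothing even though the regex itself is fine and both files
# are readable.
SAMPLE_MAIL_LOG = """\
Oct 24 13:04:01 www postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Oct 24 13:04:02 www postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
"""
SAMPLE_SYSLOG = """\
Oct 24 13:04:01 www postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Oct 24 13:04:05 www postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
Oct 24 13:04:09 www postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed
Oct 24 13:05:00 www CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)
"""


def scan(text, timeregex=TIMEREGEX, failregex=FAILREGEX):
    """Return [(timestamp, host), ...] for every line that matches failregex.

    Mirrors the per-line check of a fail2ban filter: the line must start with
    a timestamp that timeregex recognises (lines without one are skipped, as
    fail2ban skips undatable lines), and failregex must then match somewhere
    in the line.
    """
    time_re = re.compile(timeregex)
    fail_re = re.compile(failregex)
    hits = []
    for line in text.splitlines():
        tm = time_re.match(line)
        if not tm:
            continue
        fm = fail_re.search(line)
        if fm:
            hits.append((tm.group(0), fm.group("host")))
    return hits


def scan_file(path, **kw):
    """scan() over a real file; needs read access (root or group adm for the
    0640 root:adm files shown in the report)."""
    with open(path) as fh:
        return scan(fh.read(), **kw)


def report(samples):
    """Map each candidate log name to its failregex match count. The file whose
    count is zero is the wrong logpath for the jail, whatever its permissions."""
    return {name: len(scan(text)) for name, text in samples.items()}


if __name__ == "__main__":
    counts = report({"/var/log/mail.log": SAMPLE_MAIL_LOG,
                     "/var/log/syslog": SAMPLE_SYSLOG})
    for name, n in counts.items():
        print("%-20s %d failregex match(es)" % (name, n))
```

To check a live jail, call `scan_file("/var/log/mail.log", failregex=...)` with that jail's own failregex; a zero count on the configured logpath and a non-zero count on a sibling file means the messages are being routed to the other file, and the jail's logpath, not its regex, is what needs changing.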


