Fail2ban Integration via syslog #6
Comments
Hi Gary, Thanks for this idea and taking the time to read everything. How did you find out about SentryPeer? I have actually mentioned this in the README:
Also, there is a transport_type which is currently UDP, but TCP and TLS coming. Yesterday I added a Make sense? Gavin.
Everything? Not even close.
It stuck in my mind (and browser bar) for a week before I installed it. I think I saw it mentioned on the NANOG email list. NANOG usually has good ideas.
Yes, but not near the top.
Yes, but not responsive to my issue. :-) Looking at your code, I think I can submit some small patches to make this happen now. Attached is part 1 of 2 to add syslog()ing. You may want a getopt() to toggle syslog() on and off.
Ignore that. vsyslog() should be syslog(). GitHub fighting me about uploading the fix...
Part 2 of 2. That is all fail2ban needs. But I'm guessing this needs a getopt().
Small change to diff2.txt. The message has \n in it, so: I'll let the logs build up a bit, then write a fail2ban rule.
Thanks for all this @garyemiller I think I'll add this feature if that's OK as I need to update the docs, readme, man pages and tests etc. If you are using just syslog, would you need the data saved in sqlite at all? I was thinking:
Hi Gary,
I don't think we should log parsing command line options to syslog.
Thanks.
Hi Gary,
Do we want to log a complete SIP message to syslog?
Thanks.
Hi Gary,
Where are we closing syslog?
Have you ever done a Pull Request before on GitHub?
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request
I'd be tempted to do something like this:
https://github.com/owntracks/recorder/blob/fd3f4631f16da09706eb1cde84a65322a24c31cb/util.c#L282
and add some tests etc. I'm also going to look at switching to getopt_long
so we can toggle all these features with better options.
Thanks.
Yeah, a simple upgrade is never simple.
Maybe, maybe not. I have not looked at the sqlite part yet. So smart to make them options and let the users decide.
Not parsing, failure to parse. Some expect all errors to go into the logs. And it makes it easier for you to debug for others: just ask for the entire log. Complication is that the error may be before the user enables logging, if he enables logging. But, your code, your choice.
I did not add that. As the man page says: "The use of closelog() is optional." Can't hurt.
That one is hard. syslog messages are one line, but SIP messages have \n in them. You would have to strip the \n, or change it to "\n" to fit on one line. fail2ban just needs the date (added by syslog), the offending IP, and maybe a snippet of what is being logged.
Nope. I looked at the doc and it looks way more complicated than on GitLab. And GitLab merges mess up a lot. So I prefer just sending git diffs.
I'm a fan of getopt_long(), but it is not portable. They are GNU only. So you need to test for it, and fall back to getopt() if the local libc is not GNU.
:-)
Agreed. I could see this running just in that type of agent/probe mode, also when I add other transport types.
True. Also if this is running in systemd or some other way where cli args are passed other ways or via ENV.
syslog() works without openlog() too. I'll read up on that.
Yeah, I'll leave it out until someone asks for it.
:-)
I'm searching to see where it's not portable to and I wonder if that's a use case we need to worry about. Lastly @garyemiller Thank you very much again for sharing your thoughts, ideas and trying SentryPeer out.
Yes, but then you are stuck with defaults.
That will not take long. Then you'll know their use case.
There are a lot of POSIX compatible systems that are not GNU. Now your code would work fine on *BSD, OS X, OpenWRT, maybe even WSL. They do not use glibc (GNU libc). Smaller systems reject glibc as too big. Mandating glibc will flush them out for you. The experience will not be pleasant.
I'm just scratching my own itch! :-).
Ah, true.
Agreed.
I look forward to the demand!
Me too 👍
@garyemiller Could you upload a sample jail.conf etc. for sentrypeer once I add it?
Creating that file is on my TODO list for the next few days. I'm already logging hack attempts to have something to test my new rule against.
Cool. What is SentryPeer running on?
This is on my Gentoo Stable firewall. Console (ssh) only. No desktop, no X. It does have nginx, but I have not configured your web tool yet.
Awesome!
…honeypot data - Added build requirement for libmicrohttpd and jansson - Added syslog support for use with [Fail2Ban](https://www.fail2ban.org/wiki/index.php/Main_Page) as per #6
@garyemiller Please try main branch. Thanks.
Looks good. Gentoo package names differ from yours, so messages like this do me little good:
Gentoo calls those: net-libs/libmicrohttpd, dev-libs/jansson Package names change fast, and vary from distro to distro. Hard to keep up. Compiled and running fine. I'm getting messages like this:
Might be nice to log those for fail2ban as well. Now I need some hackers to generate some more logs for me. I might have used a slightly different coding style. Instead of:
This:
Fewer function calls. Note GitHub messes up the indents... And instead of this:
This:
The messages can not get out of sync that way
I'm testing this now: filter.d/sentrypeer.conf:
And in my jail.conf:
As root, this is a simple way to check your failregex can find sentrypeer in the log file:
Still testing, so there may be more tweaks.
Thanks. I'll await your testing feedback.
That's all the latest changes pushed. SIP that has failed to parse has just the source IP logged via syslog too. Let me know how you get on. I've had to make some changes to autotools to find libmicrohttpd on the GitHub Action ubuntu-latest runners as I've installed it via Homebrew as it's too old via apt. I think I'll revert them actually as they don't seem right. Thanks.
Hi Gary, How's your jail conf testing going? I've added a few things too: https://github.com/SentryPeer/SentryPeer/blob/main/CHANGELOG.md#unreleased Thanks.
Not well. "fail2ban-regex " was working, but when I try against the conf file, "fail2ban-regex sentrypeer" it does not: Also not working live. After beating my head against the wall, I got pulled onto another bug. Sleeping on it usually helps me when I hit a wall like that. Gonna be something simple and stupid.
Thanks for the update. No rush. Just wanted to check in with you. Gavin.
Morning Gary, Tried v1? Thanks.
I am new to SentryPeer, but not to honeypots, firewalls etc.
My favorite tools are netfilter and fail2ban. I would like SentryPeer to work easily with fail2ban. That should be simple. Just syslog() the attacks, let syslog add the date stamp.
A typical one line log might look like:
With that I can write a fail2ban rule, block them, and report them, automagically.