Setting a custom date pattern #1278

Closed
Noexpert opened this issue Dec 21, 2015 · 1 comment

Comments

@Noexpert

Hi,

I'm trying to stop a stream of DNS DDoS attacks.

Firstly, I added a time and date to my BIND log.
So in /etc/named.conf, I added print-time yes;

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
            print-time yes;
    };
};

In /var/named/data/named.run, this adds 21-Dec-2015 21:35:22.843 in front of entries, such as client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied

Now, I've added the following to my /etc/fail2ban/jail.local:

[named-refused-udp]
enabled   = true
port      = domain,953
protocol  = udp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath  = /var/named/data/named.run
datepattern = %d-%b-%Y %H:%M:%S.%N

[named-refused-tcp]
enabled   = true
port      = domain,953
protocol  = tcp
filter    = named-refused
action    = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath  = /var/named/data/named.run
datepattern = %d-%b-%Y %H:%M:%S.%N

However, I think my datepattern format is wrong, because in /var/log/logwatch.log I can see:

2015-12-21 22:09:41,417 fail2ban.filter         [22545]: WARNING Found a match for u"client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied" but no valid date/time found for u"client 82.118.233.142#4444: query (cache) 'cpsc.gov/ANY/IN' denied". Please try setting a custom date pattern (see man page jail.conf(5)). If format is complex, please file a detailed issue on https://github.com/fail2ban/fail2ban/issues in order to get support for this format.

and

2015-12-21 22:09:41,425 fail2ban.filter         [22545]: ERROR   findFailure failed to parse timeText: 21-Dec-2015 20:21:11.437 z

Can someone please help?

Thanks

@sebres
Contributor

sebres commented Dec 22, 2015

Your fail2ban version?

Because this format should be a standard format (at least since v.0.9), just remove (or comment out with #) the lines with datepattern.

If I understood the output of fail2ban-regex for your date format correctly, this one will be used in v.0.9 (see the whole output below):

datepattern = %d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?

Or a little bit simplified, for exactly what you have:

datepattern = %d-%b-%Y %H:%M:%S.%f

You can test your own format at any time using:

fail2ban-regex -d "%d-%b-%Y %H:%M:%S.%f" <LOG> <FILTER>

Example with v.0.9.3 and the standard date formats:

$ fail2ban-regex "21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (example.com): query (cache) 'example.com/A/IN' denied" ./config/filter.d/named-refused.conf
/usr/bin/python | (2, 7, '2.7.6 (default, Jun 22 2015, 17:58:13) \n[GCC 4.8.2]')

Running tests
=============

Use   failregex filter file : named-refused, basedir: ./config
Use      single line : 21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (exa...


Results
=======

Failregex: 1 total
...
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
$ fail2ban-regex -d "%d-%b-%Y %H:%M:%S.%f" "21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (example.com): query (cache) 'example.com/A/IN' denied" ./config/filter.d/named-refused.conf
/usr/bin/python | (2, 7, '2.7.6 (default, Jun 22 2015, 17:58:13) \n[GCC 4.8.2]')

Running tests
=============

Use      datepattern : Day-MON-Year 24hour:Minute:Second.Microseconds
Use   failregex filter file : named-refused, basedir: ./config
Use      single line : 21-Dec-2015 21:35:22.843 client 1.2.3.4#40278 (exa...


Results
=======

Failregex: 1 total
...
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day-MON-Year 24hour:Minute:Second.Microseconds
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
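An added illustration, not part of this thread or of fail2ban's own code, of why the `%N` pattern from the question fails while sebres's `%f` works: it uses Python's strptime as a stand-in for fail2ban's date template, runs over constructed BIND log lines, and counts refused queries per client the way a jail tallies failures before banning. The `FAILREGEX` below is a simplified approximation of the named-refused filter, an assumption, not fail2ban's actual filter.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape BIND writes with "print-time yes";
# the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
21-Dec-2015 21:35:22.843 client 192.0.2.10#4444: query (cache) 'cpsc.gov/ANY/IN' denied
21-Dec-2015 21:35:23.001 client 192.0.2.10#4444: query (cache) 'cpsc.gov/ANY/IN' denied
21-Dec-2015 21:35:25.500 client 198.51.100.7#53000 (example.net): query (cache) 'example.net/ANY/IN' denied
21-Dec-2015 21:35:26.120 client 198.51.100.7#53000: query: example.net IN A +
"""

# Timestamp prefix written by BIND, e.g. "21-Dec-2015 21:35:22.843".
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<rest>.*)$")
# Simplified stand-in for fail2ban's named-refused failregex (hypothetical).
FAILREGEX = re.compile(
    r"client (?P<host>[\d.]+)#\d+(?: \([^)]*\))?: query(?: \(cache\))? '[^']+' denied")

def parse_line(line, datepattern):
    """Return (datetime, host) for a refused query, None for other lines.
    Raises ValueError if datepattern is not a valid strptime format (e.g. %N)."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), datepattern)  # %f takes 1-6 digits
    f = FAILREGEX.search(m.group("rest"))
    if not f:
        return None
    return ts, f.group("host")

def count_failures(log, datepattern):
    """Count refused queries per client host, as a jail would before banning."""
    counts = {}
    for line in log.splitlines():
        parsed = parse_line(line, datepattern)
        if parsed is None:
            continue
        _, host = parsed
        counts[host] = counts.get(host, 0) + 1
    return counts

def pattern_is_valid(datepattern):
    """True if the pattern parses a BIND timestamp; %N is rejected, %f accepted."""
    try:
        datetime.strptime("21-Dec-2015 21:35:22.843", datepattern)
        return True
    except ValueError:
        return False
```
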

@sebres sebres closed this as completed Dec 22, 2015