-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fail2ban.datedetector gives wrong year by date-times, that are logged within invalid time-zone #2149
Comments
Just confirmed that reconfiguring the machine back
triggered all jails and banned correctly. |
Well, this looks like pretty good example for the TZ-issue. Just see the dates, you've got in logs:
The year is not present there (date-pattern without explicit year). We've already several duplicates like this #1959, #1804 (comment) etc. Thus closed as incorrect. |
BTW. Very good possibility to check TZ-issue without debugging: $ date
Wed Jun 6 14:05:58 CEST 2018
-$ str='Jun 6 13:11:51 srv sshd[6610]: Failed password for root from 1.2.3.4 port 58593 ssh2'
+$ str='Jun 6 23:11:51 srv sshd[6610]: Failed password for root from 1.2.3.4 port 58593 ssh2'
$ fail2ban-regex -v "$str" sshd | grep 1.2.3.4
-| 1.2.3.4 Wed Jun 06 13:11:51 2018
+| 1.2.3.4 Tue Jun 06 23:11:51 2017 |
Thanks for the feedback and help! Gonna try this and integrate it to the small setup script to make sure that does not happen again. Sadly ubuntu (or even debian) defaults to the datetime without year it seems for auth.log / syslog, might as well change that as a precaution. |
You're welcome. |
Yeah, gotta put some more thoughts into it, because its roots are in the setup. I get minimal server, use ansible to correct any misconfigurations, restart services and so on, but that never leads to an actual restart so the tz problem escalates down to fail2ban. Gonna make the reboot mandatory. Just tried it again in a small vm and it worked after a reboot, and failed without one. |
Is rather a problem of rsyslog (or other logger that your services use). For example like rsyslog/rsyslog#424
I'm pretty sure it would be possibe without reboot. |
Environment:
Fail2Ban v0.10.2
[x] Fail2Ban installed via OS/distribution mechanisms
[x] You have not applied any additional foreign patches to the codebase
[x] Some customizations were done to the configuration (provide details below is so)
The issue:
Nothing gets banned.
I did a preliminary check with
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
and got the resultLines: 16964 lines, 0 ignored, 9022 matched, 7942 missed
which seemed fine for me. Still nothing got banned, did not find anyhting in DEBUG mode, so I switched to HEAVYDEBUG mode.The following entries catched my eye:
So the line got ignored because it is the wrong year I guess? The difference between the timestamps is exactly 31528800 which is a year. Not sure why the template converts "Jun 6 12:57:29" to 2017 instead of today.
The machine is configured to
Steps to reproduce
Maybe use the same timezone and set a matching log entry to the same date as given above? Only have this machine for tests sadly.
Expected behavior
Should ban.
Observed behavior
Did not ban.
Any additional information
Here is are some matching lines from my regex comparison:
I remember that the machine blocked entries while NOT being configured to UTC, it remember it working yesterday when the machine was still on Europe/Berlin, but since the
dpkg-reconfigure tzdata
to Etc/UTC it stopped working I think.Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
The text was updated successfully, but these errors were encountered: