[RFE]: Log file line pre-processing #2992
Comments
FWIW, just a few comments from my side:
{^CIDR(24)}^\s*\S+ haproxy\[\d+\]: <ADDR>:\d+ ...
I just did some preliminary tests by adding a quick and dirty
in
Hmm... No idea where your iptables rules are coming from (also the chain name is
JFYI, I tweaked my old fail2ban directly in
so now I can use (hijack) the
and finally had to tweak
to be able to pass a custom
Best would have been to add a separate jail config option instead of hijacking (the obscure)
Both of the tweaks above easily implement a simple devops requirement (monitor, count access and ban whole subnets) that is very effective in countering attacks, and I stand baffled that these options are not built in, given that fail2ban is not a new project any more.
This is not the correct approach, simply because you're banning 192.0.2.0 in banmanager (so it can also ban every other IP from this subnet), but 192.0.2.0/32 in the banning action... which can potentially cause several issues (starting from multiple banning tickets for the same subnet in banmanager queues and ending with different IDs in ticket and action). How it would be done correctly I wrote in the comment above (use new tags in failregex, so that after the rewrite it captures the subnet instead of the IP).
Why do you think so? Notice the jail config The
The rewrite is not targeted at the iptables action but exactly at the banmanager, so that the whole 192.0.2.x/24 subnet is reduced to a single 192.0.2.0 address in banmanager and failures from all IPs from that subnet count towards a single ban limit. This on the one hand prevents getting multiple bans for 192.0.2.0/24 in iptables and on the other counts failures more correctly when the DDoS comes from consecutive IPs in possession of the attackers.

Edit: I'm really glad to deliver feedback from the field to the project developers. My case above is a real-life example of what is actually a badly needed feature from fail2ban for actual devops, namely 1. count whole subnets as one entry in banmanager and 2. ban whole subnets in iptables -- as simple as that :-))
Because I know how it works :) Your ticket ID is
Nothing is reduced.... you just used
Again, in banmanager it is not a subnet, but a single IP only (with all related issues).
I'm configuring this on
Btw, I'm not "implementing" anything here or this would have been a PR, not an RFE. I'm just sharing experience with everyone who happens to be in my position and would have to implement similar tweaks for one reason or another. Whether the devs would consider adding log file preprocessing (about 5-10 LOC total) is up to you to decide, but I happen to notice it's currently missing and would come in handy for solving that large class of problems -- the so-called unknown unknowns, the kind of problems you might never have seen in production yet.
Sure, as for 0.9.
10x, I'll have to research these then.
@sebres Hi!
I was wondering if your branch with regex options got merged. Can
Sorry, but not yet (#3007) - unfortunately I persistently have no time to finish that. Alternatively I could try to rebase #1161 (at least the part with the subnet mask (default CIDR of the jail)).
Feature request type
Ability to pre-process input log file before hitting filters classes with a simple find and replace regex.
Description
The idea is, for instance, for this log line
to be able to get converted to this line
with a simple
(\d+\.\d+\.\d+)\.\d+ -> $1.0/24
regex, so that <HOST> in failregex can match 194.61.55.0/24 instead of the original single IP 194.61.55.218, and so count failures and later ban the whole subnet.

Considered alternatives
Chaining an external tool to do the pre-processing but I'm not sure how to do this.
Any additional information
If this is already possible it is not obvious to me reading the docs and sources.
I'm aware how to tweak iptables actions to add
/24
cidr, but in this case fail2ban keeps account of individual IPs in the jail, so each IP address x.y.z.1 and x.y.z.2 gets a separate fail count instead of a combined one, which allows evading detection when scanning/DDoS'ing from compromised subnets.