+3
Under review

Fail2Ban

Richard 8 years ago updated by crocobc 4 years ago 9

Would someone mind to share his Fail2Ban configuration (filter.d + jail.local entry)


kind regard

Richard

Hi,


I initially asked Tom for the customization of ubooquity logs format, so as to make it easier to build Fail2ban filter...

You have to follow those instructions to adapt their format: http://vaemendis.net/ubooquity/?static11/log-format-customization


I did it in the past, it was working fine. Then my hard drive crashed, & I did not reworked on this after...

So viewing your post I wanted to re-initiate this.


Unfortunately the ubooquity does not seem to take into account the customized format anymore.


Tom,


With latest ubooquity version, log-config.xml adapted as specified in your above page, and modifying my init script as below, logs format remains unchanged, as if the command line was not being considered:


nohup java -Dlogback.configurationFile=/etc/ubooquity/log-config.xml -jar /etc/ubooquity/Ubooquity.jar $MEM_OPT -port $UBOOQUITY_PORT $ADMIN_MODE $GUI_STATE /etc/ubooquity/ 2>&1 &


Could you please advise if the command line is still valid? Has-it changed? Is the feature still supported by ubooquity?


Thanks


boah... I just found a mitigation: despite the absolute path, it works if I put the log-config.xml in my execdir (i.e. from where the jar is launched, not where the jar is stored).


Tom, is-it expected??

Under review

No, it's not expected (at least if I understood correctly the Logback documentation).

But I retested the whole procedure and got the same behavior that you had.


So I don't know exactly why the file needs to be in the working directory, but I'll update the Ubooquity documentation accordingly.

Thanks for the info.


By the way, the doc has been put on Github, so the new link to the procedure is:

https://vaemendis.github.io/ubooquity-doc/pages/tutorials/log-customization.html



Hi Matthieu,

Thanks for your replay - I changed the log-format according to the post mentioned, would you like to share your fail2ban filter and jail enty?


kind regards

richard

+1

Hi Richard,


As I said, I lost them. I have to rebuild them. May be next week-end if I find the time...


Cheers

Mat

This would probably be worth making sticky once resolved. Basically everyone should use this or something like this.

I just created filter for fail2ban. If someone is interested, but it's still not working. No idea why.

\d{8}\s\d{2}:\d{2}:\d{2}\s\[(.*?)\]\s\I(.*?)w\D{2}\s\bAccess denied\b.\s\[(.*?)]\D{4}<HOST>\D{1}

Ok, 
I changed xml template to log date stamp in different time format. Right now logs looks like:

[Pn maj 20 08:38:35 2019] [INFO ][qtp31646855-32] com.ubooquity.d.c - User unknown. Access denied. [login:sdf][ip:192.168.0.199]

My regex is : 

^\[(.*?)\]\s\[(.*?)\]\[(.*?)\]\D{35}\bAccess denied\b\D{17}<HOST>\D{1}

but it's not working. Any idea why ?
dietpi@DietPi:~$ fail2ban-regex error.log /etc/fail2ban/filter.d/ubouquity.conf

Running tests
=============

Use failregex filter file : ubouquity, basedir: /etc/fail2ban
Use log file : error.log
Use encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
| ^\[(.*?)\]\s\[(.*?)\]\[(.*?)\]\D{35}\bAccess denied\b\D{17}<HOST>\D{1}
`-

+3

Hi there,

Sorry to dig up this thread after 2 years but maybe usefull for others :)

5min default configuration (can certainly be better but it's working...)

jail.d/ubooquity.conf

[ubooquity]
enabled=true
port=2202
logpath = /opt/Ubooquity/logs/ubooquity.log
filter = ubooquity
banaction=iptables-allports

filter.d/ubooquity.conf

[Definition]

failregex = ^.* - User unknown. Access denied. .*:<HOST>.*$
datepattern = %%Y%%m%%d %%H:%%M:%%S

Thanks for Ubooquity it's kind of awesome !

Regards