Hi Willi,

Sorry for the delay... work work work ;-)

Please get a fresh version
http://www.onerussian.com/Linux/fail2ban/logwatch/fail2ban.logwatch.7x.debian.20060508-1.tgz

I adjusted the parsing script to take care of those cases. Now, with the default
detail level (5), those lines are summarized into:

 --------------------- fail2ban-messages Begin ------------------------ 

 Banned services with Fail2Ban:                          Bans:Unbans
    Exim4:                                                  [  0:1  ]
       60.50.161.218                                           0:1  
    SSH:                                                    [  1:1  ]
       192.168.22.27                                           1:1  
 
 13 faulty iptables invocation(s)
 1 fail2ban rules reinitialization(s) 
 ---------------------- fail2ban-messages End ------------------------- 

On high detail level (>5) we get more information:

 --------------------- fail2ban-messages Begin ------------------------ 

 Banned services with Fail2Ban:                          Bans:Unbans
    Exim4:                                                  [  0:1  ]
       60.50.161.218                                           0:1  
    SSH:                                                    [  1:1  ]
       192.168.22.27                                           1:1  
           Failed  5 7 times
           1 Duplicate Ban attempts
           1 ReBans due to rules reinitilizations
 
 13 faulty iptables invocation(s):
 2006-05-08 14:22:58,554 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' 
returned 256
 2006-05-08 14:22:58,555 ERROR: Execution of command 'iptables -L INPUT | grep 
-q fail2ban-SSH' failed
 2006-05-08 14:22:58,683 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-ApacheAttacks
 2006-05-08 14:22:58,731 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-ApacheAttacks
 2006-05-08 14:22:58,778 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-ApacheAttacks
 2006-05-08 14:22:58,824 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-ApacheAttacks
 2006-05-08 14:22:58,918 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-Apache
 2006-05-08 14:22:58,965 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-Apache
 2006-05-08 14:22:59,011 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-Apache
 2006-05-08 14:22:59,059 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-Apache
 2006-05-08 14:22:59,107 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-Apache
 2006-05-08 14:22:59,247 ERROR: 'iptables -D INPUT -p tcp --dport http -j 
fail2ban-ApacheAttacksGB
 2006-05-08 14:22:59,280 ERROR: 'iptables -D fail2ban-SSH -s '192.168.22.27' -j 
DROP' returned 256
 2006-05-08 14:22:59,326 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j 
fail2ban-SSH
 
 1 fail2ban rules reinitialization(s) 
 ---------------------- fail2ban-messages End ------------------------- 

I hope this will be better ;-)

Thank you in advance

On Tue, 02 May 2006, Willi Mann wrote:

> Yaroslav Halchenko wrote:
> >Hi Willi,
> >Sorry for a slight delay. I reshaped the files a bit (corrected
> >attributions and added licensing statement in both scripts, left config
> >files without explicit licensing statements)
> >I hope they are ok now

> Yes, thanks. Available from

> deb http://pkg-logwatch.alioth.debian.org/apt sid main

> or 
> http://pkg-logwatch.alioth.debian.org/apt/pool/main/l/logwatch/logwatch_7.3-0test2.2_all.deb

> There are some unmatched entries, which should be ignored or reported:

>      5 ERROR: Execution of command 'iptables -L INPUT | grep -q fail2ban-SSH' 
> failed
>       5 ERROR: 'iptables -D fail2ban-SSH -s 'a.b.c.d' -j DROP' returned 256
>       5 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
>       5 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
>       5 ERROR: SSH: a.b.c.d already in ban list
>       4 WARNING: #1 reinitialization of firewalls
>       1 WARNING: #2 reinitialization of firewalls
>       5 WARNING:  is not a valid IP address
>       5 WARNING: SSH: ReBan a.b.c.d
> (the first number is the number of occurrences when I used range all on one 
> machine.)

> Can you add the code to handle them? I'm not sure which to ignore and which to 
> handle.

> Willi


-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
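As an added example (my own code, not the parsing script from the tarball above), here is a small Python classifier for the unmatched fail2ban ERROR/WARNING messages Willi listed, run over constructed sample lines of the same shape; the bucket names and the summarize() function are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the shape of the fail2ban messages quoted in this
# thread (timestamps/IPs made up), plus one line the rules do not know about.
SAMPLE_LOG = """\
2006-05-08 14:22:58,554 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2006-05-08 14:22:58,555 ERROR: Execution of command 'iptables -L INPUT | grep -q fail2ban-SSH' failed
2006-05-08 14:22:59,326 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
2006-05-08 14:23:00,001 ERROR: SSH: 192.168.22.27 already in ban list
2006-05-08 14:23:00,002 WARNING: #1 reinitialization of firewalls
2006-05-08 14:23:00,003 WARNING:  is not a valid IP address
2006-05-08 14:23:00,004 WARNING: SSH: ReBan 192.168.22.27
2006-05-08 14:23:00,005 WARNING: Exim4: ReBan 60.50.161.218
2006-05-08 14:23:00,006 INFO: Exim4: something this classifier does not know
"""

# "YYYY-MM-DD HH:MM:SS,mmm LEVEL: msg"; msg may start with a space (empty IP case).
PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ([A-Z]+): (.*)$")
# Bucket names are this example's own; they map onto the mail's summary lines
# (faulty iptables invocation(s), rules reinitialization(s), per-service detail).
RULES = [
    ("faulty_iptables", re.compile(r"^(Execution of command )?'iptables ")),
    ("duplicate_ban", re.compile(r"^(?P<svc>\S+): (?P<ip>\S+) already in ban list$")),
    ("reban", re.compile(r"^(?P<svc>\S+): ReBan (?P<ip>\S+)$")),
    ("reinit", re.compile(r"^#\d+ reinitialization of firewalls$")),
    ("invalid_ip", re.compile(r"is not a valid IP address$")),
]

def summarize(text):
    """Return totals per class, per-service/IP detail, and lines no rule matched."""
    totals = Counter()
    per_service = defaultdict(Counter)  # per_service[svc][(class, ip)]
    unmatched = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a fail2ban log line at all
        msg = m.group(2)
        for kind, rx in RULES:
            hit = rx.search(msg)
            if hit:
                totals[kind] += 1
                if "svc" in hit.groupdict():
                    per_service[hit.group("svc")][(kind, hit.group("ip"))] += 1
                break
        else:
            unmatched.append(line)  # reported, never silently dropped
    return {"totals": totals, "per_service": dict(per_service), "unmatched": unmatched}
```

Whatever ends up in "unmatched" is exactly what logwatch would otherwise show as an unmatched entry, so new fail2ban message formats surface instead of vanishing from the report.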
