fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

Wish: fail2ban-regex with --print-all-matched-and-action #2036

Open ghost opened 6 years ago

ghost commented 6 years ago

This may be a dumb requirement (I don't yet know if there is an alternative way to fulfill it). But if fail2ban-regex could supply a function to output the possible action to take, that could be quite helpful for understanding the final outcome of the complicated Python string interpolation of fail2ban tags...

sebres commented 6 years ago

Is it something like:

fail2ban-regex --out-action 'my-action[prm1="val1",...]' $log $filter

Or:

fail2ban-regex --out-tags $log $filter

Could you provide an example, just for better understanding, of what you mean by "supply a function"? E.g. something like the command line you wish for.

ghost commented 6 years ago

Yes... your suggestion is quite insightful. For me, simple tags which are predefined in action.d would be okay. (Specifying a tag or composite action on the shell command line could be quite uncertain since it is bash-ish syntax; we need POSIX-like stuff, e.g. "xyz", $'\n', blah blah.)

Correct me if I am wrong here!

fail2ban-regex --out-action $log $filter $action_conf_file

sebres commented 6 years ago

Although it would be relatively easy to implement for some script-actions (but there is no way for pythonic actions), some tags depend on the init-arguments specified in jail.conf resp. distribution-related config files, etc. The problem thereby: fail2ban-regex should consider all this (in exactly the same manner as fail2ban-server, but it is not the server).

we need POSIX-like stuffs

The problem here: you'd then see the pre-substituted scripts only (with interpolated tags), but they are not executed in a shell (because otherwise some complex scripts may cause a ban or send mail, etc.). Thus potentially wrong shell syntax (like bashisms, invalid command syntax, etc.) will still not be recognized.

fail2ban-regex --out-action $log $filter $action_conf_file

Exactly this syntax will be impossible, because it conflicts with the 3rd optional argument, which is currently the ignore-pattern (it could work as in my example above).
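To make the "pre-substituted but never executed" point concrete, here is an added dry-run tag resolver written for this thread; it is not fail2ban's own code and not a feature the thread says exists. The `<tag>` syntax, the recursive expansion and the iptables-style tag names are modelled on fail2ban conventions, but the values are constructed, and the only shell check it performs is the unbalanced-quote detection `shlex` provides.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# fail2ban writes tags as <name>; this pattern is a simplification of that syntax.
TAG_RE = re.compile(r"<([A-Za-z0-9_.-]+)>")

def render_action(template: str, tags: Dict[str, str], max_depth: int = 10) -> Tuple[str, List[str]]:
    """Recursively substitute <tag> references (a value may itself contain tags);
    return the rendered text and the sorted unknown tags. Display only, never executed."""
    unresolved = set()
    text = template
    def repl(m):
        name = m.group(1)
        if name in tags:
            return tags[name]
        unresolved.add(name)
        return m.group(0)  # keep unknown tags visible in the output
    for _ in range(max_depth):
        new_text = TAG_RE.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    else:
        raise ValueError("tag substitution did not converge (cyclic tag definitions?)")
    return text, sorted(unresolved)

def shell_quoting_error(command: str) -> Optional[str]:
    """shlex only catches unbalanced quotes; it does not validate the command or spot bashisms."""
    try:
        shlex.split(command)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed values modelled on the tags an iptables-style action uses.
ACTION_BAN = "<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>"
TAGS = {
    "iptables": "iptables <lockingopt>",  # one tag expanding into another
    "lockingopt": "-w",
    "name": "sshd",                        # would come from the jail
    "ip": "87.142.124.10",                 # would come from the matched log line
    "blocktype": "REJECT",
}

if __name__ == "__main__":
    cmd, missing = render_action(ACTION_BAN, TAGS)
    print(cmd)
    print("unresolved tags:", missing, "| quoting error:", shell_quoting_error(cmd))
```

A tag left as `<sender>` in the output shows a value that fail2ban-server would only know from jail or action init arguments, which is exactly why the rendered text cannot prove the script is correct.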

ghost commented 6 years ago

I see... those run-time-dependent (or Python-script-dependent) tags cannot be decided/finalized at fail2ban-regex time without truly executing code. In that case, we make the requirement simpler: as per your suggestion, we specify the action (or tag) via shell command parameters, and/or dump the tags mentioned in the filter config file, which is supplied via the shell command as well.

Again, correct me if I am thinking wrong.

sebres commented 4 years ago

The latest version (since d1b7e2b5fb2b389d04845369d7d29db65425dcf2) partially implements this RFE, so fail2ban-regex is able to dump the tags matched from the log/journal.

Examples:

$ fail2ban-regex -r -o row './fail2ban/tests/files/testcase01.log' sshd
[u'failed.dns.ch',      1577789999.0,   {'dns': u'failed.dns.ch', 'users': set([u'kevin']), 'ip6': None, 'user': u'kevin', 'ip4': None, 'mlfid': u' [sshd] '}],
...
['87.142.124.10',       1577789999.0,   {'dns': None, 'users': set([u'kevin']), 'ip6': None, 'user': u'kevin', 'ip4': u'87.142.124.10', 'mlfid': u' [sshd] '}],

$ fail2ban-regex -r -o id './fail2ban/tests/files/testcase01.log' sshd | uniq -c
      3 failed.dns.ch
      3 193.168.0.128
      4 87.142.124.10

$ fail2ban-regex -r -o user './fail2ban/tests/files/testcase01.log' sshd | uniq
kevin

These facilities will be released with 0.10.5 (and 0.11).

sebres commented 2 years ago

https://github.com/fail2ban/fail2ban/issues/2909#issuecomment-1039267423 illustrates some PoC extending fail2ban-regex with a command option.