Score:0

Use value of <F-USER> from fail2ban regex


I am trying to send an e-mail to me and to the user that someone tried to log in to their SSH and failed, and the IP got banned. But I don't understand how I can use the <F-USER> variable in the e-mail I am trying to send.

Sendmail is set up correctly as the e-mails are being sent without problem.

Here is my jail.local config:

[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action  = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines-ssh[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

And here is my action.d/sendmail-whois-lines-ssh.conf:

[INCLUDES]

before = sendmail-common.conf
         helpers-common.conf

[Definition]

norestored = 1
actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>, <F-USER>@mydomain.cz\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n\n
            Lines containing failures of <ip>\n";
            %(_grep_logs)s;
            printf %%b "\n
            Regards,\n
            Fail2Ban" ) | /usr/sbin/sendmail -f <sender>.mydomain.cz <dest> <F-USER>@mydomain.cz

[Init]
name = default
logpath = /dev/null

The e-mail sent to me is fine, because <dest> is taken correctly from the configuration, but <F-USER> has no value, so it is being sent to @mydomain.cz.

How can I get the value so I am able to send the e-mail to the user?

EDIT: The regex getting hit on SSH is this one:

^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
That does not matter in this context; actually the <F-USER> is empty, so the e-mail is not being sent either way.
Score:1

I am trying to send e-mail to me and user that someone tried to login to their ssh and failed

I have a few doubts related to this approach, for instance a certain "vulnerability" possibly introduced thereby: the RE <F-USER>\S*</F-USER> would match anything up to the first space, so for example if the matched "username" is [email protected],test your mail will also be sent to [email protected], which may not be a user of your domain. I could also imagine other scenarios, since you're trying to use foreign input (from the log) in the mail action, so better ensure this is not affected by some injection possibility (also note GHSA-m985-3f3v-cwmm for example).

The regex getting hit on SSH is this one ...

The failregex must also contain <F-USER>...</F-USER> in order to capture the value that will be stored as the user name, and it must match something.

Here is an example of how it looks in the current version (note it is not a failure RE due to the <F-NOFAIL> tag; it's just a helper to find the IP for messages without an IP, see issues/3189#issuecomment-999571654 for details).

Thereby <F-ALT_USER> is an alternative user name and will be stored in the F-USER captured group of the ticket if the <F-USER>...</F-USER> part matches an empty value.

Maybe (like in issues/3189 above) you also have the wrong backend, so switching to systemd would help you match it using another sshd regex.

Related to your regexp, it can be changed like this (back-ported from the current sshd filter):

- ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
+ ^pam_unix\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$

But this is rather a RE of the pam-generic filter/jail, as already said in issues/3189, so it's not quite correct to use it for the sshd jail (normally you'd see different messages in the journal or auth.log).

Anyway, to investigate deeper one needs the message example (or better the log excerpt with all messages of the sshd session that caused the ban).
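An added example (not from this answer or from fail2ban itself) that runs the question's original regex and the back-ported one above against constructed pam_unix lines, applies the F-USER/F-ALT_USER fallback described earlier, and validates the captured name before it is used as a mail recipient. The <HOST> group and the %(__suff)s suffix are reduced to assumed simplifications.

```python
import re

# Assumptions (not from the original post): <HOST> becomes a plain \S+ group and
# fail2ban's %(__suff)s suffix is reduced to optional trailing whitespace.
HOST_GROUP = r"(?P<HOST>\S+)"
SUFF = r"\s*"
TAG_RE = re.compile(r"<F-([A-Z_]+)>(.*?)</F-\1>")

def to_python_regex(failregex: str) -> re.Pattern:
    """Translate fail2ban tag syntax (<F-NAME>...</F-NAME>, <HOST>) into Python named groups."""
    pattern = TAG_RE.sub(lambda m: f"(?P<{m.group(1)}>{m.group(2)})", failregex)
    return re.compile(pattern.replace("<HOST>", HOST_GROUP).replace("%(__suff)s", SUFF))

# The two regexes from the thread: the question's original and the answer's back-ported variant.
OLD = to_python_regex(r"^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*"
                      r"\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$")
NEW = to_python_regex(r"^pam_unix\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}"
                      r"\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$")

def extract_user(regex: re.Pattern, line: str):
    """Mimic the ticket value: F-USER, falling back to F-ALT_USER when F-USER is empty; None if no match."""
    m = regex.search(line)
    if not m:
        return None
    g = m.groupdict()
    return g.get("USER") or g.get("ALT_USER") or ""

# Log-derived input must be validated before it reaches a mail command: accept only a plain
# local user name, so '@', ',' or shell metacharacters can never become extra recipients.
SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def mail_recipient(user, domain="mydomain.cz"):
    """Return user@domain for a safe local name, None for empty or suspicious values."""
    return f"{user}@{domain}" if user and SAFE_USER.match(user) else None

# Constructed sample lines (message part only, as fail2ban sees them after the syslog prefix):
# first an empty ruser= with the name in the trailing user= field, then a hostile "username".
SAMPLES = [
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=alice",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=x@evil.example,test rhost=203.0.113.5  user=root",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for label, rx in (("old", OLD), ("new", NEW)):
            user = extract_user(rx, line)
            print(f"{label}: F-USER={user!r} -> recipient {mail_recipient(user)}")
```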

Thank you very much for your exhaustive answer!
