HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


AdrianSmithUK 30th March 2009 21:36

fail2ban Logs
 
Hi

I have installed fail2ban but I'm having trouble finding the logs that relate to a failed:

1. htaccess login
2. proftp login

I read the apache httpd.conf file and found that the server logs were installed in:

/etc/httpd/logs

I read the error_log file and found that these errors relate to server level errors.

For example hackers trying to find directories such as https://server.net/admin

At the bottom of the apache httpd.conf file is the directive that points to the ISPConfig includes file:

/root/ispconfig/httpd/conf/httpd.conf

Examining this file points to error logs in:

/home/www/web[n]/logs/error.log

These logs contain errors such as failed favicon download attempts etc.

If I pointed fail2ban at any of the error logs I would ban everybody who came to one of my sites.

Is there a set of logs that record every failed password attempt - proftp, apache, ssh ... etc. - or am I going to have to set them up myself?

The only thing I have found that is close (I am on centos5.2 64bit) is:

/var/log/secure

But this only records SSH password failures.

Any help would be appreciated.

Kind Regards,

Adrian Smith

lano 30th March 2009 22:12

Take a look this tutorial http://www.howtoforge.com/fail2ban_debian_etch

AdrianSmithUK 30th March 2009 23:45

Hi Iano

Thanks for the reply.

I wish it was that simple. I have set up fail2ban and it's running nicely. However, my logs are different to the tutorial and I can't find the logs that record a failed apache login or a failed proftp login on a per website basis.

Does anybody know where ISPConfig records failed logins?

Kind Regards,

Adrian Smith

falko 31st March 2009 17:16

The error logs are located in /var/www/web1/log, /var/www/web2/log, etc.

AdrianSmithUK 31st March 2009 21:23

Thanks but I think you missed the line above.

I have checked:

/home/www/web[n]/logs/error.log

They do not detect failed htaccess/ftp login attempts.

Should they?

Kind Regards

Adrian

falko 1st April 2009 14:10

Oh, sorry, I must have overread that.

Did you check the overall Apache error log and the auth log in /var/log?

AdrianSmithUK 1st April 2009 17:29

Solution
 
Hi Falko

Many thanks for the help - and sorry - you were right:

I found the solution and I'll document it here for other members with the same problem.

To find where htaccess errors are being recorded:

1. I tried to log in to a htaccess protected directory as BillGates

2. After this I searched the whole computer for the string BillGates.

Here is a script that will find the string and pipe it into a text file called "mySearch.txt". It runs as a background job hence the (&) symbol.

Code:

# find / -type f -print0 | xargs -0 -n 64 grep BillGates /dev/null >> /home/www/web8/web/mySearch.txt &

3. To check if it has finished or not, type:

Code:

# jobs

4. I found, as Falko had said, that the htaccess errors were being recorded in:

Code:

/home/www/web[n]/logs

5. Here is a sample from the mySearch.txt log:

/home/www/web8/log/error.log:[Wed Apr 01 14:45:56 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:45:59 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:46:09 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:46:12 2009] [error] [client 90.100.39.12] user BillGates not found: /admin

To find where proftp errors are being recorded:

1. I tried to log in to an ftp account as RamboBig

2. Again I searched the whole computer for the string RamboBig and piped it into a text file called mySearch1.txt

Code:

# find / -type f -print0 | xargs -0 -n 64 grep RamboBig /dev/null >> /home/www/web8/web/mySearch1.txt &

3. Again, this is a background job, so type the following to see if it has finished or not.

Code:

# jobs

4. I found the proftp logs were filed in:

Code:

/var/log/messages
/var/log/secure

5. Here is a sample from the mySearch1.txt log

/var/log/messages:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - no such user 'RamboBig'
/var/log/messages:Apr 1 15:58:49 s13398765 proftpd[20860]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - no such user 'RamboBig'
/var/log/secure:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21
/var/log/secure:Apr 1 15:58:49 s13398765 proftpd[20860]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21

I hope this helps anybody who is treading the same path as me.

Kind Regards,

Adrian Smith

AdrianSmithUK 1st April 2009 18:46

With regard to fail2ban filters.
 
In the example above ISPConfig tags htaccess login failures as:

[error]

I've just looked in my web8/log It also tags harmless PHP faults as:

[error]

In the tutorial I notice that the tag is:

[apache-auth]

Is there a way of changing the [error] tag to show [apache-auth] in ISPConfig?

Kind Regards,

Adrian

falko 2nd April 2009 18:46

This is done by Apache, not ISPConfig. I don't think this can be easily changed. I don't know if this can be done with a simple configuration directive, or if you have to rebuild Apache or even modify the Apache sources before you rebuild.

AdrianSmithUK 7th April 2009 14:07

In case you have found this post while searching for a solution to a problem with fail2ban, here is my final post and a possible solution.

Falko was correct. After a week's worth of research I have concluded that it is difficult to customize the apache error log. You can easily customise the apache access log but unfortunately not the error log.

The good news is that I was barking up the wrong tree.

fail2ban is a log parser, and in the

Code:

/etc/fail2ban/filter.d

folder there are a number of regular expressions that you can modify to suit your logfile.

The answer to my problem was in the file:

Code:

apache-auth.conf

Good luck and I hope this helps.

Kind Regards,

Adrian Smith
London
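An added illustration of what the regular expressions in filter.d do with the two log formats found earlier in this thread (the htaccess failures in the per-site error.log and the proftpd failures in /var/log/secure); this is example code written for this page, not fail2ban's own code or the shipped apache-auth.conf. The failregex lines, the simplified IPv4-only <HOST> expansion and the sample log lines are all constructed here, based on the lines quoted above plus two harmless [error] entries that a filter must not count.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only): a named group capturing the address.
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex lines modelled on the lines quoted in this thread (not fail2ban's shipped apache-auth.conf).
FAILREGEX = {
    "apache-auth": [r"\[error\] \[client <HOST>\] user \S+ not found: "],
    "proftpd": [r"proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: no such user found from "],
}

# Constructed sample input: the thread's quoted failures plus a PHP notice and a missing favicon that must NOT count.
APACHE_ERROR_LOG = [
    "[Wed Apr 01 14:45:56 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "[Wed Apr 01 14:45:59 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "[Wed Apr 01 14:46:09 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "[Wed Apr 01 14:46:12 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "[Wed Apr 01 14:47:00 2009] [error] [client 192.0.2.7] PHP Notice:  Undefined variable: foo in /home/www/web8/web/index.php on line 3",
    "[Wed Apr 01 14:47:30 2009] [error] [client 192.0.2.7] File does not exist: /home/www/web8/web/favicon.ico",
]
PROFTPD_SECURE_LOG = [
    "Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21",
    "Apr 1 15:58:49 s13398765 proftpd[20860]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21",
]

def compile_filter(failregex):
    """Turn fail2ban-style failregex lines (containing <HOST>) into compiled patterns."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in failregex]

def match_failures(lines, patterns):
    """Return the host captured from every line that matches one of the failregex lines."""
    hosts = []
    for line in lines:
        for rx in patterns:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # count each log line at most once, as fail2ban does
    return hosts

def hosts_to_ban(lines, failregex, maxretry=3):
    """Hosts whose failure count reaches maxretry (fail2ban's findtime window is ignored here)."""
    counts = Counter(match_failures(lines, compile_filter(failregex)))
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("apache-auth would ban:", hosts_to_ban(APACHE_ERROR_LOG, FAILREGEX["apache-auth"]))
    print("proftpd would ban:", hosts_to_ban(PROFTPD_SECURE_LOG, FAILREGEX["proftpd"]))
```

The PHP notice and favicon lines carry the same [error] tag but never match, which is why the tag itself does not need changing: the failregex selects on the rest of the line.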

