#!/bin/bash
#
# Author: Gregg Lain {gregg at mochabomb daht com}
#
# Version 0.10 Initial release Jan 11, 2008
#
# fail2ban-check : check your complete fail2ban configuration
#
# Usage: fail2ban-check ( no ARGS )
#
# Purpose: Test fail2ban as configured in jail.conf and filter.d
#          recursively for all tests that are "true" and search all
#          log files until a "Success" is found. I wrote this because
#          it was a lot of work to test my regex _and_ find a log file
#          that had good failures to test against - and correctly
#          configure many servers - you can see here I did not have
#          dovecot configured correctly. That day I wrote this script.
#
#
# Sample output: startup status, test, regex, logfile, result
#
# [root@server log]# /usr/local/sbin/fail2ban-check
#
# ----------- fail2ban setup check ---------------------------------------------
# fail2ban        0:off   1:off   2:on    3:on    4:off   5:on    6:off
# Fail2ban (pid 848
# 32460) is running...
# Status
# |- Number of jail:      3
# `- Jail list:           dovecot-iptables, vsftpd-iptables, sasl-iptables
#
# ________________________________________________________________________________
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
# dovecot    389 13565  0 03:03 ?        00:00:00 pop3-login
# dovecot    844 13565  0 03:20 ?        00:00:00 pop3-login
# root     13565     1  0 Jan08 ?        00:00:02 /usr/sbin/dovecot
# root     13567 13565  0 Jan08 ?        00:00:01 dovecot-auth
# dovecot  13571 13565  0 Jan08 ?        00:00:00 imap-login
# dovecot  13572 13565  0 Jan08 ?        00:00:00 imap-login
# dovecot  13573 13565  0 Jan08 ?        00:00:00 imap-login
# dovecot  32404 13565  0 02:57 ?        00:00:00 pop3-login
# Use regex file : /etc/fail2ban/filter.d/dovecot.conf
# Use log file   : /var/log/secure
# /var/log/secure.17 Success, the total number of match is 916
# Test result: Success
#
# --------------- end sample output ------------------------------------------
#
# Props: Thank you Cyril for your project - it helps me sleep better.
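#
# Note: It will echo "Success" on the first fail2ban-regex logfile that
#       it finds, starting for example with /var/log/secure, then to
#       secure.1 and so on. If you have _many_ logs such as secure.760
#       it will search every one until moving onto the next test.
#
# Limitation: This is written for fail2ban 0.8 - may modify for other
#             versions
#
# Comments, bug reports - welcome to email above
#
# Temp files for work.  They are created with mktemp so the names are
# unpredictable and the files are created atomically with mode 0600.  This
# script normally runs as root, and the earlier date-based names (or the
# optional apg-based ones) under the world-writable /var/tmp could be
# pre-created or symlinked by another local user, so the "> $TESTFILE"
# redirection below would have clobbered an arbitrary file.
TESTFILE=$(mktemp /var/tmp/fail2ban-check.test.XXXXXX) || {
  echo "fail2ban-check: cannot create a temp file in /var/tmp" >&2
  exit 1
}
LOGFILE=$(mktemp /var/tmp/fail2ban-check.log.XXXXXX) || {
  echo "fail2ban-check: cannot create a temp file in /var/tmp" >&2
  exit 1
}
# Remove the work files on every exit path (normal end, error, Ctrl-C) so an
# aborted run does not leave them behind.  LOGFILE is kept only because the
# housecleaning at the end of the script still removes it.
trap 'rm -f -- "$TESTFILE" "$LOGFILE"' EXIT

JAILCONF=/etc/fail2ban/jail.conf
if [ ! -r "$JAILCONF" ]; then
  echo "fail2ban-check: cannot read $JAILCONF" >&2
  exit 1
fi
# Keep only the enabled jails: every run of lines from an "= true" line down
# to its logpath line, with comment lines dropped.  Relies on the 0.8
# jail.conf layout where "enabled = true" comes before "filter =" and
# "logpath =" inside each jail.
sed -n -e '/= true/,/logpath/p' "$JAILCONF" | grep -Ev '^#' > "$TESTFILE"

# Parallel arrays: FILTERARRAY[n] is the filter name and LOGPATHARRAY[n] the
# log it watches, for the n-th enabled jail.  (The original initialised a
# never-used LOGARRAY here while filling LOGPATHARRAY below.)
FILTERARRAY=()
LOGPATHARRAY=()
AREWEOK="Fail"
# Fill the arrays one line at a time so a value containing spaces stays whole;
# the default IFS on 'read' trims the blank that the sed substitution leaves
# in front of the value.  An empty value is kept so the arrays stay aligned.
while read -r FILTER; do
  FILTERARRAY+=("$FILTER")
done < <(grep filter "$TESTFILE" | sed 's/filter.*= *//')
while read -r LOGPATH; do
  LOGPATHARRAY+=("$LOGPATH")
done < <(grep logpath "$TESTFILE" | sed 's/logpath.*= *//')
# imax drives the test loop; take it from the array itself rather than from a
# separate line count so the loop can never index past the end of the array.
imax=${#FILTERARRAY[@]}
if [ "${#FILTERARRAY[@]}" -ne "${#LOGPATHARRAY[@]}" ]; then
  echo "fail2ban-check: warning: ${#FILTERARRAY[@]} filter lines but ${#LOGPATHARRAY[@]} logpath lines in $JAILCONF - results may be misaligned" >&2
fi
# echo fail2ban startup status and currently running?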
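echo ""
echo "----------- fail2ban setup check ------------------------------------------------------------"
# Both are SysV-era commands; say so on stderr when one is missing instead of
# letting bash print "command not found" in the middle of the report.
if command -v chkconfig >/dev/null 2>&1; then
  chkconfig --list | grep fail2ban
else
  echo "fail2ban-check: chkconfig not found, skipping runlevel listing" >&2
fi
if [ -x /etc/init.d/fail2ban ]; then
  /etc/init.d/fail2ban status
else
  echo "fail2ban-check: /etc/init.d/fail2ban not found, skipping daemon status" >&2
fi

FILTERDIR=/etc/fail2ban/filter.d

#######################################
# Run fail2ban-regex once for one log file against one filter.
# Arguments: $1 - log file
#            $2 - filter config (.conf under filter.d)
#            $3 - "show" to print the "Use ..." and "Success ..." lines
# Globals:   AREWEOKSTRING (written) - the "Success, ..." line, empty when
#                the regex matched nothing
#            AREWEOK (written) - first word of that line without the
#                trailing comma, i.e. "Success" or empty
# Outputs:   the filtered fail2ban-regex lines when $3 is "show";
#            fail2ban-regex's own stderr passes through untouched
# Returns:   0 always
#######################################
check_log() {
  local log=$1 conf=$2 show=${3:-}
  local output rest
  # One run serves both the display and the verdict (the original ran
  # fail2ban-regex twice on the current log).
  output=$(/usr/bin/fail2ban-regex "$log" "$conf")
  if [ "$show" = "show" ]; then
    printf '%s\n' "$output" | grep -E 'Use|Success'
  fi
  AREWEOKSTRING=$(printf '%s\n' "$output" | grep 'Success')
  # "Success, the total number of match is 916" -> "Success"
  read -r AREWEOK rest <<<"$AREWEOKSTRING"
  AREWEOK=${AREWEOK%,}
  return 0
}

# One round per enabled jail; n indexes the parallel arrays filled above.
for ((n = 0; n < imax; n++)); do
  LOGPATH=${LOGPATHARRAY[n]}
  FILTERCONF="$FILTERDIR/${FILTERARRAY[n]}.conf"
  echo ""
  echo "________________________________________________________________________________"
  echo "/usr/bin/fail2ban-regex $LOGPATH $FILTERCONF"
  # Show whether the daemon this jail protects is running.  The filter name
  # comes from jail.conf and is a plain string, not a pattern, so match it
  # with -F; drop the grep process itself from the listing.
  ps -ef | grep -F -- "${FILTERARRAY[n]}" | grep -v grep
  # Current log first.  LOGTHATHADREGEX is set up front so the summary line
  # names the current log when it already matches (the original printed an
  # unset/"___" value in that case).
  LOGTHATHADREGEX=$LOGPATH
  check_log "$LOGPATH" "$FILTERCONF" show
  # No match yet: walk the rotated copies LOGPATH.1, LOGPATH.2, ... in order
  # until one matches or the next one does not exist.
  m=1
  while [ "$AREWEOK" != "Success" ] && [ -f "$LOGPATH.$m" ]; do
    LOGTHATHADREGEX="$LOGPATH.$m"
    check_log "$LOGTHATHADREGEX" "$FILTERCONF"
    m=$((m + 1))
  done
  echo "$LOGTHATHADREGEX $AREWEOKSTRING"
  # AREWEOK is empty when no log matched; report that as "Fail" rather than
  # printing a blank result.
  echo "Test result: ${AREWEOK:-Fail}"
  echo ""
done

# housecleaning
rm -f -- "$TESTFILE" "$LOGFILE"
# End of script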