Fail2ban config
Added by E DD almost 9 years ago
Hi, does anyone have fail2ban set up for tvheadend?
Could you help me set it up?
# Create the TVHeadend-filter for fail2ban
#nano /etc/fail2ban/filter.d/tvheadend.conf
cat > /etc/fail2ban/filter.d/tvheadend.conf <<EOF
[Definition]
failregex= ???
ignoreregex =
EOF
#nano /etc/fail2ban/jail.d/tvheadend.conf
cat > /etc/fail2ban/jail.d/tvheadend.conf <<EOF
[tvheadend]
enabled = true
port = 80,443
protocol = tcp
filter = tvheadend
maxretry = 3
bantime = 180
logpath = ???
EOF
service fail2ban restart
fail2ban-client status tvheadend
Replies (4)
RE: Fail2ban config
Added by Josu Lazkano almost 9 years ago
Hello,
You should provide a login log line as an example to regex it.
I use fail2ban for other services; it will be great to add tvheadend.
Kind regards.
RE: Fail2ban config
Added by E DD almost 9 years ago
I couldn't find the log, but I started tvheadend from the command line and tried to log in. I got the following message:
2017-03-22 11:15:42.792 [ ERROR] http: 192.168.1.2: HTTP/1.1 GET /login -- 401
so something like
failregex = .*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401
I don't have https set up so I don't know how those error messages would look, but this is a start.
Anyone know where the log is stored?
Edit: The failregex seems to work:
$ fail2ban-regex '2017-03-22 11:15:42.792 [ ERROR] http: 192.168.1.2: HTTP/1.1 GET /login -- 401' '.*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401'

Running tests
=============

Use failregex line : .*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401
Use single line : 2017-03-22 11:15:42.792 [ ERROR] http: 192.168.1.2...

Results
=======

Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] .*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [1] Year-Month-Day Hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
RE: Fail2ban config
Added by Josu Lazkano almost 9 years ago
Hello,
You need to store the tvheadend logs in a file.
You could try to configure rsyslog.
Regards.
RE: Fail2ban config
Added by E DD almost 9 years ago
I don't think rsyslog is what I'm looking for. I configured TVHeadend to log to a file like this:
mkdir -p /var/log/tvheadend
chmod -R 755 /var/log/tvheadend
chown -R hts /var/log/tvheadend
TVHEADEND_ERROR_LOG_LOC=/var/log/tvheadend/error.log
# modify the startup script so that it will log errors
sed -i "s~^TVH_ARGS=\"~TVH_ARGS=\"-l ${TVHEADEND_ERROR_LOG_LOC} ~" /etc/default/tvheadend
systemctl daemon-reload
service tvheadend restart
and it works, however I would like to set the loglevel somehow. As far as I know this is unsupported.
I set up the jail like this:
PORT_TVHEADEND=9981
TVHEADEND_FAILREGEX=".*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401"
# Create the TVHeadend-filter for fail2ban
#nano /etc/fail2ban/filter.d/tvheadend.conf
cat > /etc/fail2ban/filter.d/tvheadend.conf <<EOF
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = tvheadend
failregex = ${TVHEADEND_FAILREGEX}
ignoreregex =
EOF
#nano /etc/fail2ban/jail.d/tvheadend.conf
cat > /etc/fail2ban/jail.d/tvheadend.conf <<EOF
[tvheadend]
enabled = true
port = $PORT_TVHEADEND
filter = tvheadend
action = iptables[name=tvheadend, port=$PORT_TVHEADEND, protocol=tcp]
logpath = $TVHEADEND_ERROR_LOG_LOC
maxretry = 5
EOF
service fail2ban restart
fail2ban-client status tvheadend
It seems the failregex is not correct:
failregex = .*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401
Anyone here who knows their regexes?
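A way to check a failregex against log lines before loading it into the jail, as an added example that is not code from the thread or from fail2ban. It approximates fail2ban's matching in Python (the regex dialect failregex uses) and counts failures per host against the jail's maxretry = 5. Assumptions: `<HOST>` is reduced to IPv4, the findtime window is ignored, the anchored variant is hypothetical and relies on the whole timestamp (fractional seconds included) being stripped, and every log line except the first is constructed.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# fail2ban cuts the timestamp it recognised out of the line before applying
# failregex; this pattern covers the timestamp format shown in the thread.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")

# failregex exactly as posted in the thread.
THREAD_REGEX = r".*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401"
# Hypothetical tighter variant: anchored at both ends, literal dot escaped.
ANCHORED_REGEX = r"^\s*\[\s*ERROR\]\s+http: <HOST>: HTTP/1\.1 GET /login -- 401\s*$"


def run_filter(failregex, lines):
    """Return (hosts of matching lines, lines that did not match)."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hosts, missed = [], []
    for line in lines:
        m = rx.search(TIMESTAMP.sub("", line, count=1))
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(line)
    return hosts, missed


def ban_candidates(hosts, maxretry=5):
    """Hosts with at least maxretry failures (findtime window ignored)."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)


# Constructed sample; the first entry equals the line quoted in the thread.
LINE = "2017-03-22 11:15:{:02d}.792 [ ERROR] http: {}: HTTP/1.1 GET /login -- {}"
SAMPLE = [LINE.format(42 + i, "192.168.1.2", 401) for i in range(5)]
SAMPLE += [
    LINE.format(50, "192.168.1.3", 401),  # one failure, below maxretry
    LINE.format(51, "192.168.1.4", 200),  # not an authentication failure
    "2017-03-22 11:15:52.001 http: 192.168.1.5: HTTP/1.1 GET /login -- 401",  # no level field
]

if __name__ == "__main__":
    for name, rx in (("thread", THREAD_REGEX), ("anchored", ANCHORED_REGEX)):
        hosts, missed = run_filter(rx, SAMPLE)
        print(name, "ban:", ban_candidates(hosts), "missed:", len(missed))
```

The missed list is the part to read when a jail never triggers: it shows which lines in the file differ from the line the regex was written for. Running `fail2ban-regex /var/log/tvheadend/error.log /etc/fail2ban/filter.d/tvheadend.conf` performs the same check with fail2ban's own matcher on the real log.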