[BR]: systemd-journal - Fail2Ban doesn't see all log records that journalctl does #3682

Closed
bambooCZ opened this issue Feb 25, 2024 · 2 comments


@bambooCZ

bambooCZ commented Feb 25, 2024

Hello,

maybe I am stupid, but I have already burned 5 hours debugging this. Let's take nginx as an example.

fail2ban-regex --print-all-missed --print-all-ignored --print-all-matched --journalmatch='_SYSTEMD_UNIT=nginx.service + _COMM=nginx' systemd-journald nginx-http-auth-journald

Running tests
=============

Use   failregex filter file : nginx-http-auth-journald, basedir: /etc/fail2ban
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : _SYSTEMD_UNIT=nginx.service + _COMM=nginx


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]

|- Missed line(s):
|  2024-02-25T19:10:12.440842+01:00 localhost nginx[10528]: 2024/02/25 19:10:12 [alert] 10528#10528: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
`-

vs.

journalctl -fu nginx.service

Feb 25 19:10:12 localhost systemd[1]: Starting A high performance web server and a reverse proxy server...
Feb 25 19:10:12 localhost nginx[10528]: 2024/02/25 19:10:12 [alert] 10528#10528: detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Feb 25 19:10:12 localhost systemd[1]: Started A high performance web server and a reverse proxy server.
Feb 25 19:10:21 localhost nginx[10533]: localhost nginx: 37.48.9.235 - - [25/Feb/2024:19:10:21 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2  Mobile/15E148 Safari/605.1.15"
Feb 25 19:10:26 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:10:26 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:10:29 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:10:26 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2  Mobile/15E148 Safari/605.1.15"
Feb 25 19:10:47 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:10:47 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:10:49 localhost nginx[10533]: 2024/02/25 19:10:47 [error] 10533#10533: *3 PAM: user '🐮🐼🐼' - not authenticated: User not known to the underlying authentication module, client: 37.48.9.235, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
Feb 25 19:10:49 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:10:47 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2  Mobile/15E148 Safari/605.1.15"
Feb 25 19:11:05 localhost nginx[10533]: rker process: pam_unix(nginx:auth): check pass; user unknown
Feb 25 19:11:05 localhost nginx[10533]: rker process: pam_unix(nginx:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235
Feb 25 19:11:06 localhost nginx[10533]: 2024/02/25 19:11:05 [error] 10533#10533: *4 PAM: user '🐮🐼🐼' - not authenticated: User not known to the underlying authentication module, client: 37.48.9.235, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
Feb 25 19:11:06 localhost nginx[10533]: localhost nginx: 37.48.9.235 - \xF0\x9F\x90\xAE\xF0\x9F\x90\xBC\xF0\x9F\x90\xBC [25/Feb/2024:19:11:05 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2  Mobile/15E148 Safari/605.1.15"
Feb 25 19:11:06 localhost nginx[10533]: localhost nginx: 37.48.9.235 - - [25/Feb/2024:19:11:06 +0100] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/122.2  Mobile/15E148 Safari/605.1.15"

Configuration details


/etc/nginx/nginx.conf

load_module "/usr/lib/nginx/modules/ngx_http_auth_pam_module.so";

error_log   stderr error;

http {
    default_type  application/octet-stream;
    charset UTF-8;

    access_log syslog:server=unix:/run/systemd/journal/dev-log,facility=local7,tag=nginx,severity=notice combined;

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        location / {
            root   /var/nginx/html;

            auth_pam              "Shrek's Web Server";
            auth_pam_service_name "nginx";
        }
    }
}

/usr/lib/systemd/system/nginx.service

[Unit]
Description=A high performance web server and a reverse proxy server
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
PrivateDevices=yes
PrivateTmp=true
SyslogLevel=err

ExecStart=/usr/bin/nginx
ExecReload=/usr/bin/nginx -s reload
Restart=on-failure
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target
@bambooCZ bambooCZ added the bug label Feb 25, 2024
@sebres
Contributor

sebres commented Feb 26, 2024

fail2ban-regex --print-all-missed --print-all-ignored --print-all-matched --journalmatch='_SYSTEMD_UNIT=nginx.service + _COMM=nginx' systemd-journald nginx-http-auth-journald

Why systemd-journald (with a d at the end)? As the man pages and fail2ban-regex --help say, the correct name would be systemd-journal (without the d).

As for fail2ban-regex finding no lines: since #2444, journalflags is set to SYSTEM_ONLY (4) by default.

See also #2208 (comment) .

No idea where nginx would write it exactly, but you can try it with:

# local-only:
fail2ban-regex systemd-journal[journalflags=1] nginx-http-auth-journald
# runtime-only:
fail2ban-regex systemd-journal[journalflags=2] nginx-http-auth-journald

and then see which lines it finds in the journal (and which of them match the filter).
After that, set the proper journalflags (or journalpath or journalfiles) on the backend in the jail:

[nginx-http-auth]
backend = systemd[journalflags=1]
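The two mechanisms this thread turns on, which journal entries a `journalmatch` expression selects and whether a failregex then matches the selected entries, can be modelled offline. The block below is an added example, not code from the issue or from Fail2Ban itself: it replays constructed journal entries whose messages are copied from the journalctl output in the report, applies the match expression with the semantics the systemd backend gets from libsystemd (each `FIELD=value` is an `sd_journal_add_match`, each `+` an `sd_journal_add_disjunction`, so `_SYSTEMD_UNIT=nginx.service + _COMM=nginx` means unit OR comm), and then runs two illustrative regexes for the auth_pam lines. The `_COMM` and `_TRANSPORT` values on the entries are assumptions (the report does not show raw fields; check them with `journalctl -u nginx.service -o verbose`), and the regexes are mine, not the project's stock nginx-http-auth filter, which is written for auth_basic's `user ... password mismatch` / `was not found` messages and therefore would not match the `PAM: user ... not authenticated` form at all.

```python
# Added example; not code from the original issue or from Fail2Ban.
# Models journalmatch selection and failregex matching on constructed entries.
import re

# sd_journal_open() flag bits; fail2ban's journalflags option is this integer.
SD_JOURNAL_LOCAL_ONLY = 1
SD_JOURNAL_RUNTIME_ONLY = 2
SD_JOURNAL_SYSTEM = 4
SD_JOURNAL_CURRENT_USER = 8
FLAG_NAMES = {
    SD_JOURNAL_LOCAL_ONLY: "LOCAL_ONLY",
    SD_JOURNAL_RUNTIME_ONLY: "RUNTIME_ONLY",
    SD_JOURNAL_SYSTEM: "SYSTEM",
    SD_JOURNAL_CURRENT_USER: "CURRENT_USER",
}


def decode_journalflags(flags):
    """Name the bits set in a journalflags value, e.g. 4 -> ['SYSTEM']."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def parse_journalmatch(expr):
    """Split 'A=1 B=2 + C=3' into OR-groups of FIELD -> {values}.

    Mirrors how the backend hands the expression to libsystemd: every
    FIELD=value becomes sd_journal_add_match(), every '+' becomes
    sd_journal_add_disjunction(). Inside a group, repeated fields are
    OR-ed and different fields are AND-ed (libsystemd semantics).
    """
    groups = []
    for group in expr.split("+"):
        terms = {}
        for token in group.split():
            field, _, value = token.partition("=")
            terms.setdefault(field, set()).add(value)
        if terms:
            groups.append(terms)
    return groups


def journal_matches(entry, expr):
    """True if the entry satisfies at least one OR-group of the expression."""
    for group in parse_journalmatch(expr):
        if all(entry.get(field) in values for field, values in group.items()):
            return True
    return False


# Constructed entries. MESSAGE text is copied from the report's journalctl
# output; _COMM/_TRANSPORT are assumed. The worker comm "nginx: worker p"
# assumes the kernel's 15-byte truncation of "nginx: worker process".
JOURNAL = [
    {"_SYSTEMD_UNIT": "init.scope", "_COMM": "systemd", "_TRANSPORT": "journal",
     "MESSAGE": "Starting A high performance web server and a reverse proxy server..."},
    {"_SYSTEMD_UNIT": "nginx.service", "_COMM": "nginx", "_TRANSPORT": "stdout",
     "MESSAGE": "2024/02/25 19:10:12 [alert] 10528#10528: detected a LuaJIT version "
                "which is not OpenResty's; many optimizations will be disabled"},
    {"_SYSTEMD_UNIT": "nginx.service", "_COMM": "nginx: worker p", "_TRANSPORT": "syslog",
     "MESSAGE": "rker process: pam_unix(nginx:auth): authentication failure; "
                "logname= uid=1000 euid=1000 tty= ruser= rhost=37.48.9.235"},
    {"_SYSTEMD_UNIT": "nginx.service", "_COMM": "nginx: worker p", "_TRANSPORT": "stdout",
     "MESSAGE": "2024/02/25 19:10:47 [error] 10533#10533: *3 PAM: user '🐮🐼🐼' - not "
                "authenticated: User not known to the underlying authentication module, "
                "client: 37.48.9.235, server: localhost, request: \"GET / HTTP/1.1\", "
                "host: \"localhost\""},
    {"_SYSTEMD_UNIT": "nginx.service", "_COMM": "nginx: worker p", "_TRANSPORT": "syslog",
     "MESSAGE": "localhost nginx: 37.48.9.235 - - [25/Feb/2024:19:10:21 +0100] "
                "\"GET / HTTP/1.1\" 401 179 \"-\" \"Mozilla/5.0\""},
]

# Illustrative failregex for the two auth_pam message forms in the report.
# fail2ban substitutes <HOST> with its own host pattern and strips the date
# first; here a non-space, non-comma group and an optional nginx timestamp
# prefix stand in for that. The user name is attacker-supplied text, so it is
# bounded with [^']* rather than .* to keep the regex from backtracking wildly.
HOST = r"(?P<host>[^\s,]+)"
FAILREGEX = [
    re.compile(r"^(?:\d{4}/\d\d/\d\d \d\d:\d\d:\d\d )?\[error\] \d+#\d+: \*\d+ PAM: "
               r"user '[^']*' - not authenticated: [^,]*, client: " + HOST +
               r", server: \S*, request: \"\S+ \S+ HTTP/\d+\.\d+\", host: \"\S+\""),
    re.compile(r"pam_unix\(nginx:auth\): authentication failure;.* rhost=" + HOST + r"\s*$"),
]


def scan(journal, journalmatch, failregex=FAILREGEX):
    """Hosts extracted by failregex from the entries journalmatch selects."""
    hosts = []
    for entry in journal:
        if not journal_matches(entry, journalmatch):
            continue
        for rx in failregex:
            m = rx.search(entry["MESSAGE"])
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print(decode_journalflags(4))
    print(scan(JOURNAL, "_SYSTEMD_UNIT=nginx.service + _COMM=nginx"))
    print(scan(JOURNAL, "_COMM=nginx"))
```

Running it shows the difference the `+` makes: with the unit-OR-comm expression every nginx.service entry is selected and both PAM failures yield the client address, whereas a match on `_COMM=nginx` alone only ever sees the master process's startup alert. Whatever the real cause on the reporter's host turns out to be, comparing `journalctl -o verbose` fields against this kind of table is the quickest way to tell a journal-selection problem (journalflags, journalmatch) from a failregex problem.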

@bambooCZ
Author

bambooCZ commented Feb 26, 2024

> Why systemd-journald (with a d at the end)? As the man pages and fail2ban-regex --help say, the correct name would be systemd-journal (without the d).

Probably a copy-paste mistake, sorry. The command ran. But thank you for the guidance; I will have a look at it. I suspected that there was some attribute I was missing, but I wasn't able to discover it.
