- fail2ban 0.9
- mysql
- web server with php (apache with php and mysql library)
database name : myf2b
table name: kci_logipv4
| No | field | datatype |
| 1 | logdate | datetime |
| 2 | logipv4 | int(11) |
| 3 | logmsg | varchar(1000) |
| 4 | kci_category | int(11) |
| 5 | id | (int11) |
| 6 | codecontinent | char(2) |
| 7 | codecontinent2 | char(2) |
| 8 | codecontinent3 | char(3) |
table name: kci_category
| No | field | datatype |
| 1 | id | int(11) |
| 2 | category | varchar(20) |
Note:
- We store IPv4 in long.
- Field with underline is primary key
| id | category |
| 10 | SSH |
| 20 | FTP |
| 30 | HTTP/HTTPS |
| 40 | SMTP/POP/IMAP/POP3/S |
We need a small application to store any log trapped in fail2ban. I use PHP to do that. Here is kci_log.php source code https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_log.php
That's all. Now you create a custom action mlocaldb.conf for fail2ban to call kci_log.php. Put mlocaldb.conf in /etc/fail2ban/action.d/, here is mlocaldb.conf https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/mlocaldb%2Cconf
Note: You need to change this part 'http://[your_domain]/kci_log.php' >> /home/[user]/logs/curlfail2ban.log
- 'http://[your_domain]/kci_log.php' where kci_log.php reside
- /home/[user]/logs/curlfail2ban.log where the log will be store. You can remove it after you confidence.
...[sshd]port = sshlogpath = %(sshd_log)sbackend = %(sshd_backend)senabled = truefilter = sshdaction = iptables-ipset-proto4[name=sshd] mlocaldb[category=10] abuseipdb[category=4,18,22] ...Note change category with id you inserted into table kci_category. For example 20 for proftpd.
Show it in your web. This is kci_logread.php source code to show the log, feel free to modify it . https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_logread.php
See on Github https://github.com/dedetok/fail2ban-to-mysql
No comments:
Post a Comment