Elleni Veteran
Joined: 23 May 2006 Posts: 1291
Posted: Sun Dec 01, 2019 10:10 am Post subject: [solved] Enable drupal-auth jail in fail2ban
I would like to enable drupal-auth jail in fail2ban. How can I configure drupal to write login messages in a separate logfile? My first attempt was to enable syslog module within drupal, but that spammed my /var/log/messages with very many drupal related messages. Normally drupal logs in a database? If that's true I would like to leave it that way as /var/log/messages already gets pretty spammed by mailserver entries.
Last edited by Elleni on Wed Dec 04, 2019 11:10 pm; edited 1 time in total
msst Apprentice
Joined: 07 Jun 2011 Posts: 259
Posted: Sun Dec 01, 2019 1:40 pm
I think fail2ban needs the stuff logged into a file. You could configure drupal to log to something like /var/log/drupal.log and have fail2ban read this file.
Check also the log level of drupal. You will need only the auth actions to be logged.
Elleni Veteran
Joined: 23 May 2006 Posts: 1291
Posted: Mon Dec 02, 2019 1:16 am
Hi msst,
Yes, exactly - that's why I am trying to find out how to configure drupal correctly to log to a file.
What I found out so far:
If I enable the syslog module in drupal, it logs to syslog-ng thus the drupal messages are written to /var/log/messages. Now I am trying to get them to a separate file /var/log/drupal.log.
Thus I wrote the following two lines in syslog-ng.conf:
Code:
destination drupal { file("/var/log/drupal.log"); };
log { source(src); destination(drupal); };

But now drupal log entries are written to both, /var/log/messages and /var/log/drupal.log
Edit: Tried to replace the above with
Code:
destination local0 { file("/var/log/drupal.log"); };
filter local0 { facility(local0); };
log { source(src); filter(local0); destination(local0); };

but same thing, drupal.log is created but entries are still logged in both files, messages and drupal.log.
I am trying to find out:
- How to remove any drupal entries from /var/log/messages to only have them logged once in drupal.log file.
- How to limit drupal entries written in /var/log/drupal.log so that only logon attempts are logged, and not everything drupal related.
Testing with fail2ban-regex /var/log/drupal.log /etc/fail2ban/filter.d/drupal-auth.conf, I found out that the drupal-auth filter installed with fail2ban does not work, so I changed failregex to a shorter one, found online, as this one works.
Code:
#failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
failregex = \|user\|<HOST>\|.*\|Login attempt failed (.+)\.$
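What the shortened failregex in the post above selects, shown on constructed log lines. This is an added example, not part of the original thread and not fail2ban's own code; the `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the sample lines and the `maxretry` value of 3 are assumptions.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag. Assumption: IPv4 only; the real tag
# also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The shortened failregex from the post, with <HOST> expanded.
FAILREGEX = re.compile(
    r"\|user\|<HOST>\|.*\|Login attempt failed (.+)\.$".replace("<HOST>", HOST)
)

# Constructed sample lines (not real logs), laid out in the field order the
# shipped filter expects:
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
SAMPLE_LOG = """\
Dec  2 01:10:01 web drupal: https://example.org|1575249001|user|203.0.113.7|https://example.org/user/login|https://example.org/user/login|0||Login attempt failed for admin.
Dec  2 01:10:03 web drupal: https://example.org|1575249003|user|203.0.113.7|https://example.org/user/login|https://example.org/user/login|0||Login attempt failed for admin.
Dec  2 01:10:05 web drupal: https://example.org|1575249005|user|203.0.113.7|https://example.org/user/login|https://example.org/user/login|0||Login attempt failed for root.
Dec  2 01:11:00 web drupal: https://example.org|1575249060|user|198.51.100.20|https://example.org/user/login|https://example.org/user/login|5||Session opened for alice.
Dec  2 01:12:00 web drupal: https://example.org|1575249120|cron|127.0.0.1|https://example.org/cron.php||0||Cron run completed.
Dec  2 01:13:00 web drupal: https://example.org|1575249180|user|198.51.100.20|https://example.org/user/login|https://example.org/user/login|0||Login attempt failed for editor.
"""


def failed_hosts(log_text):
    """Count matching lines per captured host, one regex search per line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_over(log_text, maxretry):
    """Hosts with at least maxretry failures (findtime is ignored here)."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))
    print(hosts_over(SAMPLE_LOG, 3))  # maxretry=3 is a constructed value
```

Only lines whose type field is `user` and whose message is a failed login are counted, so the successful session and the cron entry in the sample do not contribute to a ban.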
freke Veteran
Joined: 23 Jan 2003 Posts: 1050 Location: Somewhere in Denmark
Posted: Mon Dec 02, 2019 3:58 pm
You're correctly filtering for the drupal destination; you also need to filter on the default/other destination, I think something like here: https://www.monitis.com/blog/how-to-filter-logs-with-syslog-ng/
i.e. specifying
Code:
filter anythingelse { not facility(local0); };

or something similar. And use that filter on your default log.
Code:
destination default { file("/var/log/messages"); };
filter anythingelse { not facility(local0); };
log { source(src); filter(anythingelse); destination(default); };
Elleni Veteran
Joined: 23 May 2006 Posts: 1291
Posted: Mon Dec 02, 2019 9:47 pm
freke, you are my hero.
That did the trick. It was destination (messages) instead of (default), but that's a detail.
If we could further filter the drupal.log file so only auth messages are logged, that would be perfect, but I can live with everything drupal related going in drupal.log. I am too tired now. Will maybe check later, if I find the right filter.