
########################################################
# Please file all bug reports, patches, and feature
# requests under:
#      https://sourceforge.net/p/logwatch/_list/tickets
# Help requests and discusion can be filed under:
#      https://sourceforge.net/p/logwatch/discussion/
########################################################

########################################################
## Copyright (c) 2008  Yaroslav Halchenko
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
my $IgnoreFlushing = $ENV{'fail2ban_ignore_flushing'} || "";
my $ErrLen = $ENV{'fail2ban_error_length'} || 80;
my $DebugCounter = 0;
my $ReInitializations = 0;
my @IptablesErrors = ();
my @ActionErrors = ();
my $NotValidIP = 0;             # reported invalid IPs number
my %ErrorList = ();
my %WarningList = ();
my %InfoList = ();
my %NoticeList = ();
my %OtherList = ();
my %Flushing = ();              # keep track of which services being flushed

my %ServicesBans = ();
my %ServicesFound = ();
my %ServicesIgnored = ();

#Init String Containers
my (
$Action,        $Host,      $Message,
$NumFailures,   $Service
);
if ( $Debug >= 5 ) {
    print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
    $DebugCounter = 1;
}

while (defined(my $ThisLine = <STDIN>)) {
    if ( $Debug >= 5 ) {
        print STDERR "DEBUG($DebugCounter): $ThisLine";
        $DebugCounter++;
    }
    chomp($ThisLine);
    if ( ($ThisLine =~ /..,... DEBUG: /) or
         ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
         ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
         ($ThisLine =~ /INFO\s+Log rotation detected for/) or
         ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses )/) or
         ($ThisLine =~ /INFO\s+Changed logging target to/) or
         ($ThisLine =~ /INFO\s+Creating new jail/) or
         ($ThisLine =~ /INFO\s+(Set |Socket|Gamin|Created|Added|Using|Connected to |rollover performed)/) or # syntax of 0.7.? fail2ban
         ($ThisLine =~ /..,... WARNING: Verbose level is /) or
         ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
         ($ThisLine =~ /WARNING Determined IP using DNS Lookup/) or
         ($ThisLine =~ /INFO\s+Initiated '.*' backend/) or
         ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/) or
         ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/)
       )
    {
        if ( $Debug >= 6 ) {
            print STDERR "DEBUG($DebugCounter): line ignored\n";
        }
    } elsif ( ($Service,$Action,$Host) = ($ThisLine =~ m/NOTICE:?\s+\[?(.*?)[]:]?\s(Restore Ban)[^\.]* (\S+)/)) {
        $ServicesBans{$Service}{$Host}{'ReBan'}++;
        $ServicesBans{$Service}{"(all)"}{'ReBan'}++;
    } elsif ( ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
        if ( $Debug >= 6 ) {
            print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
        }
        if (exists $Flushing{$Service}) {
            if ($Action =~ /Unban/) {
                $ServicesBans{$Service}{$Host}{'FlushUnban'}++;
                $ServicesBans{$Service}{"(all)"}{'FlushUnban'}++;
            } elsif ( ! $IgnoreFlushing ) {
                print STDERR "ERROR: Lost track of flushing services\n";
            }
        } else {
            $ServicesBans{$Service}{$Host}{$Action}++;
            $ServicesBans{$Service}{"(all)"}{$Action}++;
        }
    } elsif ( ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
        if ($Debug >= 4) {
            print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
        }
        push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
    } elsif ( ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
        $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
    } elsif ( ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING|NOTICE)\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
        $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
    } elsif ( ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
        $ServicesBans{$Service}{$Host}{'ReBan'}++;
    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
        push @IptablesErrors, "$ThisLine\n";
    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
        push @ActionErrors, "$ThisLine\n";
    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
             ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
        $ReInitializations++;
    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
        # just ignore - this will be fixed within fail2ban and is harmless warning
    } elsif ( ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (\S+)/)) {
        $ServicesFound{$Service}{$Host}++;
    } elsif ( ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (\S+)/)) {
        $ServicesIgnored{$Service}{$Host}++;
    # Generic messages
    } elsif ( ($Message) = ($ThisLine =~ / ERROR (.*)$/)) {
        # Fail2ban can dump huge error messages in its logs
        if ($ErrLen > 3 && length($Message) > $ErrLen) {
            $ErrorList{substr($Message,0,$ErrLen-3).'...'}++;
        } else {
            $ErrorList{$Message}++;
        }
    } elsif ( ($Message) = ($ThisLine =~ / WARNING (.*)$/)) {
        $WarningList{$Message}++;
    } elsif ( ($Message) = ($ThisLine =~ / INFO (.*)$/)) {
        $InfoList{$Message}++;
        if ( ($Service) = ($Message =~ /Jail \'(.*)\' stopped/)) {
            delete $Flushing{$Service};
        }
        if ( ($Service) = ($Message =~ /Stopping all jails|Exiting Fail2ban/)) {
            %Flushing = ();
        }
    } elsif ( ($Message) = ($ThisLine =~ / NOTICE (.*)$/)) {
        $NoticeList{$Message}++;
        if ( ($Service) = ($Message =~ /\[(.*)\] Flush ticket/)) {
            $Flushing{$Service} = 1;
        }
    } else {
        # Report any unmatched entries...
        $OtherList{$ThisLine}++;
    }
}

###########################################################


if (keys %ServicesBans and ($Detail > 0)) {
    printf("\nBanned services with Fail2Ban:                        Bans:Unbans  ReBans:Flush\n");
    foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
        # Perl handles autoincrement of the uninitialized key values,
        # but it can issue a warning when used in a print statement.
        # So we check for existence before printing its value.
        printf("   %-50s [%3d:%-3d]      [%3d:%-3d]\n", "$service:",
               (exists $ServicesBans{$service}{'(all)'}{'Ban'}) ?
                  $ServicesBans{$service}{'(all)'}{'Ban'} : 0,
               (exists $ServicesBans{$service}{'(all)'}{'Unban'}) ?
                  $ServicesBans{$service}{'(all)'}{'Unban'} : 0,
               (exists $ServicesBans{$service}{'(all)'}{'ReBan'}) ?
                  $ServicesBans{$service}{'(all)'}{'ReBan'} : 0,
               (exists $ServicesBans{$service}{'(all)'}{'FlushUnban'}) ?
                  $ServicesBans{$service}{'(all)'}{'FlushUnban'} : 0);
        delete $ServicesBans{$service}{'(all)'};

        my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
        if ($Detail >= 5) {
            foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
                my @name = split(/ /, LookupIP($ip));
                # As explained above, we check for existence of hashes
                # that are autoincremented.
                printf("      %-48s %3d:%-3d        %3d:%-3d\n",
                    $name[0],
                    (exists $ServicesBans{$service}{$ip}{'Ban'}) ?
                        $ServicesBans{$service}{$ip}{'Ban'} : 0,
                    (exists $ServicesBans{$service}{$ip}{'Unban'}) ?
                        $ServicesBans{$service}{$ip}{'Unban'} : 0,
                    (exists $ServicesBans{$service}{$ip}{'ReBan'}) ?
                        $ServicesBans{$service}{$ip}{'ReBan'} : 0,
                    (exists $ServicesBans{$service}{$ip}{'FlushUnban'}) ?
                        $ServicesBans{$service}{$ip}{'FlushUnban'} : 0);
                if (scalar @name > 1) {
                   printf("          %s\n", $name[1]);
                   }
                if (($Detail >= 10) and
                    (exists $ServicesBans{$service}{$ip}{'Failures'}) and
                    ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
                    print "      Failed ";
                    foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
                        print " $fails";
                    }
                    print " times";
}
                if (($Detail >= 10) and
                    (exists $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) and
                    ($ServicesBans{$service}{$ip}{'AlreadyInTheList'}>0)) {
                    printf("         (%d Duplicate Ban attempts)\n",
                        $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
                }
            }
        }
    }
}

if (keys %ServicesFound and $Detail>5) {
    printf("\nFail2Ban hosts found:\n");
    foreach my $service (sort {$a cmp $b} keys %ServicesFound) {
        print("    $service:\n");
        foreach my $ip (sort {$a cmp $b} keys %{$ServicesFound{$service}}) {
            printf("       %-15s (%3d Times)\n", "$ip",
                   $ServicesFound{$service}{$ip});
        }
    }
}

if (keys %ServicesIgnored and $Detail>5) {
    printf("\nFail2Ban hosts ignored:\n");
    foreach my $service (sort {$a cmp $b} keys %ServicesIgnored) {
        print("    $service:\n");
        foreach my $ip (sort {$a cmp $b} keys %{$ServicesIgnored{$service}}) {
            printf("       %-15s (%3d Times)\n", "$ip",
                   $ServicesIgnored{$service}{$ip});
        }
    }
}

if (keys(%ErrorList)) {
    print "\n** ERRORS **\n";
    foreach my $line (sort {$a cmp $b} keys %ErrorList) {
        print "   $line: $ErrorList{$line} Time(s)\n";
    }
}

if (keys(%WarningList)) {
    print "\n** WARNINGS **\n";
    foreach my $line (sort {$a cmp $b} keys %WarningList) {
        print "   $line: $WarningList{$line} Time(s)\n";
    }
}

if (keys(%InfoList) && $Detail>5) {
    print "\nInformational Messages:\n";
    foreach my $line (sort {$a cmp $b} keys %InfoList) {
        print "   $line: $InfoList{$line} Time(s)\n";
    }
}

if (keys(%NoticeList) && $Detail>7) {
    print "\nNotices:\n";
    foreach my $line (sort {$a cmp $b} keys %NoticeList) {
        print "   $line: $NoticeList{$line} Time(s)\n";
    }
}

if ($Detail>0) {
    if ($#IptablesErrors > 0) {
        printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
        if ($Detail > 5) {
            print ":\n";
            print @IptablesErrors ;
        }
    }
    if ($#ActionErrors > 0) {
        printf("\n%d error(s) returned from actions", $#ActionErrors);
        if ($Detail > 5) {
            print ":\n";
            print @ActionErrors ;
        }
    }
    if ($ReInitializations > 0) {
        printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
    }
}

if (keys(%OtherList)) {
    print "\n**Unmatched Entries**\n";
    foreach my $line (sort {$a cmp $b} keys %OtherList) {
        print "   $line: $OtherList{$line} Time(s)\n";
    }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End:
