
SANS ISC: DSHIELD with fail2ban SANS ISC InfoSec Forums

DSHIELD with fail2ban
Trying to get fail2ban properly configured to send DSHIELD reports. I am able to send them, but they aren't showing as coming from my registered email address and therefore aren't listed on my account. Looking at the little bit of help I can find, this is what I should have in the dshield.local file:

[Init]
myip = <IP masked>
userid = <ID masked>
mailcmd = mail -s
mailargs = -- -f <email address masked>

This is a CentOS6 system, using fail2ban v0.8.7.

Any help would be appreciated. Thanks
Ernest

1 Posts
Did you ever get this to work?

What is your mailer?

The "-- -f email_address" is for sendmail.

I'm using Postfix and found reports were being sent as root. I resorted to using smtp_generic_maps in Postfix to re-write the sending email address from root@somewhere to the email address I have registered with dshield.

I'm now getting submission confirmation emails from dshield like this:

Authorized Userid: <removed>
Format: DSHIELD
Timezone: +00:00

Lines in file: 10
Lines rejected: none
Unique lines written to database: 1
identical lines are added up on import.

Lines written to database (up to 10):
<removed>


Thanks a lot for your input

NOTE: This message indicates that your log submission was parsed. The
data will be imported into the database shortly.

Subject: FORMAT DSHIELD USERID <removed> TZ +00:00 FAIL2BAN
From: <removed>
PGP: NO



However, I'm not seeing anything reported in "My Reports".

What might I still be doing wrong?
DavidJames

2 Posts
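The rewrite DavidJames describes above, as an added example (not code from the thread or from the fail2ban or Postfix projects): a small POSIX shell script that writes a Postfix generic(5) table mapping the root sender fail2ban's mail command produces to the address registered with DShield, resolves an address against that table the way Postfix's smtp client does, and shows the install commands. The hostname honeypot.example, the address dshield-user@example.org and the scratch path are constructed placeholders. Only the user@domain and @domain lookup forms are modelled here; the bare "user" form Postfix also tries for local domains is left out.

```shell
#!/bin/sh
# Added example, not from the thread: build a Postfix smtp_generic_maps table that
# rewrites the sender fail2ban uses (root@<host>) to the address registered with
# DShield, then resolve an address against it. honeypot.example and
# dshield-user@example.org are constructed placeholders; substitute your own.

# Write a generic(5) table: "pattern  replacement" per line, '#' comments allowed.
# user@domain has the highest precedence; @domain is the lowest-precedence
# catch-all for any other sender in that domain.
write_generic_map() {
    map="$1"      # path of the map source file (for real use: /etc/postfix/generic)
    sender="$2"   # address registered with DShield
    cat > "$map" <<EOF
# the root sender that fail2ban's mail command produces
root@honeypot.example   $sender
# anything else leaving from this host
@honeypot.example       $sender
EOF
}

# Resolve an address against the map: exact user@domain first, then @domain.
# Prints the replacement, or nothing when no pattern matches (no rewrite).
lookup_generic() {
    map="$1"
    addr="$2"
    domain="${addr#*@}"
    awk -v key="$addr" -v wild="@$domain" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == key  { exact = $2 }
        $1 == wild { wildcard = $2 }
        END {
            if (exact != "") print exact
            else if (wildcard != "") print wildcard
        }
    ' "$map"
}

# Real installation steps, only run where Postfix is present: compile the hash
# map, point smtp_generic_maps at it, and reload so outbound SMTP mail is rewritten.
install_generic_map() {
    map="$1"
    if command -v postmap >/dev/null 2>&1 && command -v postconf >/dev/null 2>&1; then
        postmap "hash:$map" &&
        postconf -e "smtp_generic_maps = hash:$map" &&
        postfix reload
    else
        echo "postmap/postconf not found; skipping install" >&2
        return 1
    fi
}

# Usage: build the map in a scratch directory and check the rewrite offline.
tmp="${TMPDIR:-/tmp}/generic-demo.$$"
mkdir -p "$tmp"
write_generic_map "$tmp/generic" dshield-user@example.org
lookup_generic "$tmp/generic" root@honeypot.example      # dshield-user@example.org
lookup_generic "$tmp/generic" fail2ban@honeypot.example  # rewritten via @domain
lookup_generic "$tmp/generic" root@elsewhere.example     # nothing: left unchanged
```

The map key has to match the sender address as Postfix sees it after appending its origin domain, so check `postconf myorigin` on the reporting host before choosing the left-hand side. smtp_generic_maps is applied only to mail leaving through the Postfix SMTP client, which is why it fixes the address DShield sees without touching locally delivered mail.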
I just want to say that it is quite possible that neither of you are doing anything wrong at all and that the problem is on our end.

I will look into this.
Alex Stanford

136 Posts
Quoting DavidJames:
Did you ever get this to work?

What is your mailer?

The "-- -f email_address" is for sendmail.

I'm using Postfix and found reports were being sent as root. I resorted to using smtp_generic_maps in Postfix to re-write the sending email address from root@somewhere to the email address I have registered with dshield.

I'm now getting submission confirmation emails from dshield like this:

Authorized Userid: <removed>
Format: DSHIELD
Timezone: +00:00

Lines in file: 10
Lines rejected: none
Unique lines written to database: 1
identical lines are added up on import.

Lines written to database (up to 10):
<removed>


Thanks a lot for your input

NOTE: This message indicates that your log submission was parsed. The
data will be imported into the database shortly.

Subject: FORMAT DSHIELD USERID <removed> TZ +00:00 FAIL2BAN
From: <removed>
PGP: NO



However, I'm not seeing anything reported in "My Reports".

What might I still be doing wrong?

I was able to locate a bug with the myreports.html page in regards to the table at the bottom of the page which outputs your reports. As you will now see we did indeed receive the reports you have sent, despite the fact that they did not display there.

Let us know if you continue to have issues.
Alex Stanford

136 Posts
Quoting Alex Stanford:
Quoting DavidJames:
However, I'm not seeing anything reported in "My Reports".

What might I still be doing wrong?

I was able to locate a bug with the myreports.html page in regards to the table at the bottom of the page which outputs your reports. As you will now see we did indeed receive the reports you have sent, despite the fact that they did not display there.

Let us know if you continue to have issues.


Excellent, thank you. I now see 9 lines from a report earlier today.

I'll see what happens when another report gets sent.
DavidJames

2 Posts