Tuesday, November 15, 2016

Fail2ban: save your log into mysql and show it

Required:
  • fail2ban 0.9
  • mysql
  • web server with php (apache with php and mysql library)
Create a user and its database in MySQL, and grant that user all privileges on the database. You can use any existing database; this is only a sample of the database structure:
database name : myf2b

table name: kci_logipv4
  No  field           datatype
  1   logdate         datetime
  2   logipv4         int(11)
  3   logmsg          varchar(1000)
  4   kci_category    int(11)
  5   id              int(11)
  6   codecontinent   char(2)
  7   codecontinent2  char(2)
  8   codecontinent3  char(3)

table name: kci_category
  No  field      datatype
  1   id         int(11)
  2   category   varchar(20)

Note:
  1. IPv4 addresses are stored as a long (32-bit integer), not as text. Beware that MySQL's INT is a signed 32-bit type whatever display width is given in parentheses, so it only holds values up to 2147483647 (127.255.255.255); any address from 128.0.0.0 upward overflows it. Declare logipv4 as INT UNSIGNED if you store the raw ip2long() (PHP) or INET_ATON() (MySQL) value.
  2. The underlined field is the primary key.
Table kci_logipv4 stores every ban that fail2ban reports, and table kci_category classifies each entry by type of attack. Populate kci_category as you wish; these are my categories, for example:
  id  category
  10  SSH
  20  FTP
  30  HTTP/HTTPS
  40  SMTP/POP/IMAP/POP3/S

We need a small application to store every ban fail2ban reports. I use PHP for that. Here is the kci_log.php source code: https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_log.php
That's all. Now create a custom action, mlocaldb.conf, for fail2ban to call kci_log.php. Put mlocaldb.conf in /etc/fail2ban/action.d/; here is mlocaldb.conf: https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/mlocaldb%2Cconf
Note: you need to change this part: 'http://[your_domain]/kci_log.php' >> /home/[user]/logs/curlfail2ban.log
  • 'http://[your_domain]/kci_log.php' is where kci_log.php resides. fail2ban reaches it over plain HTTP, so anyone who can reach that URL can also insert rows; restrict it to the fail2ban host (a web server allow rule, or bind it to localhost) rather than exposing it publicly.
  • /home/[user]/logs/curlfail2ban.log is where the curl output is logged. You can remove it once you are confident everything works.
The final step: edit /etc/fail2ban/jail.conf (or, better, a jail.local override that package upgrades will not overwrite) and add mlocaldb at the end of the action list, for example:
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[name=sshd]
        mlocaldb[category=10]
        abuseipdb[category=4,18,22] 
...
Note: change category to the id you inserted into table kci_category, for example 20 for proftpd.
Show it on your web. This is the kci_logread.php source code to display the log; feel free to modify it: https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_logread.php
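As an added example (not the post's kci_log.php, nor any code from the fail2ban-to-mysql repository), here is an offline model in Python of what the receiving script and the read-out page have to do: validate the address, store it as an unsigned 32-bit integer using bound SQL parameters, and turn it back into dotted form for display. It uses Python's sqlite3 in memory instead of MySQL so it runs without a server; the two tables mirror kci_logipv4 and kci_category, the category ids are the ones from the table above, and the ban rows are constructed sample data. fits_signed_int32() shows the INT versus INT UNSIGNED point from the note.

```python
"""Offline model of the fail2ban -> database logging described above.
Added example: not the post's kci_log.php.  sqlite3 stands in for MySQL;
the sample bans below are constructed."""
import ipaddress
import sqlite3

# Mirrors the post's two tables (sqlite types; MySQL would use
# DATETIME / INT UNSIGNED / VARCHAR).
SCHEMA = """
CREATE TABLE kci_category (
    id       INTEGER PRIMARY KEY,
    category TEXT NOT NULL
);
CREATE TABLE kci_logipv4 (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    logdate      TEXT    NOT NULL,
    logipv4      INTEGER NOT NULL,   -- IPv4 as a 32-bit unsigned integer
    logmsg       TEXT,
    kci_category INTEGER NOT NULL REFERENCES kci_category(id)
);
"""

# The post's category ids.
CATEGORIES = {10: "SSH", 20: "FTP", 30: "HTTP/HTTPS", 40: "SMTP/POP/IMAP/POP3/S"}

# Constructed sample bans: (logdate, ip, category, message).  The category
# is whatever the jail passed as mlocaldb[category=...].
SAMPLE_BANS = [
    ("2016-11-15 08:01:12", "192.168.1.1", 10, "sshd: Failed password for invalid user admin"),
    ("2016-11-15 08:02:40", "10.0.0.1",    10, "sshd: Failed password for root"),
    ("2016-11-15 08:05:03", "203.0.113.7", 20, "proftpd: USER anonymous: no such user"),
    ("2016-11-15 08:07:55", "192.168.1.1", 10, "sshd: Failed password for root"),
]

INT32_MAX = 2**31 - 1


def ipv4_to_int(ip: str) -> int:
    """'192.168.1.1' -> 3232235777.  Raises ValueError for anything that is
    not a dotted-quad IPv4 literal, so junk in the request never reaches SQL."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ipv4(n: int) -> str:
    """Inverse of ipv4_to_int, for display (MySQL: INET_NTOA)."""
    return str(ipaddress.IPv4Address(n))


def fits_signed_int32(n: int) -> bool:
    """True if n fits a signed 32-bit column (MySQL INT).  Any address at or
    above 128.0.0.0 does not, which is why the column should be INT UNSIGNED."""
    return -(2**31) <= n <= INT32_MAX


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO kci_category (id, category) VALUES (?, ?)",
                     CATEGORIES.items())
    return conn


def record_ban(conn, logdate: str, ip: str, category: int, msg: str) -> int:
    """What the receiving script has to do per ban: validate, then insert
    with bound parameters (never string-built SQL).  Returns the new row id."""
    n = ipv4_to_int(ip)                      # ValueError on a bad address
    if conn.execute("SELECT 1 FROM kci_category WHERE id = ?", (category,)).fetchone() is None:
        raise ValueError("unknown category id %r" % (category,))
    cur = conn.execute(
        "INSERT INTO kci_logipv4 (logdate, logipv4, logmsg, kci_category) VALUES (?, ?, ?, ?)",
        (logdate, n, msg[:1000], category))  # varchar(1000) in the post's table
    return cur.lastrowid


def load_sample_bans(conn) -> int:
    for ban in SAMPLE_BANS:
        record_ban(conn, *ban)
    return len(SAMPLE_BANS)


def bans_by_category(conn) -> dict:
    """The per-category count a kci_logread.php-style page would show."""
    rows = conn.execute(
        "SELECT c.category, COUNT(*) FROM kci_logipv4 l "
        "JOIN kci_category c ON c.id = l.kci_category GROUP BY c.category").fetchall()
    return dict(rows)


def top_offenders(conn, limit: int = 5) -> list:
    """(ip, count) pairs, converting the stored integer back to dotted form."""
    rows = conn.execute(
        "SELECT logipv4, COUNT(*) AS n FROM kci_logipv4 GROUP BY logipv4 "
        "ORDER BY n DESC, logipv4 ASC LIMIT ?", (limit,)).fetchall()
    return [(int_to_ipv4(n), c) for n, c in rows]


if __name__ == "__main__":
    db = open_db()
    load_sample_bans(db)
    print(bans_by_category(db))
    print(top_offenders(db))
```

The point of record_ban() is the shape of the receiving endpoint: the address is parsed before it is used, the category id must already exist in kci_category, and every value goes to the driver as a parameter, so the curl request from fail2ban can never alter the SQL.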

See on Github https://github.com/dedetok/fail2ban-to-mysql

Running java class from CLI in Debian

Prerequisite:
To set the Java environment for all users, add or edit these lines in /etc/environment:
JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
CLASSPATH=".:/usr/share/java/mysql.jar:/usr/share/java/postgresql-jdbc4.jar"
I have a Java class, BlockedSSH.class, that requires the mysql.jar library. To run BlockedSSH.class from the CLI with all the Java libraries of the runtime environment on the class path, use the -classpath option:
$ /usr/bin/java -classpath $CLASSPATH:/root/java/ BlockedSSH
Java will then find every library listed in /etc/environment (the file is read by pam_env at login, so log in again after editing it). To check the classpath:
$ set | grep CLASSPATH
CLASSPATH=.:/usr/share/java/mysql.jar:/usr/share/java/postgresql-jdbc4.jar

Tuesday, November 1, 2016

JDK 8: executing command from java

To execute a system or external command we use the Process class. There are two ways to get an instance:
  1. the static method Runtime.getRuntime().exec(...)
  2. ProcessBuilder
Here is example code, TestShell.java, that calls ping or whois under Debian:
import java.util.Map;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.IOException;
import java.io.BufferedReader;
/*
Ref:
http://docs.oracle.com/javase/8/docs/api/java/lang/ProcessBuilder.html
http://www.javatips.net/blog/java-processbuilder-exampl
http://www.mkyong.com/java/how-to-execute-shell-command-from-java/

*/
class TestShell {
  // Read one of the child's pipes line by line and echo it.
  private static void dump(InputStream in) throws IOException {
    try (BufferedReader br = new BufferedReader(new InputStreamReader(in))) {
      String tmp;
      while ((tmp = br.readLine()) != null) {
        System.out.println(tmp);
      }
    }
  }

  public static void main(String[] args) {
    System.out.println("Creating ProcessBuilder Object");
    //ProcessBuilder pb = new ProcessBuilder("whois", "garasiku.web.id");
    // Each argument is handed to the program as-is: no shell is involved,
    // so there is no word splitting or metacharacter interpretation.
    ProcessBuilder pb = new ProcessBuilder("ping", "-c", "4", "www.garasiku.web.id");
    Map<String, String> env = pb.environment();
    System.out.println("size env: "+env.size());
    //Java 8 only, forEach and Lambda
    env.forEach((k,v)->System.out.println("Key : " + k + " Value : " + v));
    try {
      //Process p = Runtime.getRuntime().exec("ping -c 4 www.garasiku.web.id");
      Process p = pb.start();
      System.out.println("dump standard output");
      dump(p.getInputStream());
      System.out.println("dump standard error");
      // stderr is a separate pipe: getErrorStream(), not getInputStream().
      // Draining the two pipes one after the other is fine for ping's small
      // output, but a child that fills the stderr pipe buffer before stdout
      // is drained will block; use pb.redirectErrorStream(true) or read the
      // second pipe on another thread for chatty programs.
      dump(p.getErrorStream());
      // waitFor() blocks until the process exits and returns its exit value
      try {
        int exitValue = p.waitFor();
        System.out.println("Exit Value is " + exitValue);
      } catch (InterruptedException e) {
        e.printStackTrace();
      }
    } catch (IOException e) {
      System.out.println(e.toString());
    }
  }
}
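An added example (not from the post) of the same two points in Python's subprocess module rather than Java, so the behaviour can be tried without a JDK: an argument list, like ProcessBuilder's, hands each argument to the program unchanged, so a shell metacharacter in a value is just data, whereas a command string passed through the shell is not; and stdout and stderr are separate pipes that must both be drained, which run() does concurrently so a chatty child cannot block. The hostname check in validate_target() is this example's own addition (ping and whois would otherwise read a target beginning with '-' as an option); the example assumes a POSIX system with /bin/sh and echo available.

```python
"""Added example, not part of the original post: executing an external
command from Python with the same care the Java ProcessBuilder code needs.
Assumes a POSIX system (/bin/sh, echo)."""
import re
import subprocess
import sys

# Hostname or dotted IPv4 only: letters, digits, dots and hyphens, and the
# first character may not be '-' (ping/whois would take it as an option).
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def validate_target(name: str) -> str:
    """Return name unchanged, or raise ValueError if it is not a plain target.
    This check is the example's own addition, not something ping/whois do."""
    if not TARGET_RE.match(name) or ".." in name:
        raise ValueError("refusing target %r" % (name,))
    return name


def build_ping_argv(target: str, count: int = 4) -> list:
    """Equivalent of new ProcessBuilder("ping", "-c", "4", target)."""
    return ["ping", "-c", str(int(count)), validate_target(target)]


def run_argv(argv, timeout: int = 30) -> subprocess.CompletedProcess:
    """Run argv with no shell.  Both pipes are captured concurrently, so
    neither can fill up and block the child; a non-zero exit does not raise,
    so the caller inspects returncode just as waitFor() returns it."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def demo_exit_and_streams():
    """A child that writes to both pipes and exits 3; returns (rc, out, err)."""
    code = "import sys; print('out'); print('err', file=sys.stderr); sys.exit(3)"
    r = run_argv([sys.executable, "-c", code])
    return r.returncode, r.stdout.strip(), r.stderr.strip()


def demo_injection():
    """The same payload sent two ways.  As an argv element it is echoed
    literally; as part of a shell string it becomes a second command.
    Returns (argv_stdout, shell_stdout_words)."""
    payload = "a; echo INJECTED"
    safe = run_argv(["echo", payload]).stdout.strip()
    unsafe = subprocess.run("echo " + payload, shell=True,
                            capture_output=True, text=True).stdout
    return safe, unsafe.split()


if __name__ == "__main__":
    print(demo_exit_and_streams())
    print(demo_injection())
    print(build_ping_argv("www.garasiku.web.id"))
```

The Java equivalent of the unsafe branch is not Runtime.exec(String) itself (it only splits on whitespace, without a shell) but anything of the form exec("sh -c " + userInput); keep user-supplied values as separate argv elements and validate them before they reach a program that parses options.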

References: