mirror of https://github.com/fail2ban/fail2ban
fix _groupsre not matching escape sequences
It was moved to `nextcloud-common.conf`pull/3581/head
parent
456b570a91
commit
04e8b0ac04
|
@ -5,12 +5,8 @@
|
|||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes
|
||||
before = common.conf
|
||||
before = nextcloud-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
|
||||
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
||||
failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
||||
datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
||||
failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
||||
|
|
|
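Review bot: The new `failregex` bans whatever address Nextcloud wrote into the top-level `"remoteAddr"` key, and nothing in this filter says where that value comes from. Behind a reverse proxy that field presumably depends on Nextcloud's `trusted_proxies` setting, so a misconfigured deployment could end up banning the proxy itself or an address supplied by the client. I would add a comment above the rule, for example `# <HOST> is Nextcloud's "remoteAddr"; behind a reverse proxy verify trusted_proxies so it is the real client address`. The same applies to the "Trusted domain error." rule in the third file section.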
@ -0,0 +1,28 @@
|
|||
# Fail2Ban common filter file for Nextcloud
|
||||
#
|
||||
# Author: Sergey G. Brester (sebres)
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
# Read common prefixes
|
||||
before = common.conf
|
||||
|
||||
[DEFAULT]
|
||||
logging = all
|
||||
|
||||
# logging prefixes
|
||||
# all - universal prefix (logfile, syslog)
|
||||
# logfile - logfile only
|
||||
# syslog - syslog only
|
||||
# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
|
||||
# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
|
||||
nextcloud-prefix-logfile =
|
||||
nextcloud-prefix-syslog = %(__prefix_line)s
|
||||
nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
|
||||
|
||||
nextcloud-prefix = <nextcloud-prefix-<logging>>
|
||||
|
||||
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
|
||||
_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
|
||||
|
||||
datepattern = ^%(nextcloud-prefix)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
|
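Review bot: In the `datepattern` line the `?` that follows `%(nextcloud-prefix)s` binds only to the last atom of whatever the prefix expands to, not to the prefix as a whole. With `logging=logfile` the prefix is defined as empty, so the pattern would presumably begin with `^?\{`, which Python's `re` rejects as "nothing to repeat"; with `logging=syslog` it quantifies only the tail of `__prefix_line`. The `failregex` lines in the other two files already dropped the `?`, so either drop it here as well or group it as `(?:%(nextcloud-prefix)s)?`. A short comment above `_groupsre` would also help, saying that `(?:[^"\\]|\\.)*` consumes backslash escapes so an escaped quote inside a client-controlled value cannot end the string early.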
@ -6,12 +6,8 @@
|
|||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes
|
||||
before = common.conf
|
||||
before = nextcloud-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
|
||||
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
||||
failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
|
||||
datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
||||
failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
|
||||
|
|
|
@ -8,4 +8,7 @@
|
|||
# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
|
||||
# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
|
||||
{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
|
||||
# hypothetical output based on how quotation marks are quoted
|
||||
# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
|
|
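Review bot: These samples run the filter only with its default `logging=all`, so the `logfile` and `syslog` prefix variants defined in `nextcloud-common.conf` are never compiled or matched by the test suite. Unless the part of the file above this hunk already sets it, a line such as `# filterOptions: [{}, {"logging": "logfile"}]` at the top would cover the second variant against the same lines. The trusted-domain sample file in the next section has the same gap.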
@ -4,4 +4,7 @@
|
|||
# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
|
||||
# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
|
||||
{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
|
||||
# hypothetical output based on how quotation marks are quoted
|
||||
# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
|
||||
{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
|