github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

fix _groupsre not matching escape sequences 

It was moved to `nextcloud-common.conf`
pull/3581/head
Eric Wolf 2024-01-20 18:45:51 +01:00
parent 456b570a91
commit 04e8b0ac04
No known key found for this signature in database
GPG Key ID: 80D2DA428A4A537F
5 changed files with 40 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
config/filter.d/nextcloud-auth.conf
View File

@ -5,12 +5,8 @@
[INCLUDES]
# Read common prefixes
before = common.conf
before = nextcloud-common.conf
[Definition]
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:

28
config/filter.d/nextcloud-common.conf Normal file
View File

@ -0,0 +1,28 @@
# Fail2Ban common filter file for Nextcloud
#
# Author: Sergey G. Brester (sebres)
#
[INCLUDES]
# Read common prefixes
before = common.conf
[DEFAULT]
logging = all
# logging prefixes
# all - universal prefix (logfile, syslog)
# logfile - logfile only
# syslog - syslog only
# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
nextcloud-prefix-logfile =
nextcloud-prefix-syslog = %(__prefix_line)s
nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
nextcloud-prefix = <nextcloud-prefix-<logging>>
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
datepattern = ^%(nextcloud-prefix)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

8
config/filter.d/nextcloud-domain.conf
View File

@ -6,12 +6,8 @@
[INCLUDES]
# Read common prefixes
before = common.conf
before = nextcloud-common.conf
[Definition]
# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.

5
fail2ban/tests/files/logs/nextcloud-auth
View File

@ -8,4 +8,7 @@
# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
# hypothetical output based on how quotation marks are quoted
# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}

5
fail2ban/tests/files/logs/nextcloud-domain
View File

@ -4,4 +4,7 @@
# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
# hypothetical output based on how quotation marks are quoted
# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}