From 04e8b0ac04f106617f4f77330c1d4874bd1570c9 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Sat, 20 Jan 2024 18:45:51 +0100
Subject: [PATCH] fix _groupsre not matching escape sequences

It was moved to `nextcloud-common.conf`
---
 config/filter.d/nextcloud-auth.conf | 8 ++-----
 config/filter.d/nextcloud-common.conf | 28 ++++++++++++++++++++++
 config/filter.d/nextcloud-domain.conf | 8 ++-----
 fail2ban/tests/files/logs/nextcloud-auth | 5 +++-
 fail2ban/tests/files/logs/nextcloud-domain | 5 +++-
 5 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100644 config/filter.d/nextcloud-common.conf

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index acb301b7..588fb8c9 100644
--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -5,12 +5,8 @@
 [INCLUDES]
-# Read common prefixes
-before = common.conf
+before = nextcloud-common.conf
 [Definition]
-# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
-datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
diff --git a/config/filter.d/nextcloud-common.conf b/config/filter.d/nextcloud-common.conf
new file mode 100644
index 00000000..749329d5
--- /dev/null
+++ b/config/filter.d/nextcloud-common.conf
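Review bot: The new `failregex` drops the `?` that the old `^%(__prefix_line)s?` carried, while `datepattern` in nextcloud-common.conf keeps it as `^%(nextcloud-prefix)s?`; with the default `logging = all` the prefix group already has an empty alternative so both forms behave the same, but under `logging=syslog` the prefix becomes mandatory for failregex and optional for datepattern. Pick one form for both lines — dropping the `?` from `datepattern` looks cleanest, since `nextcloud-prefix-all` already covers the no-prefix case. The same applies to the identical change in nextcloud-domain.conf. Note also that `"remoteAddr":""` as rendered here has nothing between the quotes to capture the host; if that is an extraction artefact of an angle-bracket tag it is fine, otherwise the regex would never capture an address to ban.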
@@ -0,0 +1,28 @@
+# Fail2Ban common filter file for Nextcloud
+#
+# Author: Sergey G. Brester (sebres)
+#
+
+[INCLUDES]
+# Read common prefixes
+before = common.conf
+
+[DEFAULT]
+logging = all
+
+# logging prefixes
+# all - universal prefix (logfile, syslog)
+# logfile - logfile only
+# syslog - syslog only
+# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
+# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
+nextcloud-prefix-logfile =
+nextcloud-prefix-syslog = %(__prefix_line)s
+nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
+
+nextcloud-prefix = >
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
+
+datepattern = ^%(nextcloud-prefix)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
index b077b07a..7d8ce4da 100644
--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -6,12 +6,8 @@
 [INCLUDES]
-# Read common prefixes
-before = common.conf
+before = nextcloud-common.conf
 [Definition]
-# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
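Review bot: `_groupsre` deserves a comment explaining why the string alternative is now `"(?:[^"\\]|\\.)*"` rather than `"[^"]+"`: a backslash always consumes the character after it, so an escaped quote inside a user-controlled field (username, URL, Host header — see the fixtures carrying `\"remoteAddr\":\"127.0.0.1\"` inside `message`) can no longer end the value early, which with the old pattern made the whole line fail to match and the real `remoteAddr` go unbanned. Suggested line above it: `# string values are matched escape-aware so a \" or \\ in an attacker-controlled field cannot terminate the value early or hide the real "remoteAddr"`. Worth noting in the same comment that values are only matched as strings or bare words (`\w+`), so a nested object or array (e.g. `"data":{"app":"core"}` in the fixtures) appearing before `remoteAddr`, `message` or `time` makes the line not match — a missed detection, never a false ban. Separately, `nextcloud-prefix = >` as shown has nothing but `>` after the `=`; if an angle-bracket interpolation selecting one of the `nextcloud-prefix-*` entries by `logging` was lost in rendering this is fine, otherwise the prefix is the literal character `>` and neither failregex nor datepattern would ever match.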
diff --git a/fail2ban/tests/files/logs/nextcloud-auth b/fail2ban/tests/files/logs/nextcloud-auth
index c4440e9d..f1ac6d56 100644
--- a/fail2ban/tests/files/logs/nextcloud-auth
+++ b/fail2ban/tests/files/logs/nextcloud-auth
@@ -8,4 +8,7 @@
 # failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
 {"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
 # failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
-{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11;
Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-domain b/fail2ban/tests/files/logs/nextcloud-domain
index 16654674..8368a678 100644
--- a/fail2ban/tests/files/logs/nextcloud-domain
+++ b/fail2ban/tests/files/logs/nextcloud-domain
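Review bot: The added fixture line is labelled `# hypothetical output based on how quotation marks are quoted`, so the escape-aware `_groupsre` is validated here only against an assumed encoding of `\"` and `\\` in `url`, not against a line Nextcloud actually produced. A real log line with a quote or backslash in a user-controlled field would make this regression test authoritative; until then the `hypothetical` comment should stay so nobody mistakes it for captured output. The same applies to the fixture appended in fail2ban/tests/files/logs/nextcloud-domain.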
@@ -4,4 +4,7 @@
 # failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
 {"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
 # failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
-{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file