diff --git a/ChangeLog b/ChangeLog index d1aa66c55..96c58bb59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -73,6 +73,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition * new filter and jail for GitLab recognizing failed application logins (gh-2689) * new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723) * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631) +* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778) * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; * datetemplate: improved anchor detection for capturing groups `(^...)`; * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf index 29bd4be8a..b0651c8e7 100644 --- a/config/filter.d/bitwarden.conf +++ b/config/filter.d/bitwarden.conf @@ -2,5 +2,12 @@ # Detecting failed login attempts # Logged in bwdata/logs/identity/Identity/log.txt +[INCLUDES] +before = common.conf + [Definition] -failregex = ^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. $ +_daemon = Bitwarden-Identity +failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. $ + +# DEV Notes: +# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once. diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden index 3642b3bfb..0fede6c66 100644 --- a/fail2ban/tests/files/logs/bitwarden +++ b/fail2ban/tests/files/logs/bitwarden @@ -3,3 +3,9 @@ # failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } 2019-11-25 21:39:58.464 +01:00 [WRN] Failed login attempt, 2FA invalid. 192.168.0.21 + +# failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } +2019-11-25 21:39:58.464 +01:00 [Warning] Failed login attempt, 2FA invalid. 192.168.0.21 + +# failJSON: { "time": "2019-09-24T13:16:50", "match": true , "host": "192.168.0.23" } +2019-09-24T13:16:50 e5a81dbf7fd1 Bitwarden-Identity[1]: [Bit.Core.IdentityServer.ResourceOwnerPasswordValidator] Failed login attempt. 192.168.0.23