code review, makes the test cases workable, added dev-notes

config/filter.d/mongodb-auth.conf

@@ -9,17 +9,31 @@
 # auth = true
 #
 
-[Init]
-maxlines = 10
-
 [Definition]
-failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]*<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
+#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
 
 ignoreregex =
 
 
+[Init]
+maxlines = 10
+
 # DEV Notes:
 #
+# Regarding the multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious.
+#
+# Note the capture __connid, includes the connection ID, used in second part of regex.
+#
+# The first regex is commented out (but will match also), because it is better to use
+# the host from "end connection" line (uncommented above):
+#  -  it has the same prefix, searching begins directly with failure message
+#     (so faster, because ignores success connections at all)
+#  -  it is not so vulnerable in case of possible race condition
+#
 # Log example:
 # 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
 # 2016-10-20T09:54:27.109+0200 [conn1]  authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
@@ -30,6 +44,6 @@ ignoreregex =
 # 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
 # 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
 #
-# Authors: Alexander Finkhäuser and sebres
+# Authors: Alexander Finkhäuser
-#
+#          Sergey G. Brester (sebres)
 

fail2ban/tests/files/logs/mongodb-auth

@@ -1,24 +1,30 @@
-# failJSON: { "time": "2016-11-20T00:04:00", "match": true , "host": "192.168.1.35" }
+# failJSON: { "match": false }
-2016-11-20T00:04:00.110+0200 [conn1] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
+2016-11-20T00:04:00.110+0100 [conn1] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
-2016-11-20T00:04:00.111+0200 [conn1] end connection 192.168.1.35:53276 (0 connections now open)
+# failJSON: { "time": "2016-11-20T00:04:00", "match": true , "host": "192.0.2.35" }
+2016-11-20T00:04:00.111+0100 [conn1] end connection 192.0.2.35:53276 (0 connections now open)
 
-# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.171" }
+# failJSON: { "match": false }
-2016-11-20T00:24:00.110+0200 [conn5] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
+2016-11-20T00:24:00.110+0100 [conn5] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
-2016-11-20T00:24:00.111+0200 [conn5] end connection 220.95.238.171:53276 (0 connections now open)
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "192.0.2.171" }
+2016-11-20T00:24:00.111+0100 [conn5] end connection 192.0.2.171:53276 (0 connections now open)
 
-# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.176" }
+# failJSON: { "match": false }
-2016-11-20T00:24:00.110+0200 [conn334] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+2016-11-20T00:24:00.110+0100 [conn334] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
-2016-11-20T00:24:00.111+0200 [conn334] end connection 220.95.238.176:53276 (0 connections now open)
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "192.0.2.176" }
+2016-11-20T00:24:00.111+0100 [conn334] end connection 192.0.2.176:53276 (0 connections now open)
 
-# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "167.96.268.1" }
+# failJSON: { "match": false }
-2016-11-20T00:24:00.110+0200 [conn56] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+2016-11-20T00:24:00.110+0100 [conn56] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
-2016-11-20T00:24:00.111+0200 [conn56] end connection 167.96.268.1:53276 (0 connections now open)
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "192.0.2.1" }
+2016-11-20T00:24:00.111+0100 [conn56] end connection 192.0.2.1:53276 (0 connections now open)
 
-# failJSON: { "time": "2016-11-20T00:24:00", "match": false , "host": "127.0.0.1" }
+# failJSON: { "match": false }
-2016-11-10T12:54:02.370+0100 [initandlisten] connection accepted from 127.0.0.1:58774 #2261 (1 connection now open)
+2016-11-20T12:54:02.370+0100 [initandlisten] connection accepted from 127.0.0.1:58774 #2261 (1 connection now open)
-2016-11-10T12:54:02.370+0100 [conn2261] end connection 127.0.0.1:58774 (0 connections now open)
+# failJSON: { "match": false }
+2016-11-20T12:54:02.370+0100 [conn2261] end connection 127.0.0.1:58774 (0 connections now open)
 
-# failJSON: { "time": "2016-11-10T13:07:49", "match": false , "host": "177.13.20.178" }
+# failJSON: { "match": false }
-2016-11-10T13:07:49.781+0100 [conn2271]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+2016-11-20T13:07:49.781+0100 [conn2271]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
-2016-11-10T13:07:49.834+0100 [conn2271] end connection 177.13.20.178:60268 (3 connections now open)
+# failJSON: { "time": "2016-11-20T13:07:49", "match": false , "host": "192.0.2.178" }
+2016-11-20T13:07:49.834+0100 [conn2271] end connection 192.0.2.178:60268 (3 connections now open)