From 8c407665119e37dd3f27433bc20bac813c9d3c05 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 10 Nov 2016 06:29:42 +0100 Subject: [PATCH 1/4] Add Mongodb-auth filter and jail --- config/filter.d/mongodb-auth.conf | 28 ++++++++++++++++++++++++++++ config/jail.conf | 12 ++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 config/filter.d/mongodb-auth.conf diff --git a/config/filter.d/mongodb-auth.conf b/config/filter.d/mongodb-auth.conf new file mode 100644 index 00000000..77443f9c --- /dev/null +++ b/config/filter.d/mongodb-auth.conf @@ -0,0 +1,28 @@ +# Fail2Ban filter for unsuccesfull MongoDB authentication attempts +# +# + +[Init] +maxlines = 10 + +[Definition] +failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]*\s+\[conn(?P=__connid)\] end connection + +ignoreregex = + + +# DEV Notes: +# +# Log example: +# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open) +# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } +# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test +# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open) +# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open) +# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } +# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch +# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open) +# +# Authors: Alexander Finkhäuser and sebres +# + diff --git a/config/jail.conf b/config/jail.conf index 41d8d3b8..50ecbd72 100644 --- a/config/jail.conf 
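Review bot: The failregex in the new filter.d/mongodb-auth.conf only scores a failure when a `Failed to authenticate` line is followed by the same connection's `end connection` line, so as far as I can tell from the regex a client that keeps one socket open and issues `authenticate` repeatedly produces many failure lines but at most one match, and `maxretry` is effectively counted per closed connection rather than per attempt. The failure line itself carries no client address (the Log example shows only `root@test`), so this cannot be fixed by matching it alone; it deserves a line in the DEV Notes, e.g. `# NOTE: one match per closed connection, not per attempt - a client holding the socket open can keep retrying until it disconnects`, and a low maxretry recommendation in the jail. Also `unsuccesfull` in the header comment should read `unsuccessful`.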
+++ b/config/jail.conf @@ -731,6 +731,18 @@ logpath = %(mysql_log)s backend = %(mysql_backend)s +# Log wrong MongoDB auth +# Logfile /var/log/mongodb/mongodb.log +# add setting in /etc/mongodb.conf +# logpath=/var/log/mongodb/mongodb.log +# +# and use of the authentication +# auth = true +[mongodb-auth] +port = 27017 +logpath = /var/log/mongodb/mongodb.log + + # Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local From 8ac28e5dcb73a70cc5caa8ff8df60ed5b901a9d6 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 10 Nov 2016 13:09:32 +0100 Subject: [PATCH 2/4] Make changes and add test file --- config/filter.d/mongodb-auth.conf | 7 +++++++ config/jail.conf | 8 +------- fail2ban/tests/files/logs/mongodb-auth | 24 ++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 7 deletions(-) create mode 100644 fail2ban/tests/files/logs/mongodb-auth diff --git a/config/filter.d/mongodb-auth.conf b/config/filter.d/mongodb-auth.conf index 77443f9c..43462e73 100644 --- a/config/filter.d/mongodb-auth.conf +++ b/config/filter.d/mongodb-auth.conf @@ -1,5 +1,12 @@ # Fail2Ban filter for unsuccesfull MongoDB authentication attempts # +# Logfile /var/log/mongodb/mongodb.log +# +# add setting in /etc/mongodb.conf +# logpath=/var/log/mongodb/mongodb.log +# +# and use of the authentication +# auth = true # [Init] diff --git a/config/jail.conf b/config/jail.conf index 50ecbd72..0778a318 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -731,13 +731,7 @@ logpath = %(mysql_log)s backend = %(mysql_backend)s -# Log wrong MongoDB auth -# Logfile /var/log/mongodb/mongodb.log -# add setting in /etc/mongodb.conf -# logpath=/var/log/mongodb/mongodb.log -# -# and use of the authentication -# auth = true +# Log wrong MongoDB auth (for details how ... see filter ...) [mongodb-auth] port = 27017 logpath = /var/log/mongodb/mongodb.log 
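Review bot: The new `[mongodb-auth]` jail hard-codes `logpath = /var/log/mongodb/mongodb.log`, while the jail directly above it takes its path from the shared path variables (context lines `logpath = %(mysql_log)s`, `backend = %(mysql_backend)s`), so distro overrides of the log location will not apply here. The package default log name also varies between MongoDB versions (newer packages use `mongod.log`, if I remember correctly), which is exactly what the per-distro paths files exist for. Proposed: `logpath = %(mongodb_log)s` here plus `mongodb_log = /var/log/mongodb/mongodb.log` in the paths-*.conf file that defines `mysql_log`.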
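Review bot: The setup comment moved into the filter header tells the reader to put `auth = true` in `/etc/mongodb.conf`, which is the legacy key=value config syntax; a MongoDB installation using the YAML config file (the common format on recent versions, as far as I recall) spells this `security.authorization: enabled` and the log path `systemLog.path`, and the legacy key is not accepted there. Since the filter is useless unless authentication is actually enforced, the comment should cover both, e.g. `# legacy config: auth = true` / `# YAML config: security.authorization: enabled (and systemLog.path for the log file)`.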
diff --git a/fail2ban/tests/files/logs/mongodb-auth b/fail2ban/tests/files/logs/mongodb-auth
new file mode 100644
index 00000000..a9c7b99b
--- /dev/null
+++ b/fail2ban/tests/files/logs/mongodb-auth
@@ -0,0 +1,24 @@
+# failJSON: { "time": "2016-11-20T00:04:00", "match": true , "host": "192.168.1.35" }
+2016-11-20T00:04:00.110+0200 [conn1] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
+2016-11-20T00:04:00.111+0200 [conn1] end connection 192.168.1.35:53276 (0 connections now open)
+
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.171" }
+2016-11-20T00:24:00.110+0200 [conn5] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin
+2016-11-20T00:24:00.111+0200 [conn5] end connection 220.95.238.171:53276 (0 connections now open)
+
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.176" }
+2016-11-20T00:24:00.110+0200 [conn334] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+2016-11-20T00:24:00.111+0200 [conn334] end connection 220.95.238.176:53276 (0 connections now open)
+
+# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "167.96.268.1" }
+2016-11-20T00:24:00.110+0200 [conn56] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+2016-11-20T00:24:00.111+0200 [conn56] end connection 167.96.268.1:53276 (0 connections now open)
+
+# failJSON: { "time": "2016-11-20T00:24:00", "match": false , "host": "127.0.0.1" }
+2016-11-10T12:54:02.370+0100 [initandlisten] connection accepted from 127.0.0.1:58774 #2261 (1 connection now open)
+2016-11-10T12:54:02.370+0100 [conn2261] end connection 127.0.0.1:58774 (0 connections now open)
+
+# failJSON: { "time": "2016-11-10T13:07:49", "match": false , "host": "177.13.20.178" }
+2016-11-10T13:07:49.781+0100 [conn2271] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+2016-11-10T13:07:49.834+0100 [conn2271] end connection 177.13.20.178:60268 (3 connections now open)
+
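Review bot: The fixtures only ever put one `Failed to authenticate` line in front of each `end connection` line, so they do not pin what the filter does with a connection that fails several times before closing, which is the normal shape of a brute-force session. Since the regex joins the failure line to the `end connection` line with `\s+`, I would expect only the last failure of such a connection to match; a block with two `[connN] Failed to authenticate ...` lines followed by one `[connN] end connection ...` line (first failure `# failJSON: { "match": false }`, end line `"match": true`) would document that `maxretry` is counted per connection rather than per attempt and would catch a later regex change that silently alters it.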
From 425170cef3d9c2f3ac98361d931111575a8a8fc2 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 28 Nov 2016 18:37:12 +0100 Subject: [PATCH 3/4] code review, makes the test cases workable, added dev-notes --- config/filter.d/mongodb-auth.conf | 26 ++++++++++++---- fail2ban/tests/files/logs/mongodb-auth | 42 +++++++++++++++----------- 2 files changed, 44 insertions(+), 24 deletions(-) diff --git a/config/filter.d/mongodb-auth.conf b/config/filter.d/mongodb-auth.conf index 43462e73..66c27abb 100644 --- a/config/filter.d/mongodb-auth.conf +++ b/config/filter.d/mongodb-auth.conf @@ -9,17 +9,31 @@ # auth = true # -[Init] -maxlines = 10 - [Definition] -failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]*\s+\[conn(?P=__connid)\] end connection +#failregex = ^\s+\[initandlisten\] connection accepted from :\d+ \#(?P<__connid>\d+) \(1 connection now open\)\s+\[conn(?P=__connid)\] Failed to authenticate\s+ +failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+\s+\[conn(?P=__connid)\] end connection ignoreregex = +[Init] +maxlines = 10 + # DEV Notes: # +# Regarding the multiline regex: +# +# There can be a nunber of non-related lines between the first and second part +# of this regex maxlines of 10 is quite generious. +# +# Note the capture __connid, includes the connection ID, used in second part of regex. +# +# The first regex is commented out (but will match also), because it is better to use +# the host from "end connection" line (uncommented above): +# - it has the same prefix, searching begins directly with failure message +# (so faster, because ignores success connections at all) +# - it is not so vulnerable in case of possible race condition +# # Log example: # 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open) # 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } 
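Review bot: The DEV Notes added in this hunk say there can be a number of non-related lines between the two parts of the regex, but the joiner between `Failed to authenticate [^\n]+` and `\[conn(?P=__connid)\] end connection` is `\s+`, which admits only whitespace, so as written the `end connection` line has to immediately follow the failure line once the dates are stripped (every fixture pair in the tests is adjacent). Either the note is wrong and `maxlines = 10` is dead weight, or the joiner should tolerate interleaved lines, e.g. `failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+\n(?:[^\n]*\n)*?\s*\[conn(?P=__connid)\] end connection` followed by the host part, at which point maxlines actually bounds the search; I cannot confirm from this diff how fail2ban joins the buffered lines, so please verify one way or the other and make the note agree with the regex. Typos in the same note: `nunber` → `number`, `generious` → `generous`.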
@@ -30,6 +44,6 @@ ignoreregex = # 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch # 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open) # -# Authors: Alexander Finkhäuser and sebres -# +# Authors: Alexander Finkhäuser +# Sergey G. Brester (sebres) diff --git a/fail2ban/tests/files/logs/mongodb-auth b/fail2ban/tests/files/logs/mongodb-auth index a9c7b99b..8a308892 100644 --- a/fail2ban/tests/files/logs/mongodb-auth +++ b/fail2ban/tests/files/logs/mongodb-auth 
@@ -1,24 +1,30 @@ -# failJSON: { "time": "2016-11-20T00:04:00", "match": true , "host": "192.168.1.35" } -2016-11-20T00:04:00.110+0200 [conn1] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin -2016-11-20T00:04:00.111+0200 [conn1] end connection 192.168.1.35:53276 (0 connections now open) +# failJSON: { "match": false } +2016-11-20T00:04:00.110+0100 [conn1] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin +# failJSON: { "time": "2016-11-20T00:04:00", "match": true , "host": "192.0.2.35" } +2016-11-20T00:04:00.111+0100 [conn1] end connection 192.0.2.35:53276 (0 connections now open) -# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.171" } -2016-11-20T00:24:00.110+0200 [conn5] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin -2016-11-20T00:24:00.111+0200 [conn5] end connection 220.95.238.171:53276 (0 connections now open) +# failJSON: { "match": false } +2016-11-20T00:24:00.110+0100 [conn5] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@admin +# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "192.0.2.171" } +2016-11-20T00:24:00.111+0100 [conn5] end connection 192.0.2.171:53276 (0 connections now open) -# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "220.95.238.176" } -2016-11-20T00:24:00.110+0200 [conn334] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch -2016-11-20T00:24:00.111+0200 [conn334] end connection 220.95.238.176:53276 (0 connections now open) +# failJSON: { "match": false } +2016-11-20T00:24:00.110+0100 [conn334] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch +# failJSON: { "time": 
"2016-11-20T00:24:00", "match": true , "host": "192.0.2.176" } +2016-11-20T00:24:00.111+0100 [conn334] end connection 192.0.2.176:53276 (0 connections now open) -# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "167.96.268.1" } -2016-11-20T00:24:00.110+0200 [conn56] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch -2016-11-20T00:24:00.111+0200 [conn56] end connection 167.96.268.1:53276 (0 connections now open) +# failJSON: { "match": false } +2016-11-20T00:24:00.110+0100 [conn56] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch +# failJSON: { "time": "2016-11-20T00:24:00", "match": true , "host": "192.0.2.1" } +2016-11-20T00:24:00.111+0100 [conn56] end connection 192.0.2.1:53276 (0 connections now open) -# failJSON: { "time": "2016-11-20T00:24:00", "match": false , "host": "127.0.0.1" } -2016-11-10T12:54:02.370+0100 [initandlisten] connection accepted from 127.0.0.1:58774 #2261 (1 connection now open) -2016-11-10T12:54:02.370+0100 [conn2261] end connection 127.0.0.1:58774 (0 connections now open) +# failJSON: { "match": false } +2016-11-20T12:54:02.370+0100 [initandlisten] connection accepted from 127.0.0.1:58774 #2261 (1 connection now open) +# failJSON: { "match": false } +2016-11-20T12:54:02.370+0100 [conn2261] end connection 127.0.0.1:58774 (0 connections now open) -# failJSON: { "time": "2016-11-10T13:07:49", "match": false , "host": "177.13.20.178" } -2016-11-10T13:07:49.781+0100 [conn2271] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } -2016-11-10T13:07:49.834+0100 [conn2271] end connection 177.13.20.178:60268 (3 connections now open) +# failJSON: { "match": false } +2016-11-20T13:07:49.781+0100 [conn2271] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } +# failJSON: { "time": "2016-11-20T13:07:49", "match": false , "host": "192.0.2.178" } +2016-11-20T13:07:49.834+0100 [conn2271] 
end connection 192.0.2.178:60268 (3 connections now open) From 67c14afd8ee1c1cd3edc417474ab7afc65e1b393 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 28 Nov 2016 18:51:23 +0100 Subject: [PATCH 4/4] ChangeLog entry added + jail.conf review --- ChangeLog | 4 ++++ config/jail.conf | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2a6b5733..45d3ad99 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,10 @@ releases. * New Actions: - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD +* New Filters: + - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine) + + ### Enhancements * DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary diff --git a/config/jail.conf b/config/jail.conf index 0778a318..4d9f3345 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -731,8 +731,9 @@ logpath = %(mysql_log)s backend = %(mysql_backend)s -# Log wrong MongoDB auth (for details how ... see filter ...) +# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] +# change port when running with "--shardsvr" or "--configsvr" runtime operation port = 27017 logpath = /var/log/mongodb/mongodb.log
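Review bot: The reworked fixtures never exercise the `(?P=__connid)` backreference negatively: every `Failed to authenticate` line is directly followed by the `end connection` line of the same connection, so a regex that dropped the backreference would pass exactly the same tests. Add an interleaved case, `[conn7] Failed to authenticate ...` followed by `[conn8] end connection 192.0.2.8:53276 (...)` with `# failJSON: { "match": false }` on the latter, so the tests prove that a failure is never attributed to another client's address, which is the whole point of the conn-id capture and of the race-condition remark in the filter's DEV Notes. This hunk's trailing context runs into the next patch header on the same physical line.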
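Review bot: The new comment above `port` in `[mongodb-auth]` tells the reader to change the port for `--shardsvr` or `--configsvr` but not to what, so it sends them off to the docs for the one fact the comment exists to supply; as far as I recall those modes default to 27018 and 27019, so `# mongod listens on 27017 by default, 27018 with --shardsvr and 27019 with --configsvr (verify against your config)` would be more useful. If I remember correctly fail2ban accepts a comma-separated `port` list, which is worth mentioning for hosts that run more than one role, since a ban that only covers 27017 leaves the other listeners reachable.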