From f89d58e51cdcaab92da1648e068fc9bea3f1318d Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Mon, 25 Sep 2023 00:29:52 +0200
Subject: [PATCH 1/8] add nextcloud filters

The filters are based on the one in the hardening guide but split to allow different jails.
---
 config/filter.d/nextcloud-auth.conf | 18 ++++++++++++++++++
 config/filter.d/nextcloud-domain.conf | 19 +++++++++++++++++++
 fail2ban/tests/files/logs/nextcloud-auth | 11 +++++++++++
 fail2ban/tests/files/logs/nextcloud-domain | 7 +++++++
 4 files changed, 55 insertions(+)
 create mode 100644 config/filter.d/nextcloud-auth.conf
 create mode 100644 config/filter.d/nextcloud-domain.conf
 create mode 100644 fail2ban/tests/files/logs/nextcloud-auth
 create mode 100644 fail2ban/tests/files/logs/nextcloud-domain

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
new file mode 100644
index 00000000..d20011b8
--- /dev/null
+++ b/config/filter.d/nextcloud-auth.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for Nextcloud login failures
+#
+# Author: Eric Wolf
+#
+
+[INCLUDES]
+
+# Read common prefixes
+before = common.conf
+
+after = nextcloud-auth.local
+
+[Definition]
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
new file mode 100644
index 00000000..2133a107
--- /dev/null
+++ b/config/filter.d/nextcloud-domain.conf
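Review bot: The `failregex` added here reads `"remoteAddr":""` with nothing between the quotes, so as shown it captures no host at all; fail2ban rejects a failregex that has no failure-id group, and the hardening guide this line cites writes `"remoteAddr":"<HOST>"`. The same empty `""` appears in the nextcloud-domain filter on the next hunk and survives unchanged into the patch-5 and patch-6 rewrites of both filters, which strongly suggests the angle-bracket tag was stripped when the patch was rendered rather than omitted by the author, but that should be confirmed against the raw patch before merging. If the tag really is absent, the fix is the one-token change to `"remoteAddr":"<HOST>"` in both `failregex` lines.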
@@ -0,0 +1,19 @@
+# Fail2Ban filter file for Nextcloud trusted domain errors
+#
+# Author: Eric Wolf
+# Notice: Nextcloud log level has to be configured to include infos
+#
+
+[INCLUDES]
+
+# Read common prefixes
+before = common.conf
+
+after = nextcloud-domain.local
+
+[Definition]
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-auth b/fail2ban/tests/files/logs/nextcloud-auth
new file mode 100644
index 00000000..c4440e9d
--- /dev/null
+++ b/fail2ban/tests/files/logs/nextcloud-auth
@@ -0,0 +1,11 @@
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T20:34:37+00:00","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T22:58:33.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"FjzPcU7QINXYX3HhwOkO","level":2,"time":"2023-09-24T20:58:33+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: \"remoteAddr\":\"127.0.0.1\" (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-domain b/fail2ban/tests/files/logs/nextcloud-domain
new file mode 100644
index 00000000..16654674
--- /dev/null
+++ b/fail2ban/tests/files/logs/nextcloud-domain
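Review bot: Every sample in this fixture (and in the nextcloud-domain fixture on the next hunk) is `"match": true`, so the injection-style lines only prove that a spoofed `\"remoteAddr\":\"127.0.0.1\"` inside `message` cannot displace the real host; nothing pins that a line which is not a login failure is left alone. One `# failJSON: { "match": false }` sample with the same JSON shape but a different `message` (or a different log level) would catch a future regex edit that silently widens the match. The fixture is also written without a trailing newline, which patch 6 of this series then has to re-add as a changed line; ending it with a newline now keeps later diffs to the genuinely new samples.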
@@ -0,0 +1,7 @@
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
+# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file
From 9ff686cbb41be465e3029f3d06c6b11962cd83a2 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Mon, 25 Sep 2023 00:40:01 +0200
Subject: [PATCH 2/8] add nextcloud jails

---
 config/jail.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 01e1fdf7..936da047 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -898,6 +898,15 @@ logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
 backend = %(syslog_backend)s
 maxretry = 1
 
+[nextcloud-auth]
+# logpath depends on the installation
+port = http,https
+protocol = tcp
+
+[nextcloud-domain]
+# logpath depends on the installation
+port = http,https
+protocol = tcp
 
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
From 5c9fd4e2abbaaca5d2c424b8c2c921fa814b9614 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Thu, 18 Jan 2024 21:45:00 +0100
Subject: [PATCH 3/8] correct author

---
 config/filter.d/nextcloud-auth.conf | 2 +-
 config/filter.d/nextcloud-domain.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index d20011b8..6b85af91 100644
--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -1,6 +1,6 @@
 # Fail2Ban filter file for Nextcloud login failures
 #
-# Author: Eric Wolf
+# Author: Sergey G. Brester (sebres)
 #
 
 [INCLUDES]
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
index 2133a107..6010850c 100644
--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -1,6 +1,6 @@
 # Fail2Ban filter file for Nextcloud trusted domain errors
 #
-# Author: Eric Wolf
+# Author: Sergey G. Brester (sebres) and eibex
 # Notice: Nextcloud log level has to be configured to include infos
 #
 
From dd4d80fe27a9e272bd26b1e6ef05eba5f5846f57 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Thu, 18 Jan 2024 21:46:53 +0100
Subject: [PATCH 4/8] remove superfluous includes

---
 config/filter.d/nextcloud-auth.conf | 2 --
 config/filter.d/nextcloud-domain.conf | 2 --
 2 files changed, 4 deletions(-)

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index 6b85af91..3eff0772 100644
--- a/config/filter.d/nextcloud-auth.conf
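Review bot: Neither `[nextcloud-auth]` nor `[nextcloud-domain]` sets `logpath`, and `# logpath depends on the installation` is the only hint; a jail enabled without a `logpath` fails at start, and unlike the neighbouring jails (the hunk header shows `logpath = %(syslog_daemon)s` just above) there is no `%(...)s` default to inherit. Nextcloud writes its JSON log to `nextcloud.log` inside its data directory by default, so a comment such as `# logpath = <nextcloud data directory>/nextcloud.log` would tell the operator what to point the jail at while keeping the installation-specific part a placeholder. `protocol = tcp` repeats what the file's `[DEFAULT]` section already sets, if that default is unchanged, and could be dropped for consistency with the surrounding jails. Finally, the domain jail bans on `Trusted domain error`, which is also produced by a reverse proxy forwarding an unexpected Host header or by a hostname not yet listed in `trusted_domains`; a one-line comment on `[nextcloud-domain]` pointing this out would save operators from banning their own clients.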
+++ b/config/filter.d/nextcloud-auth.conf
@@ -8,8 +8,6 @@
 # Read common prefixes
 before = common.conf
 
-after = nextcloud-auth.local
-
 [Definition]
 
 # based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
index 6010850c..b73164bd 100644
--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -9,8 +9,6 @@
 # Read common prefixes
 before = common.conf
 
-after = nextcloud-domain.local
-
 [Definition]
 
 # based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
From 456b570a91a6e296d0c8d5553a18ffdef29e9477 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Thu, 18 Jan 2024 22:02:13 +0100
Subject: [PATCH 5/8] anchor date pattern

---
 config/filter.d/nextcloud-auth.conf | 2 +-
 config/filter.d/nextcloud-domain.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index 3eff0772..acb301b7 100644
--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -13,4 +13,4 @@ before = common.conf
 # based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
 _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
 failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
index b73164bd..b077b07a 100644
--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -14,4 +14,4 @@ before = common.conf
 # based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
 _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
 failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
From 04e8b0ac04f106617f4f77330c1d4874bd1570c9 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Sat, 20 Jan 2024 18:45:51 +0100
Subject: [PATCH 6/8] fix _groupsre not matching escape sequences

It was moved to `nextcloud-common.conf`
---
 config/filter.d/nextcloud-auth.conf | 8 ++-----
 config/filter.d/nextcloud-common.conf | 28 ++++++++++++++++++++++
 config/filter.d/nextcloud-domain.conf | 8 ++-----
 fail2ban/tests/files/logs/nextcloud-auth | 5 +++-
 fail2ban/tests/files/logs/nextcloud-domain | 5 +++-
 5 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100644 config/filter.d/nextcloud-common.conf

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index acb301b7..588fb8c9 100644
--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -5,12 +5,8 @@
 
 [INCLUDES]
 
-# Read common prefixes
-before = common.conf
+before = nextcloud-common.conf
 
 [Definition]
 
-# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
-datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
diff --git a/config/filter.d/nextcloud-common.conf b/config/filter.d/nextcloud-common.conf
new file mode 100644
index 00000000..749329d5
--- /dev/null
+++ b/config/filter.d/nextcloud-common.conf
@@ -0,0 +1,28 @@
+# Fail2Ban common filter file for Nextcloud
+#
+# Author: Sergey G. Brester (sebres)
+#
+
+[INCLUDES]
+# Read common prefixes
+before = common.conf
+
+[DEFAULT]
+logging = all
+
+# logging prefixes
+# all - universal prefix (logfile, syslog)
+# logfile - logfile only
+# syslog - syslog only
+# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
+# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
+nextcloud-prefix-logfile =
+nextcloud-prefix-syslog = %(__prefix_line)s
+nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
+
+nextcloud-prefix = >
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
+
+datepattern = ^%(nextcloud-prefix)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
index b077b07a..7d8ce4da 100644
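Review bot: `nextcloud-prefix = >` in the new nextcloud-common.conf is not a usable value on its own; given the `nextcloud-prefix-logfile`, `-syslog` and `-all` variables defined just above it and the `logging = all` default, this is presumably a `<nextcloud-prefix-<logging>>` substitution whose angle brackets were lost when the patch was rendered, so please confirm the raw file rather than this rendering. The usage comment only shows `filter = nextcloud-auth[logging=...]`; add the same line for `nextcloud-domain[logging=...]`, since both filters now include this file and a reader of the domain filter has no other pointer to the option. It would also help to say why `nextcloud-prefix-logfile` is deliberately empty, e.g. `# empty: lines in nextcloud.log start directly with the JSON object`, which the test fixtures in this series bear out.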
--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -6,12 +6,8 @@
 
 [INCLUDES]
 
-# Read common prefixes
-before = common.conf
+before = nextcloud-common.conf
 
 [Definition]
 
-# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
-_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
-datepattern = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
diff --git a/fail2ban/tests/files/logs/nextcloud-auth b/fail2ban/tests/files/logs/nextcloud-auth
index c4440e9d..f1ac6d56 100644
--- a/fail2ban/tests/files/logs/nextcloud-auth
+++ b/fail2ban/tests/files/logs/nextcloud-auth
@@ -8,4 +8,7 @@
 # failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
 {"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
 # failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
-{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-domain b/fail2ban/tests/files/logs/nextcloud-domain
index 16654674..8368a678 100644
--- a/fail2ban/tests/files/logs/nextcloud-domain
+++ b/fail2ban/tests/files/logs/nextcloud-domain
@@ -4,4 +4,7 @@
 # failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
 {"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
 # failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
-{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file
From 55bf772b0585039a848913787696be419bc10471 Mon Sep 17 00:00:00 2001
From: Eric Niklas Wolf
Date: Mon, 22 Jan 2024 11:07:30 +0100
Subject: [PATCH 7/8] remove pointless quantifier in datepattern

---
 config/filter.d/nextcloud-common.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/nextcloud-common.conf b/config/filter.d/nextcloud-common.conf
index 749329d5..14cb001f 100644
--- a/config/filter.d/nextcloud-common.conf
+++ b/config/filter.d/nextcloud-common.conf
@@ -25,4 +25,4 @@ nextcloud-prefix = >
 # based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
 _groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
 
-datepattern = ^%(nextcloud-prefix)s?\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+datepattern = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
From 9c83a7121c428f0471f542e3657067c60a65c314 Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Sun, 4 Feb 2024 22:50:13 +0100
Subject: [PATCH 8/8] add notice about false positives

---
 config/filter.d/nextcloud-auth.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
index 588fb8c9..14d1b865 100644
--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -1,6 +1,8 @@
 # Fail2Ban filter file for Nextcloud login failures
 #
 # Author: Sergey G. Brester (sebres)
+# Notice: Is also triggered by problems with the authentication provider,
+# see https://github.com/fail2ban/fail2ban/pull/3581#issuecomment-1924903039
 #
 
 [INCLUDES]
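Review bot: The added notice names the trigger but not its consequence for the operator: while the authentication provider is down every login attempt is logged as `Login failed`, so a jail with a low `maxretry` may ban legitimate clients for the duration of the outage, which is the false-positive case the subject line refers to. Rephrasing the first line as `# Notice: "Login failed" is also logged when the authentication provider is unavailable, so an outage may ban legitimate clients; choose maxretry/findtime accordingly,` and keeping the existing `# see ...` line makes that explicit where the operator will read it. The same kind of caveat belongs in nextcloud-domain.conf, whose `Notice:` line only covers the log level, since a trusted-domain error is raised by host-header misconfiguration as readily as by an attacker.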