From a3df1ab3f0674fa764be5c67805f5e1a0fd8e153 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Mon, 25 Nov 2019 21:50:16 +0100
Subject: [PATCH 1/8] Create bitwarden

---
 fail2ban/tests/files/logs/bitwarden | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/bitwarden

diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden
new file mode 100644
index 00000000..2748a944
--- /dev/null
+++ b/fail2ban/tests/files/logs/bitwarden
@@ -0,0 +1,5 @@
+# failJSON: { "time": "2019-11-26T01:04:49", "match": true , "host": "192.168.0.16" }
+2019-11-26 01:04:49.008 +08:00 [WRN] Failed login attempt. 192.168.0.16
+
+# failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" }
+2019-11-25 21:39:58.464 +01:00 [WRN] Failed login attempt, 2FA invalid. 192.168.0.21

From ef394b3cf03a065d60f6ad1509f412565d547224 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Mon, 25 Nov 2019 21:55:45 +0100
Subject: [PATCH 2/8] Update jail.conf

---
 config/jail.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index b39b3a6c..d1792553 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -821,6 +821,10 @@ udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 
+[centreon]
+port = http,https
+logpath = /home/*/bwdata/logs/identity/Identity/log.txt
+
 [centreon]
 port = http,https
 logpath = /var/log/centreon/login.log

From 30e742a849129897f9016cd5df6e3f9be2d495f8 Mon Sep 17 00:00:00 2001
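Review bot: Both samples in the new `fail2ban/tests/files/logs/bitwarden` fixture are positive matches (`"match": true`), so nothing in the test data pins what the filter must not match. A `"match": false` sample, for instance a non-failure entry in the same log format, would catch an over-broad failregex, and an IPv6 sample would confirm the address capture beyond the two IPv4 cases. The later hunk on this file in PATCH 7/8 only corrects the expected time and adds no such case.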
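Review bot: The added `logpath = /home/*/bwdata/logs/identity/Identity/log.txt` globs across every home directory, so the jail reads any file at that relative path, including one created by a local account that has nothing to do with the Bitwarden install. Bans follow directly from the lines in those files, so a user-writable log location lets an unprivileged account influence which addresses get banned once the jail is enabled. Consider shipping a comment such as `# point logpath at the Bitwarden install's own log file in jail.local; the /home/* glob matches every user's home` above the line, or documenting a single fixed path. PATCH 3/8 renames the section but leaves this line unchanged.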
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Mon, 25 Nov 2019 21:57:41 +0100
Subject: [PATCH 3/8] Update jail.conf

---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index d1792553..41495a09 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -821,7 +821,7 @@ udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 
-[centreon]
+[bitwarden]
 port = http,https
 logpath = /home/*/bwdata/logs/identity/Identity/log.txt
 

From 79caeaa52024f31635adbae6b8d2b65f2127ba38 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Mon, 25 Nov 2019 22:05:29 +0100
Subject: [PATCH 4/8] Create bitwarden.conf

---
 config/filter.d/bitwarden.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 config/filter.d/bitwarden.conf

diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf
new file mode 100644
index 00000000..4cebcedf
--- /dev/null
+++ b/config/filter.d/bitwarden.conf
@@ -0,0 +1,9 @@
+# Fail2Ban filter for Bitwarden
+# Detecting failed login attempts
+# Logged in bwdata/logs/identity/Identity/log.txt
+
+[Init]
+datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+
+[Definition]
+failregex = ^.*Failed login attempt(, 2FA invalid)\. $

From 869327e9b18e5fd9c84813609e094c4d6646e6b8 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Mon, 25 Nov 2019 22:17:58 +0100
Subject: [PATCH 5/8] Update bitwarden.conf

---
 config/filter.d/bitwarden.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf
index 4cebcedf..1c49fdc4 100644
--- a/config/filter.d/bitwarden.conf
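Review bot: As shown on this page, the new `failregex` in `config/filter.d/bitwarden.conf` ends in `\. $` with no host tag, although both sample log lines end with the client address that the jail is meant to ban. If the tag is really absent from the file rather than lost in rendering, the line should end `\. <ADDR>$`; `<ADDR>` is preferable to `<HOST>` here because it accepts only IP literals and avoids DNS resolution of text taken from a log. The same ending appears in the failregex lines of PATCH 5/8, 6/8 and 8/8. The `[Definition]` section also carries no `ignoreregex =` line, which fail2ban filters conventionally include even when empty.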
+++ b/config/filter.d/bitwarden.conf
@@ -6,4 +6,4 @@
 datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
 
 [Definition]
-failregex = ^.*Failed login attempt(, 2FA invalid)\. $
+failregex = ^.*Failed login attempt(, 2FA invalid)?\. $

From d7b707b09d2b7908976153f7e36eff6b14f94457 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Wed, 27 Nov 2019 00:09:22 +0100
Subject: [PATCH 6/8] Update bitwarden.conf

---
 config/filter.d/bitwarden.conf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf
index 1c49fdc4..6a9e87e6 100644
--- a/config/filter.d/bitwarden.conf
+++ b/config/filter.d/bitwarden.conf
@@ -2,8 +2,5 @@
 # Detecting failed login attempts
 # Logged in bwdata/logs/identity/Identity/log.txt
 
-[Init]
-datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
-
 [Definition]
-failregex = ^.*Failed login attempt(, 2FA invalid)?\. $
+failregex = ^\s*\[\w+\]\s+Failed login attempt(?:, 2FA invalid)?\. $

From 566cbcdde0a4cd5670f3dcd1415a77845304a396 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Wed, 27 Nov 2019 00:14:18 +0100
Subject: [PATCH 7/8] Update bitwarden

---
 fail2ban/tests/files/logs/bitwarden | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden
index 2748a944..3642b3bf 100644
--- a/fail2ban/tests/files/logs/bitwarden
+++ b/fail2ban/tests/files/logs/bitwarden
@@ -1,4 +1,4 @@
-# failJSON: { "time": "2019-11-26T01:04:49", "match": true , "host": "192.168.0.16" }
+# failJSON: { "time": "2019-11-25T18:04:49", "match": true , "host": "192.168.0.16" }
 2019-11-26 01:04:49.008 +08:00 [WRN] Failed login attempt. 192.168.0.16
 
 # failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" }

From e763c657c4288df88f9fd2c02b5d2428b688e938 Mon Sep 17 00:00:00 2001
From: Mart124 <37041094+Mart124@users.noreply.github.com>
Date: Wed, 27 Nov 2019 00:32:10 +0100
Subject: [PATCH 8/8] Let's get back to WRN

---
 config/filter.d/bitwarden.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf
index 6a9e87e6..29bd4be8 100644
--- a/config/filter.d/bitwarden.conf
+++ b/config/filter.d/bitwarden.conf
@@ -3,4 +3,4 @@
 # Logged in bwdata/logs/identity/Identity/log.txt
 
 [Definition]
-failregex = ^\s*\[\w+\]\s+Failed login attempt(?:, 2FA invalid)?\. $
+failregex = ^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. $