Add Mongodb-auth filter and jail

config/filter.d/mongodb-auth.conf

@@ -0,0 +1,28 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+#
+
+[Init]
+maxlines = 10
+
+[Definition]
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]*<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1]  authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander Finkhäuser and sebres
+#
+

config/jail.conf

@@ -731,6 +731,18 @@ logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 
 
+# Log wrong MongoDB auth
+# Logfile /var/log/mongodb/mongodb.log
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+[mongodb-auth]
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
+
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNINGS !!!
 # 1. Make sure that your loglevel specified in fail2ban.conf/.local