diff --git a/config/filter.d/mongodb-auth.conf b/config/filter.d/mongodb-auth.conf
new file mode 100644
index 00000000..77443f9c
--- /dev/null
+++ b/config/filter.d/mongodb-auth.conf
@@ -0,0 +1,28 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+#
+
+[Init]
+maxlines = 10
+
+[Definition]
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]*\s+\[conn(?P=__connid)\] end connection
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander Finkhäuser and sebres
+#
+
diff --git a/config/jail.conf b/config/jail.conf
index 41d8d3b8..50ecbd72 100644
--- a/config/jail.conf
+++ b/config/jail.conf
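Review bot: The failregex as shown stops at `end connection` with no `<HOST>` tag, so fail2ban has nothing to extract as the address to ban; unless the page rendering swallowed the tag as markup, the pattern should end `end connection <HOST>:\d+` so it captures the client address that the `end connection 127.0.0.1:53276` sample lines carry. The `[^\n]*\s+\[conn(?P=__connid)\]` join also only matches when the `end connection` line for that connection is the very next line after the failure, so a failed login whose two lines are interleaved with output from other connections is not counted; if that gap is accepted, a comment above `maxlines = 10` saying so would spare the next reader the analysis. The sample lines have no severity/component field before `[connN]`, so `^\s+\[conn` is tied to that log layout; naming the MongoDB version the samples came from in the DEV Notes would make the limitation visible. The header comment has a typo: `unsuccesfull` should read `unsuccessful`.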
@@ -731,6 +731,18 @@ logpath = %(mysql_log)s
 backend = %(mysql_backend)s
+# Log wrong MongoDB auth
+# Logfile /var/log/mongodb/mongodb.log
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+[mongodb-auth]
+port = 27017
+logpath = /var/log/mongodb/mongodb.log
+
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNINGS !!!
 # 1. Make sure that your loglevel specified in fail2ban.conf/.local
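Review bot: `logpath = /var/log/mongodb/mongodb.log` hard-codes the path while the neighbouring jail reads `logpath = %(mysql_log)s` from the shared path definitions; if the project keeps log locations in its paths-*.conf files, a variable there (say `mongodb_log`) would let distributions with a different log location override it in one place, and the comment block would not need to repeat the path twice. The comment lines `logpath=/var/log/mongodb/mongodb.log` and `auth = true` describe the legacy key=value mongodb.conf syntax; if the deployment's MongoDB version uses the YAML configuration file, the equivalent settings are spelled differently, so saying which format is meant avoids an operator enabling the jail against a log that is never written. `port = 27017` covers only the default listener, so a one-line comment that the value must match the port mongod actually listens on would help operators running non-default ports.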