Merge pull request #1310 from yarikoptic/pr-1288

NF: HAProxy HTTP Auth filter
9 years ago · 905c87ca4a
parent 3dc57af19c 3f437b32db
commit 905c87ca4a
4 changed files with 50 additions and 0 deletions
--- a/2
+++ b/2
@ -52,6 +52,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
       request processing rate (ngx_http_limit_req_module)
     - murmur - ban hosts that repeatedly attempt to connect to
       murmur/mumble-server with an invalid server password or certificate.
     - haproxy-http-auth - filter to match failed HTTP Authentications against a
       HAProxy server
   * New jails:
     - murmur - bans TCP and UDP from the bad host on the default murmur port.
   * sshd filter got new failregex to match "maximum authentication
--- a/config/filter.d/haproxy-http-auth.conf
+++ b/config/filter.d/haproxy-http-auth.conf
@ -0,0 +1,37 @@
 # Fail2Ban filter configuration file to match failed login attempts to
 # HAProxy HTTP Authentication protected servers.
 #
 # PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
 # which prompts their browser to ask for login details.
 # This initial 401 is logged by HAProxy.
 # In other words, even successful logins will have at least 1 fail regex match.
 # Please keep this in mind when setting findtime and maxretry for jails.
 #
 # Author: Jordan Moeser
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = haproxy
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s<HOST>.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -832,3 +832,10 @@ logpath  = /var/log/mumble-server/mumble-server.log
 # For Mac OS Screen Sharing Service (VNC)
 logpath  = /var/log/system.log
 logencoding = utf-8
 [haproxy-http-auth]
 # HAProxy by default doesn't log to file you'll need to set it up to forward
 # logs to a syslog server which would then write them to disk.
 # See "haproxy-http-auth" filter for a brief cautionary note when setting
 # maxretry and findtime.
 logpath  = /var/log/haproxy.log
--- a/fail2ban/tests/files/logs/haproxy-http-auth
+++ b/fail2ban/tests/files/logs/haproxy-http-auth
@ -0,0 +1,4 @@
 # failJSON: { "match": false }
 Nov 14 22:45:27 test haproxy[760]: 192.168.33.1:58444 [14/Nov/2015:22:45:25.439] main app/app1 1939/0/1/0/1940 403 5168 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
 # failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "192.168.33.1" }
 Nov 14 22:45:11 test haproxy[760]: 192.168.33.1:58430 [14/Nov/2015:22:45:11.608] main main/<NOSRV> -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"