diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf new file mode 100644 index 00000000..04003263 --- /dev/null +++ b/config/filter.d/froxlor-auth.conf @@ -0,0 +1,37 @@ +# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s) +# +# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages +# Froxlor: [Login Action ] Unknown user '' tried to login. +# Froxlor: [Login Action ] User '' tried to login with wrong password. +# +# Author: Joern Muehlencord +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = Froxlor + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = ^%(__prefix_line)s\[Login Action \] Unknown user \S* tried to login.$ + ^%(__prefix_line)s\[Login Action \] User \S* tried to login with wrong password.$ + + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = + diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth new file mode 100644 index 00000000..ba585c6d --- /dev/null +++ b/fail2ban/tests/files/logs/froxlor-auth @@ -0,0 +1,5 @@ +# failJSON: { "time": "2015-06-21T00:56:27", "match": true , "host": "1.2.3.4" } +May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login. +# failJSON: { "time": "2015-06-21T00:57:38", "match": true , "host": "1.2.3.4" } +May 21 00:57:38 jomu Froxlor: [Login Action 83.87.126.64] User 'admin' tried to login with wrong password. +