mirror of https://github.com/fail2ban/fail2ban
ENH/DOC: more realm mismatch errors. Documented filter design criteria
parent
bf54db7ce7
commit
975999591f
|
@ -12,27 +12,37 @@ before = apache-common.conf
|
|||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
|
||||
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (1st 3)
|
||||
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c (2nd 3)
|
||||
# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_digest.c (next 4)
|
||||
# This filter matches the authorization failures of Apache. It takes the log messages
|
||||
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
|
||||
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
|
||||
#
|
||||
# As an unauthorized response is the first step for a browser to instigate authentication
|
||||
# so don't set max retry too low.
|
||||
#
|
||||
# Source:
|
||||
#
|
||||
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
|
||||
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
|
||||
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
|
||||
# to return the actual failure.
|
||||
|
||||
failregex = ^%(_apache_error_client)s user .* authentication failure for "\S*": Password Mismatch$
|
||||
^%(_apache_error_client)s user .* not found: \S*\s*$
|
||||
^%(_apache_error_client)s client used wrong authentication scheme: \S*\s*$
|
||||
^%(_apache_error_client)s authorization failure \(no authenticated user\): \S*\s*$
|
||||
^%(_apache_error_client)s client denied by server configuration: (uri )?\S*\s*$
|
||||
^%(_apache_error_client)s user .* authorization failure for "\S*": \S*\s*$
|
||||
^%(_apache_error_client)s user .* authorization failure: \S*\s*$
|
||||
^%(_apache_error_client)s user .* authorization failure for "\S*": \s*$
|
||||
^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
|
||||
^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
|
||||
^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
|
||||
^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
|
||||
^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
|
||||
^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
|
||||
^%(_apache_error_client)s user `.*' in realm `.+' (not found|denied by provider): \S*\s*"$
|
||||
^%(_apache_error_client)s user .* password mismatch: \S*\s*"$
|
||||
^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
|
||||
|
||||
|
||||
|
||||
# Option: ignoreregex
|
||||
|
|
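Review bot: The last four digest patterns (unknown algorithm, user in realm not found / denied by provider, password mismatch, invalid qop) end in `\S*\s*"$`, so they require a literal double quote as the final character of the log line, which none of the other patterns expect. It looks as if the closing quote of the C format string was copied along with the message text. The page has lost its +/- markers, but if these lines are on the new side they are unlikely ever to match, and those digest failures would go uncounted towards a ban. The tail should read like the other patterns, e.g. `^%(_apache_error_client)s user .* password mismatch: \S*\s*$`. Separately, the `.*` after `user` spans client-supplied text, so the filter relies on `_apache_error_client` (defined in apache-common.conf, not shown here) capturing the host before any of it; a one-line comment saying so would fit the design notes added here.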