From 6a1bbbf1013da4d0d03eb2b282f44f6b0ed8fad2 Mon Sep 17 00:00:00 2001 From: riceru <35490247+riceru@users.noreply.github.com> Date: Tue, 16 Jan 2018 12:39:55 +0000 Subject: [PATCH 1/3] Update lighttpd-auth.conf I have lighttpd 1.4.45 (Debian 9) and auth error log is different. Now printing mod_auth and not http_auth. I think that the change was in Lighttp 1.4.42 --- config/filter.d/lighttpd-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/lighttpd-auth.conf b/config/filter.d/lighttpd-auth.conf index 3bd01f29..11f6d0bb 100644 --- a/config/filter.d/lighttpd-auth.conf +++ b/config/filter.d/lighttpd-auth.conf @@ -3,7 +3,7 @@ [Definition] -failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ +failregex = ^: \((http|mod)_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex = From 9a46590486f8f9fe4f14f785ddbdd448c2bb7a24 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 16 Jan 2018 14:20:51 +0100 Subject: [PATCH 2/3] extended test-cases to cover new log-format (http_auth -> mod_auth) --- fail2ban/tests/files/logs/lighttpd-auth | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fail2ban/tests/files/logs/lighttpd-auth b/fail2ban/tests/files/logs/lighttpd-auth index a373c652..184dba33 100644 --- a/fail2ban/tests/files/logs/lighttpd-auth +++ b/fail2ban/tests/files/logs/lighttpd-auth @@ -5,3 +5,5 @@ 2012-09-26 10:24:35: (http_auth.c.1136) digest: auth failed for xxx : wrong password, IP: 4.4.4.4 # failJSON: { "time": "2013-08-25T00:24:55", "match": true , "host": "4.4.4.4" } 2013-08-25 00:24:55: (http_auth.c.877) get_password failed, IP: 4.4.4.4 +# failJSON: { "time": "2018-01-16T14:10:32", "match": true , "host": "192.0.2.1", "desc": "http_auth -> mod_auth, gh-2018" } +2018-01-16 14:10:32: (mod_auth.c.525) password doesn't match for /test-url username: test, IP: 192.0.2.1 From b6c6565a7ed9229ab14070a9ed83d26655f7f9c0 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 16 Jan 2018 14:23:47 +0100 Subject: [PATCH 3/3] regex updated using non-capturing groups --- config/filter.d/lighttpd-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/lighttpd-auth.conf b/config/filter.d/lighttpd-auth.conf index 11f6d0bb..a68f4f4d 100644 --- a/config/filter.d/lighttpd-auth.conf +++ b/config/filter.d/lighttpd-auth.conf @@ -3,7 +3,7 @@ [Definition] -failregex = ^: \((http|mod)_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ +failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex =