github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

code review, make it backwards compatible to logging type=1 (as suggested in https://github.com/fail2ban/fail2ban/issues/2926#issuecomment-774780120); use by default type=2

pull/4075/head
sebres 2025-09-24 16:09:42 +02:00
parent 1379a262f6
commit a9401233dd
2 changed files with 26 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
config/filter.d/froxlor-auth.conf
View File

@ -1,13 +1,15 @@
# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
#
# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
# <syslog prefix> froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"<ADDR>"} []
# <syslog prefix> froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"<ADDR>"} []
# - for type=2
# <syslog prefix> froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"<ADDR>"} []
# <syslog prefix> froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"<ADDR>"} []
# - for type=1:
# <syslog prefix> Froxlor: [Login Action <ADDR>] Unknown user '<USER>' tried to login.
# <syslog prefix> Froxlor: [Login Action <ADDR>] User '<USER>' tried to login with wrong password.
#
# Author: Joern Muehlencord
#
# Modified: Para-do-x™ - Andreas Duennwald
#
[INCLUDES]
@ -15,25 +17,18 @@
# common.local
before = common.conf
[DEFAULT]
_daemon = [Ff]roxlor
[type1]
prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
[type2]
prefregex = ^%(__prefix_line)sfroxlor\.WARNING: <F-CONTENT>.+</F-CONTENT> \{(?:"[^"]+":"[^"]*",\s*){,5}"user":"<ADDR>"\} \[\]$
[Definition]
_daemon = froxlor
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
prefregex =
failregex = ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"<ADDR>"\S* \[\]
^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: User tried to login with wrong password. \{"source":"login","action":"50","user":"<ADDR>"\S* \[\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
type = 2
prefregex = <type<type>/prefregex>
failregex = ^Unknown user(?: <F-USER>\S*</F-USER>)? tried to login\.$
^User(?: <F-USER>\S*</F-USER>)? tried to login with wrong password\.$
ignoreregex =

9
fail2ban/tests/files/logs/froxlor-auth
View File

@ -1,4 +1,11 @@
# filterOptions: [{"type": "1"}]
# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.
# filterOptions: [{}, {"type": "2"}]
# failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" }
2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} []
# failJSON: { "time": "2005-05-21T16:30:13", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2025-09-21T16:30:13", "match": true , "host": "1.2.3.4" }
2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []