From a9401233ddc58e7481a6ce0ae43e182e47215939 Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 24 Sep 2025 16:09:42 +0200
Subject: [PATCH] code review, make it backwards compatible to logging type=1 (as suggested in https://github.com/fail2ban/fail2ban/issues/2926#issuecomment-774780120); use by default type=2
---
 config/filter.d/froxlor-auth.conf | 41 +++++++++++---------------
 fail2ban/tests/files/logs/froxlor-auth | 9 +++++-
 2 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf
index 632b12fa..ab85c9cf 100644
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@@ -1,13 +1,15 @@
 # Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
 #
 # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
-# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} []
-# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} []
+# - for type=2
+# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} []
+# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} []
+# - for type=1:
+# Froxlor: [Login Action ] Unknown user '' tried to login.
+# Froxlor: [Login Action ] User '' tried to login with wrong password.
 #
 # Author: Joern Muehlencord
-#
 # Modified: Para-do-x™️ - Andreas Duennwald
-#
 
 [INCLUDES]
 
@@ -15,25 +17,18 @@ # common.local before = common.conf +[DEFAULT] +_daemon = [Ff]roxlor + +[type1] +prefregex = ^%(__prefix_line)s\[Login Action \] .+$ + +[type2] +prefregex = ^%(__prefix_line)sfroxlor\.WARNING: .+ \{(?:"[^"]+":"[^"]*",\s*){,5}"user":""\} \[\]$ [Definition] - -_daemon = froxlor - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# - -prefregex = -failregex = ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""\S* \[\] - ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: User tried to login with wrong password. \{"source":"login","action":"50","user":""\S* \[\] - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# +type = 2 +prefregex = /prefregex> +failregex = ^Unknown user(?: \S*)? tried to login\.$ + ^User(?: \S*)? tried to login with wrong password\.$ ignoreregex = diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth index 0f61da88..067bf2e0 100644 --- a/fail2ban/tests/files/logs/froxlor-auth +++ b/fail2ban/tests/files/logs/froxlor-auth 
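Review bot: The login-name group `(?: \S*)?` in both new `failregex` lines of `[Definition]` accepts only a name without whitespace, so a type=1 line whose quoted name contains a space would not match the end-anchored pattern and the attempt would go uncounted. Whether Froxlor logs the submitted name verbatim is not visible in this patch, so that needs confirming; if it does, match the quoted form instead, e.g. `^Unknown user(?: '.*')? tried to login\.$` and `^User(?: '.*')? tried to login with wrong password\.$`. In the type=1 format the address sits in `[Login Action …]` ahead of the name, so widening the name group should not change which host is reported. This page's rendering seems to have dropped angle-bracket tags (`"user":""`, `prefregex = /prefregex>`), so the quoted lines need checking against the real file.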
@@ -1,4 +1,11 @@
+# filterOptions: [{"type": "1"}]
+# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
+May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
+# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
+May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.
+
+# filterOptions: [{}, {"type": "2"}]
 # failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" }
 2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} []
-# failJSON: { "time": "2005-05-21T16:30:13", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2025-09-21T16:30:13", "match": true , "host": "1.2.3.4" }
 2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []
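Review bot: The new type=1 samples use only plain one-word login names, so nothing pins down that the host is always taken from `[Login Action …]` and never from the quoted name. A regression sample whose login name looks like an address would cover that, e.g. (constructed) `# failJSON: { "time": "2005-05-21T00:58:40", "match": true , "host": "1.2.3.4", "desc": "address-like login name" }` followed by `May 21 00:58:40 jomu Froxlor: [Login Action 1.2.3.4] Unknown user '192.0.2.7' tried to login.`. A `"match": false` sample of a non-failure Froxlor message under each `filterOptions` block would also guard against the prefregex matching too broadly.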