From ec873e2dc38af51d7da41d65fb28a1daf707b557 Mon Sep 17 00:00:00 2001 From: benrubson <6764151+benrubson@users.noreply.github.com> Date: Thu, 5 Nov 2020 23:56:30 +0100 Subject: [PATCH 1/7] Add SoftEtherVPN jail --- ChangeLog | 1 + config/filter.d/softethervpn.conf | 9 +++++++++ config/jail.conf | 5 +++++ fail2ban/tests/files/logs/softethervpn | 7 +++++++ 4 files changed, 22 insertions(+) create mode 100644 config/filter.d/softethervpn.conf create mode 100644 fail2ban/tests/files/logs/softethervpn diff --git a/ChangeLog b/ChangeLog index c3e2c6d4..d1aa66c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition * parsing of action in jail-configs considers space between action-names as separator also (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` * new filter and jail for GitLab recognizing failed application logins (gh-2689) +* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723) * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631) * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; * datetemplate: improved anchor detection for capturing groups `(^...)`; diff --git a/config/filter.d/softethervpn.conf b/config/filter.d/softethervpn.conf new file mode 100644 index 00000000..0cbf5c94 --- /dev/null +++ b/config/filter.d/softethervpn.conf @@ -0,0 +1,9 @@ +# Fail2Ban filter for SoftEtherVPN +# Detecting unauthorized access to SoftEtherVPN +# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration + +[INCLUDES] +before = common.conf + +[Definition] +failregex = ^%(__prefix_line)s(?:\([0-9 :.-]{23}\) :)? Connection ".+": User authentication failed. The user name that has been provided was ".+", from .$ diff --git a/config/jail.conf b/config/jail.conf index 8fbd23a1..67f39e40 100644 
--- a/config/jail.conf +++ b/config/jail.conf @@ -820,6 +820,11 @@ udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010 action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] +[softethervpn] +port = 500,4500 +protocol = udp +logpath = /usr/local/vpnserver/security_log/*/sec.log + [gitlab] port = http,https logpath = /var/log/gitlab/gitlab-rails/application.log diff --git a/fail2ban/tests/files/logs/softethervpn b/fail2ban/tests/files/logs/softethervpn new file mode 100644 index 00000000..dd2a798b --- /dev/null +++ b/fail2ban/tests/files/logs/softethervpn @@ -0,0 +1,7 @@ +# Access of unauthorized host in /usr/local/vpnserver/security_log/*/sec.log +# failJSON: { "time": "2020-05-12T10:53:19", "match": true , "host": "80.10.11.12" } +2020-05-12 10:53:19.781 Connection "CID-72": User authentication failed. The user name that has been provided was "bob", from 80.10.11.12. + +# Access of unauthorized host in syslog +# failJSON: { "time": "2020-05-13T10:53:19", "match": true , "host": "80.10.11.13" } +2020-05-13T10:53:19 localhost [myserver.com/VPN/defaultvpn] (2020-05-13 10:53:19.591) : Connection "CID-594": User authentication failed. The user name that has been provided was "alice", from 80.10.11.13. From 010e76406fd2aac83b8cf6da27e9d380cc75dad4 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Mon, 9 Nov 2020 13:19:25 +0100 Subject: [PATCH 2/7] small tweaks (both 2nd time and facility are optional, avoid catch-all, etc) --- config/filter.d/softethervpn.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/softethervpn.conf b/config/filter.d/softethervpn.conf index 0cbf5c94..f7e7c0c3 100644 --- a/config/filter.d/softethervpn.conf +++ b/config/filter.d/softethervpn.conf 
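Review bot: The new `[softethervpn]` jail in config/jail.conf bans only `port = 500,4500` with `protocol = udp`, i.e. the IPsec/L2TP listeners, while the `User authentication failed` lines in the fixture carry nothing that says which listener the attempt arrived on. SoftEther's documented defaults (not visible here, so worth confirming) also include SSL-VPN/OpenVPN listeners on TCP 443, 992, 1194 and 5555, so a brute-forcer on those would keep going after the ban fires. The jail shown as context directly above already uses the dual-protocol shape; the same form here would be `tcpport = 443,992,1194,5555`, `udpport = 500,4500` and `action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]`. At minimum a comment above the jail stating which listeners the default port list covers would save operators a surprise.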
@@ -6,4 +6,4 @@ before = common.conf [Definition] -failregex = ^%(__prefix_line)s(?:\([0-9 :.-]{23}\) :)? Connection ".+": User authentication failed. The user name that has been provided was ".+", from .$ +failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "(?:[^"]+|.+)", from \.$ From df659a0cbc68ad7f8233f16edf64ddddec6dd1d7 Mon Sep 17 00:00:00 2001 From: Mart124 <37041094+Mart124@users.noreply.github.com> Date: Sun, 18 Oct 2020 19:56:30 +0200 Subject: [PATCH 3/7] Add Bitwarden syslog support --- ChangeLog | 1 + config/filter.d/bitwarden.conf | 8 +++++++- fail2ban/tests/files/logs/bitwarden | 3 +++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d1aa66c5..96c58bb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -73,6 +73,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition * new filter and jail for GitLab recognizing failed application logins (gh-2689) * new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723) * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631) +* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778) * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; * datetemplate: improved anchor detection for capturing groups `(^...)`; * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf index 29bd4be8..4a836cbb 100644 --- a/config/filter.d/bitwarden.conf +++ b/config/filter.d/bitwarden.conf 
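Review bot: The user-name field in the tightened failregex is attacker-controlled (it is whatever the client presented), and as far as I can see it is the `[^"]+` alternative being tried first together with the trailing `\.$` anchor that keeps a name like `x", from 1.2.3.4` from being read as the host, but nothing in the file records that. A `# DEV Notes:` section like the one in filter.d/bitwarden.conf would stop the next editor from "simplifying" it, e.g. `# DEV Notes:` / `# user name is client-supplied: keep the [^"]+ alternative first and the trailing \.$ anchor so an injected '", from <ip>.' inside the name cannot displace the real host.` The header still says the events may land in syslog; noting there that the optional `(date time) :` group is the syslog variant would also help readers of the regex.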
@@ -2,5 +2,11 @@ # Detecting failed login attempts # Logged in bwdata/logs/identity/Identity/log.txt +[INCLUDES] +before = common.conf + [Definition] -failregex = ^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. $ +failregex = ^%(__prefix_line)s\s*\[[^\s]+\]\s+Failed login attempt(?:, 2FA invalid)?\. $ + +# DEV Notes: +# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once. diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden index 3642b3bf..9deb2c07 100644 --- a/fail2ban/tests/files/logs/bitwarden +++ b/fail2ban/tests/files/logs/bitwarden @@ -3,3 +3,6 @@ # failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } 2019-11-25 21:39:58.464 +01:00 [WRN] Failed login attempt, 2FA invalid. 192.168.0.21 + +# failJSON: { "time": "2019-09-24T13:16:50", "match": true , "host": "192.168.0.23" } +2019-09-24T13:16:50 e5a81dbf7fd1 Bitwarden-Identity[1]: [Bit.Core.IdentityServer.ResourceOwnerPasswordValidator] Failed login attempt. 192.168.0.23 From 2a18b82f5f92ca50b63dcb01b6f4231cd4220f9f Mon Sep 17 00:00:00 2001 From: Mart124 <37041094+Mart124@users.noreply.github.com> Date: Tue, 20 Oct 2020 18:18:03 +0200 Subject: [PATCH 4/7] Support alternative Bitwarden log format --- fail2ban/tests/files/logs/bitwarden | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden index 9deb2c07..27a22854 100644 --- a/fail2ban/tests/files/logs/bitwarden +++ b/fail2ban/tests/files/logs/bitwarden 
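Review bot: The filter header in the context line `# Logged in bwdata/logs/identity/Identity/log.txt` is no longer complete once this hunk adds syslog support, and the `[bitwarden]` jail in config/jail.conf (visible as context in a later hunk) still sets only the file `logpath`, so a syslog user gets no hint that `logpath`/`backend` must be overridden. I would extend the header to `# Logged in bwdata/logs/identity/Identity/log.txt, or in syslog (override logpath/backend in the jail in that case)`. In the new DEV note, `can result to an empty string` should read `can result in an empty string`.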
@@ -2,7 +2,7 @@ 2019-11-26 01:04:49.008 +08:00 [WRN] Failed login attempt. 192.168.0.16 # failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } -2019-11-25 21:39:58.464 +01:00 [WRN] Failed login attempt, 2FA invalid. 192.168.0.21 +2019-11-25 21:39:58.464 +01:00 [Warning] Failed login attempt, 2FA invalid. 192.168.0.21 # failJSON: { "time": "2019-09-24T13:16:50", "match": true , "host": "192.168.0.23" } 2019-09-24T13:16:50 e5a81dbf7fd1 Bitwarden-Identity[1]: [Bit.Core.IdentityServer.ResourceOwnerPasswordValidator] Failed login attempt. 192.168.0.23 From 25e006e137172c96c25864f8050b191efaaba3d8 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 9 Nov 2020 13:43:59 +0100 Subject: [PATCH 5/7] review and small tweaks (more precise and safe RE) --- config/filter.d/bitwarden.conf | 3 ++- fail2ban/tests/files/logs/bitwarden | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config/filter.d/bitwarden.conf b/config/filter.d/bitwarden.conf index 4a836cbb..b0651c8e 100644 --- a/config/filter.d/bitwarden.conf +++ b/config/filter.d/bitwarden.conf @@ -6,7 +6,8 @@ before = common.conf [Definition] -failregex = ^%(__prefix_line)s\s*\[[^\s]+\]\s+Failed login attempt(?:, 2FA invalid)?\. $ +_daemon = Bitwarden-Identity +failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. $ # DEV Notes: # __prefix_line can result to an empty string, so it can support syslog and non-syslog at once. diff --git a/fail2ban/tests/files/logs/bitwarden b/fail2ban/tests/files/logs/bitwarden index 27a22854..0fede6c6 100644 --- a/fail2ban/tests/files/logs/bitwarden +++ b/fail2ban/tests/files/logs/bitwarden 
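Review bot: The added `_daemon = Bitwarden-Identity` line carries no comment, and the DEV note below only talks about `__prefix_line`, so a reader has to know common.conf to see that this is what lets the `Bitwarden-Identity[1]:` syslog tag in the fixture be consumed (presumably through common.conf's daemon pattern, which is not visible here). I'd put above it `# syslog tag of the identity service, picked up by common.conf's __prefix_line (see the Bitwarden-Identity[1]: sample in tests/files/logs/bitwarden)`. The `W(?:RN|arning)` alternation is grounded by the two file-format fixtures; if other Bitwarden levels can accompany this message, a comment there would be the place to say so rather than widening the class again later.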
@@ -1,6 +1,9 @@ # failJSON: { "time": "2019-11-25T18:04:49", "match": true , "host": "192.168.0.16" } 2019-11-26 01:04:49.008 +08:00 [WRN] Failed login attempt. 192.168.0.16 +# failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } +2019-11-25 21:39:58.464 +01:00 [WRN] Failed login attempt, 2FA invalid. 192.168.0.21 + # failJSON: { "time": "2019-11-25T21:39:58", "match": true , "host": "192.168.0.21" } 2019-11-25 21:39:58.464 +01:00 [Warning] Failed login attempt, 2FA invalid. 192.168.0.21 From 840f0ff10a5edb14afaba8b2c13bc18d2514715d Mon Sep 17 00:00:00 2001 From: benrubson <6764151+benrubson@users.noreply.github.com> Date: Mon, 9 Nov 2020 15:31:06 +0100 Subject: [PATCH 6/7] Add Grafana jail --- ChangeLog | 1 + config/filter.d/grafana.conf | 9 +++++++++ config/jail.conf | 4 ++++ fail2ban/tests/files/logs/grafana | 5 +++++ 4 files changed, 19 insertions(+) create mode 100644 config/filter.d/grafana.conf create mode 100644 fail2ban/tests/files/logs/grafana diff --git a/ChangeLog b/ChangeLog index 96c58bb5..51ba4f90 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition * parsing of action in jail-configs considers space between action-names as separator also (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` * new filter and jail for GitLab recognizing failed application logins (gh-2689) +* new filter and jail for Grafana recognizing failed application logins (gh-2855) * new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723) * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631) * `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778) diff --git a/config/filter.d/grafana.conf b/config/filter.d/grafana.conf new file mode 100644 index 00000000..78ded075 --- /dev/null +++ b/config/filter.d/grafana.conf 
@@ -0,0 +1,9 @@ +# Fail2Ban filter for Grafana +# Detecting unauthorized access +# Typically logged in /var/log/grafana/grafana.log + +[Init] +datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z + +[Definition] +failregex = ^.*msg="Invalid username or password".* remote_addr=$ diff --git a/config/jail.conf b/config/jail.conf index 5ca67749..ddbcf61e 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -828,6 +828,10 @@ logpath = /usr/local/vpnserver/security_log/*/sec.log port = http,https logpath = /var/log/gitlab/gitlab-rails/application.log +[grafana] +port = http,https +logpath = /var/log/grafana/grafana.log + [bitwarden] port = http,https logpath = /home/*/bwdata/logs/identity/Identity/log.txt diff --git a/fail2ban/tests/files/logs/grafana b/fail2ban/tests/files/logs/grafana new file mode 100644 index 00000000..aac86ebc --- /dev/null +++ b/fail2ban/tests/files/logs/grafana @@ -0,0 +1,5 @@ +# Access of unauthorized host in /var/log/grafana/grafana.log +# failJSON: { "time": "2020-10-19T17:44:33", "match": true , "host": "182.56.23.12" } +t=2020-10-19T17:44:33+0200 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password" remote_addr=182.56.23.12 +# failJSON: { "time": "2020-10-19T18:44:33", "match": true , "host": "182.56.23.13" } +t=2020-10-19T18:44:33+0200 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="User not found" remote_addr=182.56.23.13 From 1c1a9b868c6c7677c929ede5e8c1cb8f16d3be41 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Mon, 9 Nov 2020 15:36:30 +0100 Subject: [PATCH 7/7] no catch-alls, user name and error message stored in ticket --- config/filter.d/grafana.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/grafana.conf b/config/filter.d/grafana.conf index 78ded075..e7f0f420 100644 --- a/config/filter.d/grafana.conf +++ b/config/filter.d/grafana.conf 
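Review bot: The new `[grafana]` jail in config/jail.conf bans `port = http,https`, but Grafana's stock configuration (per its documentation, not visible here, so worth confirming) listens on TCP 3000, so on a host that exposes Grafana directly the ban never covers the port the attacker is using and only a reverse-proxy deployment is protected. Either add the port, `port = http,https,3000`, or add a comment above the jail saying the default assumes Grafana sits behind an http/https proxy and `port` must be overridden otherwise. The jail's `logpath = /var/log/grafana/grafana.log` does agree with the header comment of the new filter, so that part is consistent.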
@@ -6,4 +6,4 @@ datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z [Definition] -failregex = ^.*msg="Invalid username or password".* remote_addr=$ +failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"[^"]+"|\S+)| error="[^"]+"| \S+=(?:\S*|"[^"]+"))* remote_addr=$
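Review bot: The `uname=` value in the rewritten failregex is the login name the client typed, and as far as I can see the regex relies on the final ` remote_addr=<HOST>$` anchor so that a name such as `a remote_addr=1.2.3.4` cannot plant a fake address, yet the filter has no DEV note recording this or the logfmt quoting the two `uname=` alternatives assume. I'd add `# DEV Notes:` / `# uname is client-supplied; keep the trailing remote_addr=<HOST>$ anchor so a crafted user name cannot displace the real address. Values containing spaces are expected double-quoted (logfmt), as the error="..." samples show.` The ` \S+=(?:\S*|"[^"]+")` skipper is what absorbs the empty `uname=` in both fixtures, which is fine, but no sample exercises the quoted `uname="..."` branch; one fixture line with a quoted user name would pin it.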