filter.d/nginx-http-auth.conf: added optional prefix to support systemd-journal format and additional timestamp (optionally) in prefix

pull/3467/merge
sebres 2023-12-10 14:39:21 +01:00
parent 44fa2959e7
commit b245225b13
2 changed files with 22 additions and 2 deletions


@ -1,12 +1,27 @@
# fail2ban filter configuration for nginx
[DEFAULT]
# Type of log-file resp. log-format (file, short, journal, rfc5424):
logtype = file
[lt_file]
__prefix_line = \s*
[lt_short]
__prefix_line = \s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?
[lt_journal]
__prefix_line = %(lt_short/__prefix_line)s
[Definition]
mode = normal
mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
__prefix_line = <lt_<logtype>/__prefix_line>
mdre-auth = ^%(__prefix_line)s\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
mdre-fallback = ^%(__prefix_line)s\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
mdre-normal = %(mdre-auth)s
mdre-aggressive = %(mdre-auth)s
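Review bot: The logtype comment in `[DEFAULT]` lists `rfc5424` as a valid value, but the hunk defines only `[lt_file]`, `[lt_short]` and `[lt_journal]`, so with `logtype = rfc5424` the lookup `<lt_<logtype>/__prefix_line>` has nothing to resolve against unless a section is supplied outside the visible lines. For a ban filter that is a quiet detection gap: the auth-failure patterns would presumably fail to load or simply stop matching, and nothing at the point of misconfiguration says so. Either drop the value from the comment, `# Type of log-file resp. log-format (file, short, journal):`, or add an `[lt_rfc5424]` section with a prefix written for that format. A short comment above `[lt_short]` would also help, for example `# optional "host nginx[pid]: " prefix, then any text without "[" (e.g. nginx's own timestamp) before the level tag`, because `[^\[]*` appears deliberately loose and is only bounded by the `^` anchor and the literal `[error]`/`[crit]` that follows.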


@ -13,6 +13,11 @@
# failJSON: { "time": "2014-04-03T22:20:40", "match": true, "host": "192.0.2.2", "desc": "trying injection on user name"}
2014/04/03 22:20:40 [error] 30708#0: *3 user "test": password mismatch, client: 127.0.0.1, server: test, request: "GET / HTTP/1.1", host: "localhost:8443"": was not found in "/etc/nginx/.htpasswd", client: 192.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443"
# filterOptions: [{"logtype": "journal"}]
# failJSON: { "match": true, "host": "192.0.2.3", "desc": "systemd journal message, with optional extra timestamp, gh-3646"}
host nginx[983478]: 2023/12/09 21:35:20 [error] 983478#983478: *3 user "fakeusername" was not found in "/var/lib/nginx/htpasswd-for-host.example.com", client: 192.0.2.3, server: host.example.com, request: "GET / HTTP/2.0", host: "host.example.com"
# filterOptions: [{"mode": "fallback"}]
# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }