diff --git a/ChangeLog b/ChangeLog index 1d9c96a2..d389ea0c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,7 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition ### New Features * new failregex-flag tag `` for failregex, signaled that the access to service was gained (ATM used similar to tag ``, but it does not add the log-line to matches, gh-2279) +* `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik ### Enhancements * jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations diff --git a/config/filter.d/traefik-auth.conf b/config/filter.d/traefik-auth.conf new file mode 100644 index 00000000..8321a138 --- /dev/null +++ b/config/filter.d/traefik-auth.conf @@ -0,0 +1,56 @@ +# Fail2ban filter configuration for traefik :: auth +# used to ban hosts, that were failed through traefik +# +# Author: CrazyMax +# +# To use 'traefik-auth' filter you have to configure your Traefik instance to write +# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs +# into a log file on host and specifiy users for Basic Authentication +# https://docs.traefik.io/configuration/entrypoints/#basic-authentication +# +# Example: +# +# version: "3.2" +# +# services: +# traefik: +# image: traefik:latest +# command: +# - "--loglevel=INFO" +# - "--accesslog=true" +# - "--accessLog.filePath=/var/log/access.log" +# # - "--accessLog.filters.statusCodes=400-499" +# - "--defaultentrypoints=http,https" +# - "--entryPoints=Name:http Address::80" +# - "--entryPoints=Name:https Address::443 TLS" +# - "--docker.domain=example.com" +# - "--docker.watch=true" +# - "--docker.exposedbydefault=false" +# - "--api=true" +# - "--api.dashboard=true" +# ports: +# - target: 80 +# published: 80 +# protocol: tcp +# mode: host +# - target: 443 +# published: 443 +# protocol: tcp +# mode: host +# labels: +# - "traefik.enable=true" +# - "traefik.port=8080" +# - "traefik.backend=traefik" +# - "traefik.frontend.rule=Host:traefik.example.com" +# - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/" +# volumes: +# - "/var/log/traefik:/var/log" +# - "/var/run/docker.sock:/var/run/docker.sock" +# restart: always +# + +[Definition] + +failregex = ^ \- (?!- )\S+ \[\] \"(GET|POST|HEAD) [^\"]+\" 401\b + +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index daebf48b..e61731c6 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -888,3 +888,8 @@ backend = %(syslog_backend)s port = http,https logpath = %(apache_error_log)s +[traefik-auth] +# to use 'traefik-auth' filter you have to configure your Traefik instance, +# see `filter.d/traefik-auth.conf` for details and service example. +port = http,https +logpath = /var/log/traefik/access.log diff --git a/fail2ban/tests/files/logs/traefik-auth b/fail2ban/tests/files/logs/traefik-auth new file mode 100644 index 00000000..3e7a8987 --- /dev/null +++ b/fail2ban/tests/files/logs/traefik-auth @@ -0,0 +1,6 @@ +# failJSON: { "match": false } +10.0.0.2 - - [18/Nov/2018:21:34:30 +0000] "GET /dashboard/ HTTP/2.0" 401 17 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" 72 "Auth for frontend-Host-traefik-0" "/dashboard/" 0ms +# failJSON: { "time": "2018-11-18T22:34:34", "match": true , "host": "10.0.0.2" } +10.0.0.2 - username [18/Nov/2018:21:34:34 +0000] "GET /dashboard/ HTTP/2.0" 401 17 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" 72 "Auth for frontend-Host-traefik-0" "/dashboard/" 0ms +# failJSON: { "match": false } +10.0.0.2 - username [27/Nov/2018:23:33:31 +0000] "GET /dashboard/ HTTP/2.0" 200 716 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" 118 "Host-traefik-0" "/dashboard/" 4ms