diff --git a/config/filter.d/groupoffice-lost-password.conf b/config/filter.d/groupoffice-lost-password.conf
new file mode 100644
index 00000000..bd28b158
--- /dev/null
+++ b/config/filter.d/groupoffice-lost-password.conf
@@ -0,0 +1,7 @@
+# Fail2Ban filter for Group-Office lost password requests
+# logpath must be the webserver error log
+
+[Definition]
+
+failregex = Lost password request from IP: ''
+ignoreregex =
diff --git a/config/filter.d/groupoffice.conf b/config/filter.d/groupoffice.conf
index 166c5fea..756a8e26 100644
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@@ -1,14 +1,7 @@
-# Fail2Ban filter for Group-Office
-#
-# Enable logging with:
-# $config['info_log']='/home/groupoffice/log/info.log';
-#
+# Fail2Ban filter for Group-Office authentication failures
+# logpath must be the webserver error log
 [Definition]
-failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $
-
+failregex = Password authentication failed for '\S+' from IP: ''
 ignoreregex =
-
-# Author: Daniel Black
-
diff --git a/config/jail.conf b/config/jail.conf
index 5d75f4f5..023f8285 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -450,7 +450,13 @@ logpath = /var/log/horde/horde.log
 [groupoffice]
 port = http,https
-logpath = /home/groupoffice/log/info.log
+logpath = /var/log/apache2/error.log
+
+[groupoffice-lost-password]
+
+port = http,https
+logpath = /var/log/apache2/error.log
+maxretry = 100
 [sogo-auth]
diff --git a/fail2ban/tests/files/logs/groupoffice b/fail2ban/tests/files/logs/groupoffice
index 7809f018..2a16a7a5 100644
--- a/fail2ban/tests/files/logs/groupoffice
+++ b/fail2ban/tests/files/logs/groupoffice
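Review bot: The new `failregex` in config/filter.d/groupoffice-lost-password.conf is not anchored, and the rewritten one in config/filter.d/groupoffice.conf drops the `^…$` anchors that the removed pattern had. In groupoffice.conf the login name matched by `'\S+'` is user-supplied and is logged ahead of the IP, so without an end anchor a name that itself contains the quoted `from IP:` phrase could make the filter pick up an address chosen by the submitter rather than the real client; a web server error log can carry other request-derived text as well. Both patterns should end at the line end, e.g. `failregex = Password authentication failed for '\S+' from IP: '<HOST>'$`, and would ideally also begin with a `^`-anchored match of the log prefix up to `[client …]`. The page shows empty quotes where the host group belongs; `<HOST>` is assumed in the quoted line.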
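Review bot: The header comment of config/filter.d/groupoffice.conf no longer tells the operator what has to be true on the Group-Office side for this filter to see anything. The old `LOGIN FAILED` pattern is removed outright, so an installation that still writes that format to info.log would stop producing bans without any error. I would add a comment line such as `# Older Group-Office releases logged "LOGIN FAILED ..." to info.log; those lines are no longer matched by this filter`, and name the first release that emits the new message once that is confirmed from the Group-Office changelog.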
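Review bot: Both jails in config/jail.conf hard-code `logpath = /var/log/apache2/error.log`, a path that exists only on Debian-style Apache layouts, so on other distributions or web servers the jail has no file to watch. If this file follows upstream Fail2Ban, where the Apache jails use the per-distribution path variable, `logpath = %(apache_error_log)s` would be the consistent choice for both sections. `maxretry = 100` on [groupoffice-lost-password] also needs a comment line above it stating the intent and the findtime it is meant to pair with, since with an inherited findtime only very high request rates would ever be banned. The hunk begins inside the preceding jail's section, so the defaults these jails inherit are not visible here.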
@@ -1,4 +1,4 @@
-# failJSON: { "time": "2014-01-06T10:59:38", "match": true, "host": "127.0.0.1" }
-[2014-01-06 10:59:38]LOGIN FAILED for user: "asdsad" from IP: 127.0.0.1
-# failJSON: { "time": "2014-01-06T10:59:49", "match": false, "host": "127.0.0.1" }
-[2014-01-06 10:59:49]LOGIN SUCCESS for user: "admin" from IP: 127.0.0.1
+# failJSON: { "time": "2024-03-26T07:59:08", "match": true, "host": "192.168.65.1" }
+localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for '192.168.100.100' from IP: '192.168.65.1'
+# failJSON: { "time": "2024-03-26T08:17:24", "match": false, "host": "192.168.65.1" }
+localhost [Tue Mar 26 08:17:24 2024] [notice] [pid 90] [client 192.168.65.1:17733] Lost password request from IP: '192.168.65.1'
diff --git a/fail2ban/tests/files/logs/groupoffice-lost-password b/fail2ban/tests/files/logs/groupoffice-lost-password
new file mode 100644
index 00000000..78dc73fb
--- /dev/null
+++ b/fail2ban/tests/files/logs/groupoffice-lost-password
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2024-03-26T07:59:08", "match": false, "host": "192.168.65.1" }
+localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for 'johndoe' from IP: '192.168.65.1'
+# failJSON: { "time": "2024-03-26T08:17:24", "match": true, "host": "192.168.65.1" }
+localhost [Tue Mar 26 08:17:24 2024] [notice] [pid 90] [client 192.168.65.1:17733] Lost password request from IP: '192.168.65.1'
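Review bot: The fixtures in fail2ban/tests/files/logs/groupoffice and fail2ban/tests/files/logs/groupoffice-lost-password contain only well-formed lines, so they pass whether or not the filter patterns are anchored. The sample with login name '192.168.100.100' already checks that the host is not taken from the name field. I would add one more `# failJSON` pair to the groupoffice file whose login-name field contains quote characters and the words `from IP:`, with the expected `"host"` being the trailing client address. That sample would pin the end anchor and catch any later regression in it.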