From 91a37b5e49c777150019d86cc9ecd3347aa24bf7 Mon Sep 17 00:00:00 2001
From: Merijn Schering
Date: Tue, 26 Mar 2024 09:15:49 +0100
Subject: [PATCH 1/4] Update groupoffice.conf

Updated for Group-Office 6.7+
---
 config/filter.d/groupoffice.conf | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/config/filter.d/groupoffice.conf b/config/filter.d/groupoffice.conf
index 166c5fea..cc1aae8a 100644
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@@ -1,14 +1,7 @@
 # Fail2Ban filter for Group-Office
-#
-# Enable logging with:
-# $config['info_log']='/home/groupoffice/log/info.log';
-#
+# logpath must be the webserver error log
 [Definition]
-failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $
-
+failregex = Password authentication failed for '\S+' from IP: ''$
 ignoreregex =
-
-# Author: Daniel Black
-

From f3510fe8639d7e10dcfb7bb83ed8e8e42a669a74 Mon Sep 17 00:00:00 2001
From: Merijn Schering
Date: Tue, 26 Mar 2024 09:28:49 +0100
Subject: [PATCH 2/4] Updated fail2ban config for Group-Office 6.7+

---
 config/filter.d/groupoffice-lost-password.conf | 7 +++++++
 config/filter.d/groupoffice.conf | 2 +-
 config/jail.conf | 8 +++++++-
 fail2ban/tests/files/logs/groupoffice | 8 ++++----
 fail2ban/tests/files/logs/groupoffice-lost-password | 4 ++++
 5 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 config/filter.d/groupoffice-lost-password.conf
 create mode 100644 fail2ban/tests/files/logs/groupoffice-lost-password

diff --git a/config/filter.d/groupoffice-lost-password.conf b/config/filter.d/groupoffice-lost-password.conf
new file mode 100644
index 00000000..7a536240
--- /dev/null
+++ b/config/filter.d/groupoffice-lost-password.conf
@@ -0,0 +1,7 @@
+# Fail2Ban filter for Group-Office lost password requests
+# logpath must be the webserver error log
+
+[Definition]
+
+failregex = Lost password request from IP: ''$
+ignoreregex = 
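Review bot: The new failregex takes `<HOST>` from the application-formatted `from IP: '…'` field, while the `'\S+'` immediately before it is the submitted username, i.e. attacker-chosen form input, and the expression has no `^` anchor, so what the application echoes into that field shapes everything the pattern sees before `<HOST>`. The Apache error-log prefix shown in the fixtures already carries the server-observed address as `[client 192.168.65.1:17672]`, which is what the apache-* filters match via `_apache_error_client` from apache-common.conf; consider `before = apache-common.conf` with `failregex = ^%(_apache_error_client)s Password authentication failed for '\S+' from IP: '\S+'`, noting that the shipped prefix expects an `[error]` or `[module:level]` field and may need adapting to the `[notice]` lines in the test log, and that behind a reverse proxy `[client …]` would be the proxy's address. The same applies to `groupoffice-lost-password.conf` added in the following hunk. The `<HOST>` tag itself appears to have been stripped from these rendered lines (`from IP: ''$`), so the quoted form should be checked against the actual file.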
diff --git a/config/filter.d/groupoffice.conf b/config/filter.d/groupoffice.conf
index cc1aae8a..b103bb3a 100644
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@@ -1,4 +1,4 @@
-# Fail2Ban filter for Group-Office
+# Fail2Ban filter for Group-Office authentication failures
 # logpath must be the webserver error log
 [Definition]
diff --git a/config/jail.conf b/config/jail.conf
index 01e1fdf7..135ee60c 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -450,7 +450,13 @@ logpath = /var/log/horde/horde.log
 [groupoffice]
 port = http,https
-logpath = /home/groupoffice/log/info.log
+logpath = /var/log/apache2/error.log
+
+[groupoffice-lost-password]
+
+port = http,https
+logpath = /var/log/apache2/error.log
+maxretry = 100
 [sogo-auth]
diff --git a/fail2ban/tests/files/logs/groupoffice b/fail2ban/tests/files/logs/groupoffice
index 7809f018..2d19f8fd 100644
--- a/fail2ban/tests/files/logs/groupoffice
+++ b/fail2ban/tests/files/logs/groupoffice
@@ -1,4 +1,4 @@
-# failJSON: { "time": "2014-01-06T10:59:38", "match": true, "host": "127.0.0.1" }
-[2014-01-06 10:59:38]LOGIN FAILED for user: "asdsad" from IP: 127.0.0.1
-# failJSON: { "time": "2014-01-06T10:59:49", "match": false, "host": "127.0.0.1" }
-[2014-01-06 10:59:49]LOGIN SUCCESS for user: "admin" from IP: 127.0.0.1
+# failJSON: { "time": "2024-03-26T07:59:08", "match": true, "host": "192.168.65.1" }
+localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for 'johndoe' from IP: '192.168.65.1'
+# failJSON: { "time": "2024-03-26T08:17:24", "match": false, "host": "192.168.65.1" }
+localhost [Tue Mar 26 08:17:24 2024] [notice] [pid 90] [client 192.168.65.1:17733] Lost password request from IP: '192.168.65.1'
diff --git a/fail2ban/tests/files/logs/groupoffice-lost-password b/fail2ban/tests/files/logs/groupoffice-lost-password
new file mode 100644
index 00000000..78dc73fb
--- /dev/null
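Review bot: `logpath = /var/log/apache2/error.log` hard-codes a Debian-style path in both the `[groupoffice]` jail and the new `[groupoffice-lost-password]` jail, whereas the other Apache-reading jails in jail.conf take it from paths-common.conf as `logpath = %(apache_error_log)s`, which resolves per distribution through the `paths-*.conf` overrides. Using the same variable in both jails keeps them consistent with the rest of the file and avoids a path that is wrong on non-Debian systems. `maxretry = 100` for the lost-password jail is a deliberate policy choice but is undocumented; a one-line comment above it such as `# lost-password requests are normal traffic; ban only on a flood` would record the intent next to the value.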
+++ b/fail2ban/tests/files/logs/groupoffice-lost-password
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2024-03-26T07:59:08", "match": false, "host": "192.168.65.1" }
+localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for 'johndoe' from IP: '192.168.65.1'
+# failJSON: { "time": "2024-03-26T08:17:24", "match": true, "host": "192.168.65.1" }
+localhost [Tue Mar 26 08:17:24 2024] [notice] [pid 90] [client 192.168.65.1:17733] Lost password request from IP: '192.168.65.1'

From 8e1010b07ac9cca64b4cd13f8667df1e0f3db064 Mon Sep 17 00:00:00 2001
From: Merijn Schering
Date: Tue, 26 Mar 2024 09:48:06 +0100
Subject: [PATCH 3/4] try to spoof IP

---
 fail2ban/tests/files/logs/groupoffice | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/files/logs/groupoffice b/fail2ban/tests/files/logs/groupoffice
index 2d19f8fd..2a16a7a5 100644
--- a/fail2ban/tests/files/logs/groupoffice
+++ b/fail2ban/tests/files/logs/groupoffice
@@ -1,4 +1,4 @@
 # failJSON: { "time": "2024-03-26T07:59:08", "match": true, "host": "192.168.65.1" }
-localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for 'johndoe' from IP: '192.168.65.1'
+localhost [Tue Mar 26 07:59:08 2024] [notice] [pid 1662] [client 192.168.65.1:17672] Password authentication failed for '192.168.100.100' from IP: '192.168.65.1'
 # failJSON: { "time": "2024-03-26T08:17:24", "match": false, "host": "192.168.65.1" }
 localhost [Tue Mar 26 08:17:24 2024] [notice] [pid 90] [client 192.168.65.1:17733] Lost password request from IP: '192.168.65.1'

From 3b3a9676af3fae877284369af8268eaf1f0b4e9b Mon Sep 17 00:00:00 2001
From: Merijn Schering
Date: Tue, 26 Mar 2024 10:25:53 +0100
Subject: [PATCH 4/4] Don't match end of line for fcgi

---
 config/filter.d/groupoffice-lost-password.conf | 2 +-
 config/filter.d/groupoffice.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
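Review bot: The spoof fixture only covers a username that is itself an IP address (`'192.168.100.100'`), which `'\S+'` consumes before the `from IP:` literal, so it does not exercise the harder case of a username containing a quote or the `from IP:` text; with the `$` anchor still present at this patch such a line simply fails to match, and the next patch removes that anchor. A second fixture line with a delimiter-containing username and the real `[client …]` address as the expected `host` would pin the behaviour the filter has to keep, and would make the effect of the anchor removal visible in the test run. The expected `host` of `192.168.65.1` on the changed line is correct.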
diff --git a/config/filter.d/groupoffice-lost-password.conf b/config/filter.d/groupoffice-lost-password.conf
index 7a536240..bd28b158 100644
--- a/config/filter.d/groupoffice-lost-password.conf
+++ b/config/filter.d/groupoffice-lost-password.conf
@@ -3,5 +3,5 @@
 [Definition]
-failregex = Lost password request from IP: ''$
+failregex = Lost password request from IP: ''
 ignoreregex =
diff --git a/config/filter.d/groupoffice.conf b/config/filter.d/groupoffice.conf
index b103bb3a..756a8e26 100644
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@@ -3,5 +3,5 @@
 [Definition]
-failregex = Password authentication failed for '\S+' from IP: ''$
+failregex = Password authentication failed for '\S+' from IP: ''
 ignoreregex =
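Review bot: Dropping the trailing `$` leaves both expressions unanchored at either end, and in groupoffice.conf the `'\S+'` before `<HOST>` is the submitted username, so a username that embeds the `' from IP: '` delimiter followed by another address would now make that other address the `<HOST>` result and get an arbitrary third party banned; with the anchor in place that line did not match at all, which is the safer failure. If the fcgi variant of the line carries a known trailer, match it explicitly and keep the anchor, e.g. `from IP: '<HOST>'(?:<FCGI_TRAILER>)?$` with `<FCGI_TRAILER>` being a placeholder for the literal text observed in the fcgi log, or take `<HOST>` from Apache's own `[client …]` field instead of the application-supplied one. The series adds no fcgi-format line to the fixtures, so the reason for this change is untested; please add one `match: true` line in that format alongside the mod_php one. The groupoffice-lost-password.conf hunk above has the same anchor removal, though no user-controlled field precedes `<HOST>` there.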