Merge 9c83a7121c into dc899e438f

config/filter.d/nextcloud-auth.conf

@@ -0,0 +1,14 @@
+# Fail2Ban filter file for Nextcloud login failures
+#
+# Author: Sergey G. Brester (sebres)
+# Notice: Is also triggered by problems with the authentication provider,
+#         see https://github.com/fail2ban/fail2ban/pull/3581#issuecomment-1924903039
+#
+
+[INCLUDES]
+
+before = nextcloud-common.conf
+
+[Definition]
+
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:

config/filter.d/nextcloud-common.conf

@@ -0,0 +1,28 @@
+# Fail2Ban common filter file for Nextcloud
+#
+# Author: Sergey G. Brester (sebres)
+#
+
+[INCLUDES]
+# Read common prefixes
+before = common.conf
+
+[DEFAULT]
+logging = all
+
+# logging prefixes
+#   all - universal prefix (logfile, syslog)
+#   logfile - logfile only
+#   syslog - syslog only
+# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
+# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
+nextcloud-prefix-logfile =
+nextcloud-prefix-syslog = %(__prefix_line)s
+nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
+
+nextcloud-prefix = <nextcloud-prefix-<logging>>
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
+
+datepattern = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

config/filter.d/nextcloud-domain.conf

@@ -0,0 +1,13 @@
+# Fail2Ban filter file for Nextcloud trusted domain errors
+#
+# Author: Sergey G. Brester (sebres) and eibex
+# Notice: Nextcloud log level has to be configured to include infos
+#
+
+[INCLUDES]
+
+before = nextcloud-common.conf
+
+[Definition]
+
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.

config/jail.conf

@@ -892,6 +892,15 @@ logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 backend  = %(syslog_backend)s
 maxretry = 1
 
+[nextcloud-auth]
+# logpath depends on the installation
+port     = http,https
+protocol = tcp
+
+[nextcloud-domain]
+# logpath depends on the installation
+port     = http,https
+protocol = tcp
 
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above

fail2ban/tests/files/logs/nextcloud-auth

@@ -0,0 +1,14 @@
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T20:34:37+00:00","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T22:58:33.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"FjzPcU7QINXYX3HhwOkO","level":2,"time":"2023-09-24T20:58:33+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: \"remoteAddr\":\"127.0.0.1\" (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}

fail2ban/tests/files/logs/nextcloud-domain

@@ -0,0 +1,10 @@
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
+# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}