From db9baf37350f10cb1e279a321c3a95f37835b472 Mon Sep 17 00:00:00 2001
From: Timothy Gu
Date: Sun, 20 Nov 2016 17:33:37 -0800
Subject: [PATCH] squid-filter: recognize 407 responses in failregex

407 is the HTTP status code for Proxy Authentication Required, and in Squid such denied requests are results of proxy authentication failures.
---
 ChangeLog | 2 ++
 config/filter.d/squid.conf | 4 ++--
 fail2ban/tests/files/logs/squid | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ca7864fc..bd5faa9b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,8 @@ releases.
   - optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
   - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
   - optional port part after host (see gh-1533, gh-1581)
+* `filter.d/squid.conf`
+  - Recognize 407 Proxy Authentication Required as failures (gh-1615)
 ### New Features
diff --git a/config/filter.d/squid.conf b/config/filter.d/squid.conf
index e26cab9c..aa51207b 100644
--- a/config/filter.d/squid.conf
+++ b/config/filter.d/squid.conf
@@ -1,10 +1,10 @@
-# Fail2Ban filter for Squid attempted proxy bypasses
+# Fail2Ban filter for Squid attempted proxy bypasses and bruteforcing
 #
 #
 [Definition]
-failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$
+failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/40[37] .*$
             ^\s+\d\s\s+NONE/405 .*$
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/squid b/fail2ban/tests/files/logs/squid
index 300a8ac5..62ca326c 100644
--- a/fail2ban/tests/files/logs/squid
+++ b/fail2ban/tests/files/logs/squid
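Review bot: Widening the first `failregex` line to `_DENIED/40[37]` makes every 407 response count as a failure, but 407 is also the challenge a proxy returns before a client has presented any credentials, so each new unauthenticated session from a legitimate user produces one matching line and a low `maxretry` will ban real users rather than only bruteforcers. The new test line carries a username (`tgu1`) in the user field, which is presumably populated only once credentials were actually sent while a bare challenge leaves it as `-`; if that holds, putting 407 on its own `failregex` line that requires a non-`-` user field would separate rejected credentials from challenges. At minimum the header comment should state the caveat, e.g. `# 407 is also the challenge sent before credentials are presented; size maxretry/findtime accordingly`. The rendered hunk shows no `<HOST>` token in either regex; if that is the real file content rather than an artifact of the page rendering, the filter has no capture for the address to ban.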
@@ -11,3 +11,6 @@
 # failJSON: { "time": "2013-12-09T00:09:06.000", "match": true , "host": "175.42.91.151" }
 1386544146.000 1 175.42.91.151 TCP_DENIED/403 3745 GET http://pkfsp.ru/wp-content/uploads/proxyc/engine.php - HIER_NONE/- text/html
+
+# failJSON: { "time": "2016-11-21T01:12:54.000", "match": true, "host": "98.189.78.228" }
+1479687174.000 1 98.189.78.228 TCP_DENIED/407 4259 CONNECT www.google.com:443 tgu1 HIER_NONE/- text/html