Merge pull request #4075 from para-do-x/froxlor-auth

Froxlor auth update
2025-09-24 16:58:27 +02:00 · 2025-09-24 16:58:27 +02:00 · dda4aa7d2d
parent 65668b8ed8 ad9aba5871
commit dda4aa7d2d
4 changed files with 27 additions and 26 deletions
--- a/1
+++ b/1
@ -69,6 +69,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
    several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
  - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)
 * `filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal, gh-3954)
+* `filter.d/froxlor-auth.conf` - updated the regex to the new logging situation for froxlor and changed logpath in jail.conf (gh-4075).	

 ### New Features and Enhancements
 * backend `systemd` extended with new parameter `rotated` (default `false`, as prevention against "too many open files"),
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@ -1,11 +1,15 @@
 # Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
 # 
 # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
-# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
-# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
+# - for type=2
+#     <syslog prefix> froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"<ADDR>"} []
+#     <syslog prefix> froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"<ADDR>"} []
+# - for type=1:
+#     <syslog prefix> Froxlor: [Login Action <ADDR>] Unknown user '<USER>' tried to login.
+#     <syslog prefix> Froxlor: [Login Action <ADDR>] User '<USER>' tried to login with wrong password.
 #
 # Author: Joern Muehlencord
-#
+# Modified: Para-do-x™️ - Andreas Duennwald

 [INCLUDES]

@ -13,28 +17,18 @@
 # common.local
 before = common.conf

+[DEFAULT]
+_daemon = [Ff]roxlor
+
+_re = (?:Unknown )?[uU]ser(?: '<F-USER>(?:\S*|[^']*)</F-USER>')? tried to login(?: with wrong password)?\.
+
+[type1]
+failregex = ^%(__prefix_line)s\[Login Action <ADDR>\] %(_re)s$
+
+[type2]
+failregex = ^%(__prefix_line)sfroxlor\.WARNING: %(_re)s \{(?:"[^"]+":"[^"]*",\s*){,5}"user":"<ADDR>"\} \[\]$

 [Definition]
-
-_daemon = Froxlor
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-
-prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^Unknown user \S* tried to login.$
-            ^User \S* tried to login with wrong password.$
-
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
+type = 2
+failregex = <type<type>/failregex>
 ignoreregex =
-
--- a/config/jail.conf
+++ b/config/jail.conf
@ -501,7 +501,7 @@ backend = %(syslog_backend)s
 [froxlor-auth]

 port    = http,https
-logpath  = %(syslog_authpriv)s
+logpath  = %(syslog_user)s
 backend  = %(syslog_backend)s


--- a/fail2ban/tests/files/logs/froxlor-auth
+++ b/fail2ban/tests/files/logs/froxlor-auth
@ -1,5 +1,11 @@
+# filterOptions: [{"type": "1"}]
 # failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
 May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
 # failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
 May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.

+# filterOptions: [{}, {"type": "2"}]
+# failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" }
+2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} []
+# failJSON: { "time": "2025-09-21T16:30:13", "match": true , "host": "1.2.3.4" }
+2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []