diff --git a/ChangeLog b/ChangeLog index 7ebf401d..ea25f313 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782) - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907) * `filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal, gh-3954) +* `filter.d/froxlor-auth.conf` - updated the regex to the new logging situation for froxlor and changed logpath in jail.conf (gh-4075). ### New Features and Enhancements * backend `systemd` extended with new parameter `rotated` (default `false`, as prevention against "too many open files"), diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf index d8f3785c..c6f35e15 100644 --- a/config/filter.d/froxlor-auth.conf +++ b/config/filter.d/froxlor-auth.conf @@ -1,11 +1,15 @@ # Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s) # # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages -# Froxlor: [Login Action ] Unknown user '' tried to login. -# Froxlor: [Login Action ] User '' tried to login with wrong password. +# - for type=2 +# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} [] +# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} [] +# - for type=1: +# Froxlor: [Login Action ] Unknown user '' tried to login. +# Froxlor: [Login Action ] User '' tried to login with wrong password. # # Author: Joern Muehlencord -# +# Modified: Para-do-x™️ - Andreas Duennwald [INCLUDES] 
@@ -13,28 +17,18 @@ # common.local before = common.conf +[DEFAULT] +_daemon = [Ff]roxlor + +_re = (?:Unknown )?[uU]ser(?: '(?:\S*|[^']*)')? tried to login(?: with wrong password)?\. + +[type1] +failregex = ^%(__prefix_line)s\[Login Action \] %(_re)s$ + +[type2] +failregex = ^%(__prefix_line)sfroxlor\.WARNING: %(_re)s \{(?:"[^"]+":"[^"]*",\s*){,5}"user":""\} \[\]$ [Definition] - -_daemon = Froxlor - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# - -prefregex = ^%(__prefix_line)s\[Login Action \] .+$ - -failregex = ^Unknown user \S* tried to login.$ - ^User \S* tried to login with wrong password.$ - - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# +type = 2 +failregex = /failregex> ignoreregex = - diff --git a/config/jail.conf b/config/jail.conf index 5d75f4f5..66d6b107 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -501,7 +501,7 @@ backend = %(syslog_backend)s [froxlor-auth] port = http,https -logpath = %(syslog_authpriv)s +logpath = %(syslog_user)s backend = %(syslog_backend)s diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth index 2a2c2fc4..067bf2e0 100644 --- a/fail2ban/tests/files/logs/froxlor-auth +++ b/fail2ban/tests/files/logs/froxlor-auth 
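Review bot: With `type = 2` as the default in `[Definition]`, a jail watching a Froxlor release that still writes the older `[Login Action …]` lines stops matching after this update without any error. Failed logins then go uncounted until the operator selects the old format explicitly, e.g. `filter = froxlor-auth[type=1]`. The `logpath` switch to `%(syslog_user)s` in the jail.conf hunk can have the same silent effect for setups whose Froxlor messages were landing in the auth log, so both changes deserve an explicit upgrade note. The hunk also removes the old option comments and leaves the new `type` option undocumented; above `type = 2` I would add `# Option: type` and `# Values: 1 = legacy "[Login Action ...]" lines, 2 = "froxlor.WARNING: ... {json} []" lines (default)`. Separately, the `{,5}` bound on the JSON pairs before `"user"` in `[type2]` means a context object with more keys will silently stop matching, which is worth a one-line comment next to the regex.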
@@ -1,5 +1,11 @@ +# filterOptions: [{"type": "1"}] # failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" } May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login. # failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" } May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password. +# filterOptions: [{}, {"type": "2"}] +# failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" } +2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} [] +# failJSON: { "time": "2025-09-21T16:30:13", "match": true , "host": "1.2.3.4" } +2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []
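Review bot: The added samples cover only lines that should match, so nothing pins the parts of the filter whose behaviour changed. `_re` now accepts a quoted name containing spaces through `[^']*`, and the `[type2]` pattern takes the host from the trailing `"user"` value, yet no sample has a name with a space or quote. There is also no `"match": false` line showing that a `froxlor.WARNING` entry with a different message is ignored. For type 1 I would add a constructed line such as `May 21 00:58:00 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'some user' tried to login.` with `"match": true`. For type 2 I would add a constructed non-login warning preceded by `# failJSON: { "match": false }`, so a later loosening of the anchors shows up as a test failure rather than as false bans.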