From 897b21a4c56c51ac7580dc1a3de6b07876528487 Mon Sep 17 00:00:00 2001
From: para-do-x
Date: Mon, 22 Sep 2025 09:46:46 +0400
Subject: [PATCH 1/6] Update froxlor-auth.conf updated the regex to the new logging situation for froxlor.
---
 config/filter.d/froxlor-auth.conf | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf
index d8f3785c..632b12fa 100644
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@@ -1,11 +1,13 @@
 # Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
 #
 # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
-# Froxlor: [Login Action ] Unknown user '' tried to login.
-# Froxlor: [Login Action ] User '' tried to login with wrong password.
+# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} []
+# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} []
 #
 # Author: Joern Muehlencord
 #
+# Modified: Para-do-x™️ - Andreas Duennwald
+#
 [INCLUDES]
@@ -16,7 +18,7 @@ before = common.conf
 [Definition]
-_daemon = Froxlor
+_daemon = froxlor
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
@@ -26,15 +28,12 @@ _daemon = Froxlor
 # Values: TEXT
 #
-prefregex = ^%(__prefix_line)s\[Login Action \] .+$
-
-failregex = ^Unknown user \S* tried to login.$
- ^User \S* tried to login with wrong password.$
-
+prefregex =
+failregex = ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""\S* \[\] ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: User tried to login with wrong password. \{"source":"login","action":"50","user":""\S* \[\]
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
-
From abdd0d4b25b8f1f021d858d8d8cd8a321461fac0 Mon Sep 17 00:00:00 2001
From: para-do-x
Date: Mon, 22 Sep 2025 09:49:33 +0400
Subject: [PATCH 2/6] Update jail.conf for froxlor-auth Changed logpath to syslog_user for froxlor-auth
---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/jail.conf b/config/jail.conf
index 5d75f4f5..66d6b107 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -501,7 +501,7 @@ backend = %(syslog_backend)s
 [froxlor-auth]
 port = http,https
-logpath = %(syslog_authpriv)s
+logpath = %(syslog_user)s
 backend = %(syslog_backend)s
From 1379a262f6e87c9ad06da44a817c0f47278d5e31 Mon Sep 17 00:00:00 2001
From: para-do-x
Date: Wed, 24 Sep 2025 11:06:54 +0400
Subject: [PATCH 3/6] Update froxlor-auth testfile
---
 fail2ban/tests/files/logs/froxlor-auth | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth
index 2a2c2fc4..0f61da88 100644
--- a/fail2ban/tests/files/logs/froxlor-auth
+++ b/fail2ban/tests/files/logs/froxlor-auth
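Review bot: Neither new `failregex` line in the `@@ -26,15 +28,12 @@` hunk of patch 1/6 ends with `$`, and each allows `\S*` after the closing quote of the `"user"` value, so a match is decided by a prefix of the line rather than by the whole record. The first pattern also leaves `.` and `{` unescaped while the second writes `\{`. Because the address to ban sits at the very end of the line (the host tag, presumably `<HOST>`, appears to have been dropped from this page between the empty quotes), I would close both patterns with `"user":"<HOST>"\} \[\]$` and escape the literal dots. The `\S* froxlor\[\S+\]:` that follows `%(__prefix_line)s` also looks redundant with `_daemon = froxlor`, which should already cover the `froxlor[pid]:` tag. The `[Definition]` section these options belong to starts outside this hunk.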
@@ -1,5 +1,4 @@
-# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
-May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
-# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
-May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.
-
+# failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" }
+2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} []
+# failJSON: { "time": "2005-05-21T16:30:13", "match": true , "host": "1.2.3.4" }
+2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []
From a9401233ddc58e7481a6ce0ae43e182e47215939 Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 24 Sep 2025 16:09:42 +0200
Subject: [PATCH 4/6] code review, make it backwards compatible to logging type=1 (as suggested in https://github.com/fail2ban/fail2ban/issues/2926#issuecomment-774780120); use by default type=2
---
 config/filter.d/froxlor-auth.conf | 41 +++++++++++---------------
 fail2ban/tests/files/logs/froxlor-auth | 9 +++++-
 2 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf
index 632b12fa..ab85c9cf 100644
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@@ -1,13 +1,15 @@
 # Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
 #
 # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
-# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} []
-# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} []
+# - for type=2
+# froxlor[1-6]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""} []
+# froxlor[1-6]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":""} []
+# - for type=1:
+# Froxlor: [Login Action ] Unknown user '' tried to login.
+# Froxlor: [Login Action ] User '' tried to login with wrong password.
 #
 # Author: Joern Muehlencord
-#
 # Modified: Para-do-x™️ - Andreas Duennwald
-#
 [INCLUDES]
@@ -15,25 +17,18 @@
 # common.local
 before = common.conf
+[DEFAULT]
+_daemon = [Ff]roxlor
+
+[type1]
+prefregex = ^%(__prefix_line)s\[Login Action \] .+$
+
+[type2]
+prefregex = ^%(__prefix_line)sfroxlor\.WARNING: .+ \{(?:"[^"]+":"[^"]*",\s*){,5}"user":""\} \[\]$
 [Definition]
-
-_daemon = froxlor
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-
-prefregex =
-failregex = ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":""\S* \[\]
- ^%(__prefix_line)s\S* froxlor\[\S+\]: froxlor.WARNING: User tried to login with wrong password. \{"source":"login","action":"50","user":""\S* \[\]
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
+type = 2
+prefregex = /prefregex>
+failregex = ^Unknown user(?: \S*)? tried to login\.$
+ ^User(?: \S*)? tried to login with wrong password\.$
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth
index 0f61da88..067bf2e0 100644
--- a/fail2ban/tests/files/logs/froxlor-auth
+++ b/fail2ban/tests/files/logs/froxlor-auth
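Review bot: `type = 2` under `[Definition]` changes the default silently for installations that still emit the legacy `Froxlor: [Login Action …]` lines: after an upgrade their failures stop matching unless the jail selects the old format, and this hunk removes the option comments without saying how to do that. I would add a comment above it, e.g. `# type: 2 = "froxlor.WARNING: … {json} []" (default), 1 = legacy "[Login Action <HOST>] …"; select with filter = froxlor-auth[type=1]`. The `[type2]` pattern also assumes at most five string-valued keys before `"user"` and nothing after it (`{,5}` followed by `"user":""\} \[\]$`); a one-line comment stating that assumption would help, since a format drift only shows up as bans no longer happening. The same tail is carried into `failregex` in patch 5/6.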
@@ -1,4 +1,11 @@
+# filterOptions: [{"type": "1"}]
+# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
+May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
+# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
+May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.
+
+# filterOptions: [{}, {"type": "2"}]
 # failJSON: { "time": "2025-09-21T17:46:18", "match": true , "host": "1.2.3.4" }
 2025-09-21T17:46:18.311379+02:00 hostname froxlor[1055219]: froxlor.WARNING: User tried to login with wrong password. {"source":"login","action":"50","user":"1.2.3.4"} []
-# failJSON: { "time": "2005-05-21T16:30:13", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2025-09-21T16:30:13", "match": true , "host": "1.2.3.4" }
 2025-09-21T16:30:13.118232+02:00 hostname froxlor[1054438]: froxlor.WARNING: Unknown user tried to login. {"source":"login","action":"50","user":"1.2.3.4"} []
From 13563fd09b05604a5be32625663ea4533facf66d Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 24 Sep 2025 16:23:05 +0200
Subject: [PATCH 5/6] combine both REs to single RE, no prefregex needed here
---
 config/filter.d/froxlor-auth.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf
index ab85c9cf..c6f35e15 100644
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
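Review bot: Every sample in this test-log hunk is a `"match": true` case, so nothing pins the `$` anchor or the JSON tail that the type 2 pattern depends on. I would add at least one negative sample per `filterOptions` group, marked `# failJSON: { "match": false }`, for example a type 2 line carrying extra text after the closing `[]`. The type 2 samples also exercise only the form without a login name, while the filter treats a name as optional; if Froxlor does emit one in this format, a sample with it belongs here too.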
@@ -20,15 +20,15 @@ before = common.conf
 [DEFAULT]
 _daemon = [Ff]roxlor
+_re = (?:Unknown )?[uU]ser(?: '(?:\S*|[^']*)')? tried to login(?: with wrong password)?\.
+
 [type1]
-prefregex = ^%(__prefix_line)s\[Login Action \] .+$
+failregex = ^%(__prefix_line)s\[Login Action \] %(_re)s$
 [type2]
-prefregex = ^%(__prefix_line)sfroxlor\.WARNING: .+ \{(?:"[^"]+":"[^"]*",\s*){,5}"user":""\} \[\]$
+failregex = ^%(__prefix_line)sfroxlor\.WARNING: %(_re)s \{(?:"[^"]+":"[^"]*",\s*){,5}"user":""\} \[\]$
 [Definition]
 type = 2
-prefregex = /prefregex>
-failregex = ^Unknown user(?: \S*)? tried to login\.$
- ^User(?: \S*)? tried to login with wrong password\.$
+failregex = /failregex>
 ignoreregex =
From ad9aba5871e7d3924aa42f76d8eeb739fef8cdcd Mon Sep 17 00:00:00 2001
From: para-do-x
Date: Wed, 24 Sep 2025 18:43:39 +0400
Subject: [PATCH 6/6] Update ChangeLog gh4075
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 7ebf401d..ea25f313 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
 - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)
 * `filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal, gh-3954)
+* `filter.d/froxlor-auth.conf` - updated the regex to the new logging situation for froxlor and changed logpath in jail.conf (gh-4075).
 ### New Features and Enhancements
 * backend `systemd` extended with new parameter `rotated` (default `false`, as prevention against "too many open files"),
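Review bot: The `(?:\S*|[^']*)` alternation inside the quotes of `_re` (patch 5/6, `[DEFAULT]` section of froxlor-auth.conf) is hard to read and its intent is undocumented: both branches accept an ordinary name, so a reader has to guess which inputs each one is for. I would put a comment above it, e.g. `# optional quoted login name (untrusted input): either free of whitespace or free of apostrophes`. It is also worth recording there that `_re` is left unanchored on purpose, because the `[type1]` and `[type2]` `failregex` lines wrap it in `^…$`; anyone reusing `_re` elsewhere would otherwise lose the end anchor without noticing.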