Added HAProxy HTTP Auth filter

2015-12-31 11:16:23 +10:00 · 2015-12-31 11:16:23 +10:00 · e133762a28
parent 69aa1feac0
commit e133762a28
4 changed files with 52 additions and 0 deletions
--- a/2
+++ b/2
@ -44,6 +44,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
       request processing rate (ngx_http_limit_req_module)
     - murmur - ban hosts that repeatedly attempt to connect to
       murmur/mumble-server with an invalid server password or certificate.
+     - haproxy-http-auth - filter to match failed HTTP Authentications against a
+       HAProxy server
   * New jails:
     - murmur - bans TCP and UDP from the bad host on the default murmur port.
   * sshd filter got new failregex to match "maximum authentication
--- a/config/filter.d/haproxy-http-auth.conf
+++ b/config/filter.d/haproxy-http-auth.conf
@ -0,0 +1,37 @@
+# Fail2Ban filter configuration file to match failed login attempts to
+# HAProxy HTTP Authentication protected servers.
+#
+# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
+# which prompts their browser to ask for login details.
+# This initial 401 is logged by HAProxy.
+# In other words, even successful logins will have at least 1 fail regex match.
+# Please keep this in mind when setting findtime and maxretry for jails.
+#
+# Author: Jordan Moeser
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = haproxy
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)s<HOST>.*NOSRV.*401
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -839,3 +839,12 @@ filter   = screensharingd
 logpath  = /var/log/system.log
 logencoding=utf-8
 maxretry = 4
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+enabled  = false
+filter   = haproxy-http-auth
+logpath  = /var/log/haproxy.log
--- a/fail2ban/tests/files/logs/haproxy-http-auth
+++ b/fail2ban/tests/files/logs/haproxy-http-auth
@ -0,0 +1,4 @@
+# failJSON: { "match": false }
+Nov 14 22:45:27 test haproxy[760]: 192.168.33.1:58444 [14/Nov/2015:22:45:25.439] main app/app1 1939/0/1/0/1940 403 5168 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
+# failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "192.168.33.1" }
+Nov 14 22:45:11 test haproxy[760]: 192.168.33.1:58430 [14/Nov/2015:22:45:11.608] main main/<NOSRV> -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"