github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Added HAProxy HTTP Auth filter

pull/1288/merge^2
Jordan Moeser 2015-12-31 11:16:23 +10:00
parent 69aa1feac0
commit e133762a28
4 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -44,6 +44,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
request processing rate (ngx_http_limit_req_module) request processing rate (ngx_http_limit_req_module)
- murmur - ban hosts that repeatedly attempt to connect to - murmur - ban hosts that repeatedly attempt to connect to
murmur/mumble-server with an invalid server password or certificate. murmur/mumble-server with an invalid server password or certificate.
- haproxy-http-auth - filter to match failed HTTP Authentications against a
HAProxy server
* New jails: * New jails:
- murmur - bans TCP and UDP from the bad host on the default murmur port. - murmur - bans TCP and UDP from the bad host on the default murmur port.
* sshd filter got new failregex to match "maximum authentication * sshd filter got new failregex to match "maximum authentication

37
config/filter.d/haproxy-http-auth.conf Normal file
View File

@ -0,0 +1,37 @@
# Fail2Ban filter configuration file to match failed login attempts to
# HAProxy HTTP Authentication protected servers.
#
# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
# which prompts their browser to ask for login details.
# This initial 401 is logged by HAProxy.
# In other words, even successful logins will have at least 1 fail regex match.
# Please keep this in mind when setting findtime and maxretry for jails.
#
# Author: Jordan Moeser
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = haproxy
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s<HOST>.*NOSRV.*401
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

9
config/jail.conf
View File

@ -839,3 +839,12 @@ filter = screensharingd
logpath = /var/log/system.log logpath = /var/log/system.log
logencoding=utf-8 logencoding=utf-8
maxretry = 4 maxretry = 4
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
enabled = false
filter = haproxy-http-auth
logpath = /var/log/haproxy.log

4
fail2ban/tests/files/logs/haproxy-http-auth Normal file
View File

@ -0,0 +1,4 @@
# failJSON: { "match": false }
Nov 14 22:45:27 test haproxy[760]: 192.168.33.1:58444 [14/Nov/2015:22:45:25.439] main app/app1 1939/0/1/0/1940 403 5168 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
# failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "192.168.33.1" }
Nov 14 22:45:11 test haproxy[760]: 192.168.33.1:58430 [14/Nov/2015:22:45:11.608] main main/<NOSRV> -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"