From a7f3ba87f68e1f676716a2f485460abbedbd8f5b Mon Sep 17 00:00:00 2001
From: jim
Date: Fri, 30 Nov 2018 03:54:12 +0100
Subject: [PATCH 1/2] filter.d/sogo-auth.conf: fixes gh-2289 - matching auth-failures when behind a proxy; (broken by commit 72b06479a58c3c3961e0bc5d4812271662bf946e), replacement for gh-2290.
---
 config/filter.d/sogo-auth.conf | 2 +-
 fail2ban/tests/files/logs/sogo-auth | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/sogo-auth.conf b/config/filter.d/sogo-auth.conf
index d56c94f7..4f14db35 100644
--- a/config/filter.d/sogo-auth.conf
+++ b/config/filter.d/sogo-auth.conf
@@ -4,7 +4,7 @@
 
 [Definition]
 
-failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '(?:, [^']*)?' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
 
 ignoreregex =
 
diff --git a/fail2ban/tests/files/logs/sogo-auth b/fail2ban/tests/files/logs/sogo-auth
index 02a69c6d..c3aebde1 100644
--- a/fail2ban/tests/files/logs/sogo-auth
+++ b/fail2ban/tests/files/logs/sogo-auth
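Review bot: The filter needs a comment stating the trust assumption behind the proxy form, because `(?:, [^']*)?` skips the rest of the quoted list and the ban therefore always lands on its first address. The test line `'173.194.44.31, 10.0.0.1'` suggests the list is a forwarded-for chain; if so, its leftmost entry is whatever the client sent unless the front proxy overwrites the header, so a ban can land on an address the client chose. I would add above `failregex` something like `# Behind a proxy the first listed address is banned; the proxy must set it itself, not pass a client-supplied value through.` The host tag between the quotes appears to have been lost in this rendering of the patch; the `"host"` expectations in the test file imply it is present in the real file.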
@@ -29,3 +29,5 @@ Mar 24 08:58:59 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user
 Mar 24 08:59:04 sogod [26818]: <0x0xb8537990[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=admin,ou=users,dc=mail,dc=example,dc=org"; }
 # failJSON: { "time": "2005-03-24T08:59:04", "match": true , "host": "173.194.44.31" }
 Mar 24 08:59:04 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
+# failJSON: { "time": "2005-03-24T08:59:04", "match": true , "host": "173.194.44.31" }
+Mar 24 08:59:04 sogod [26818]: SOGoRootPage Login from '173.194.44.31, 10.0.0.1' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
From 1a9527e6a46840b51a2a73bc6351ad9e55180548 Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 12 Mar 2019 16:47:33 +0100
Subject: [PATCH 2/2] fixed catch-all on user (and simplifying)
---
 config/filter.d/sogo-auth.conf | 2 +-
 fail2ban/tests/files/logs/sogo-auth | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/filter.d/sogo-auth.conf b/config/filter.d/sogo-auth.conf
index 4f14db35..317a0c15 100644
--- a/config/filter.d/sogo-auth.conf
+++ b/config/filter.d/sogo-auth.conf
@@ -4,7 +4,7 @@
 
 [Definition]
 
-failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '(?:, [^']*)?' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
 
 ignoreregex =
 
diff --git a/fail2ban/tests/files/logs/sogo-auth b/fail2ban/tests/files/logs/sogo-auth
index c3aebde1..8728a76a 100644
--- a/fail2ban/tests/files/logs/sogo-auth
+++ b/fail2ban/tests/files/logs/sogo-auth
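Review bot: With `'[^']*'` on the user field, a failure line whose login name contains an apostrophe no longer matches, so those attempts are never counted toward a ban. Whether sogod escapes quotes in this message is not visible here, so this should be confirmed against real logs. The pattern is anchored at `^` and the address field precedes the user field, so the login name cannot displace the address under either form. If the stricter class is kept, a comment such as `# login names containing ' are intentionally not matched` and a `"match": false` fixture line would make the behaviour explicit.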
@@ -29,5 +29,6 @@ Mar 24 08:58:59 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user
 Mar 24 08:59:04 sogod [26818]: <0x0xb8537990[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=admin,ou=users,dc=mail,dc=example,dc=org"; }
 # failJSON: { "time": "2005-03-24T08:59:04", "match": true , "host": "173.194.44.31" }
 Mar 24 08:59:04 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
-# failJSON: { "time": "2005-03-24T08:59:04", "match": true , "host": "173.194.44.31" }
-Mar 24 08:59:04 sogod [26818]: SOGoRootPage Login from '173.194.44.31, 10.0.0.1' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
+# failJSON: { "time": "2005-03-24T19:29:32", "match": true , "host": "192.0.2.16", "desc": "behind a proxy, gh-2289" }
+Mar 24 19:29:32 sogod [1526]: SOGoRootPage Login from '192.0.2.16, 10.0.0.1' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
+
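Review bot: The fixtures cover only the comma-plus-space form with two addresses, while the second patch relaxes the separator to a bare comma in `(?:,[^']*)?`. A line with no space after the comma and a line with three addresses, each expecting the first address as `"host"`, would pin the relaxed behaviour. The empty line added at the end of the hunk may be unintended.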