mirror of https://github.com/fail2ban/fail2ban
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
2.2 KiB
50 lines
2.2 KiB
# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
|
|
#
|
|
# Logfile /var/log/mongodb/mongodb.log
|
|
#
|
|
# add setting in /etc/mongodb.conf
|
|
# logpath=/var/log/mongodb/mongodb.log
|
|
#
|
|
# and use of the authentication
|
|
# auth = true
|
|
#
|
|
|
|
[Definition]
|
|
#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
|
|
failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
|
|
|
|
ignoreregex =
|
|
|
|
|
|
[Init]
|
|
maxlines = 10
|
|
|
|
# DEV Notes:
|
|
#
|
|
# Regarding the multiline regex:
|
|
#
|
|
# There can be a nunber of non-related lines between the first and second part
|
|
# of this regex maxlines of 10 is quite generious.
|
|
#
|
|
# Note the capture __connid, includes the connection ID, used in second part of regex.
|
|
#
|
|
# The first regex is commented out (but will match also), because it is better to use
|
|
# the host from "end connection" line (uncommented above):
|
|
# - it has the same prefix, searching begins directly with failure message
|
|
# (so faster, because ignores success connections at all)
|
|
# - it is not so vulnerable in case of possible race condition
|
|
#
|
|
# Log example:
|
|
# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
|
|
# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
|
|
# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
|
|
# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
|
|
# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
|
|
# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
|
|
# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
|
|
# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
|
|
#
|
|
# Authors: Alexander Finkhäuser
|
|
# Sergey G. Brester (sebres)
|
|
|