
fail2ban and specific RegEx

I'd need help with a fail2ban filter that should match failed login attempts within openHAB.

06-Apr.-2021 18:49:52.726 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed: Wrong password for user UserThatFailedLogin

06-Apr.-2021 19:41:11.456 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed: User not found: UserThatFailedLogin

These are both examples of log entries, for A) a wrong password and B) a non-existent user.

I've played around on https://regex101.com and came up with the following RegEx (first touchpoint for me):

(\bAuthentication failed: Wrong password\b|\bAuthentication failed: User not found\b)

While it matches in the regex101 tool for the above-mentioned example log entries, unfortunately I don't see any matches in fail2ban.

If you could help me out here, it would be highly appreciated, many thanks in advance!

What exactly do you want to ban?

Firstly, both messages from your example do not contain any identifier to be banned: neither an IP, nor anything else except the username. It is possible to ban everything, but you surely won't ban a username.

Then you'd need to provide a custom datepattern; it will be something like below (I'm just not sure the month token would always match, because here it has a . after it).

So assuming we had an IP address after "failed", like this:

06-Apr.-2021 18:49:52.726 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed from 192.0.2.1: Wrong password for user UserThatFailedLogin
06-Apr.-2021 19:41:11.456 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed from 192.0.2.1: User not found: UserThatFailedLogin

your filter could look like this:

[Definition]
datepattern = %%d-%%b\.-%%Y %%H:%%M:%%S\.%%f
failregex = ^\s*\[WARN\s*\] \[core.io.http.auth.internal.AbstractAuthPageServlet\] - Authentication failed from <ADDR>: (?:Wrong password for user|User not found:) <F-USER>\S+</F-USER>

But without any identifier to ban, hmmm...
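As an added illustration (not part of the answer above and not fail2ban's own code), the following Python script emulates what fail2ban does with that filter: it first matches the custom datepattern at the start of each line, strips it, and only then applies the failregex to the remainder, expanding the <ADDR> and <F-USER> tags into capture groups. The log lines are constructed to follow the answer's assumed format with an IP after "failed", and the IPv4-only <ADDR> stand-in is a simplification of what fail2ban actually accepts.

```python
import re
from datetime import datetime

# Constructed sample lines in the format the answer assumes (an IP after "failed").
LOG_LINES = [
    "06-Apr.-2021 18:49:52.726 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet]"
    " - Authentication failed from 192.0.2.1: Wrong password for user UserThatFailedLogin",
    "06-Apr.-2021 19:41:11.456 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet]"
    " - Authentication failed from 192.0.2.1: User not found: UserThatFailedLogin",
    "06-Apr.-2021 19:42:00.000 [INFO ] [core.io.http.auth.internal.AbstractAuthPageServlet]"
    " - Authentication succeeded for user alice",
]

# The answer's datepattern, with the ini-file "%%" escaping undone.
DATEPATTERN = r"%d-%b\.-%Y %H:%M:%S\.%f"
# The answer's failregex, verbatim; the fail2ban tags are expanded below.
FAILREGEX = (
    r"^\s*\[WARN\s*\] \[core.io.http.auth.internal.AbstractAuthPageServlet\] - "
    r"Authentication failed from <ADDR>: (?:Wrong password for user|User not found:) "
    r"<F-USER>\S+</F-USER>"
)

# Simplified stand-ins for fail2ban's strptime-like date tokens (only the ones used above).
DATE_TOKENS = {"%d": r"\d{2}", "%b": r"[A-Z][a-z]{2}", "%Y": r"\d{4}",
               "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d{1,6}"}

def date_regex(pattern):
    """Turn the datepattern into a regex; text outside a %-token is kept as regex syntax."""
    return re.sub(r"%[dbYHMSf]", lambda m: DATE_TOKENS[m.group(0)], pattern)

def fail_regex(pattern):
    """Expand <ADDR> and <F-USER>...</F-USER> into named groups (IPv4 only, a simplification)."""
    pattern = pattern.replace("<ADDR>", r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
    return pattern.replace("<F-USER>", "(?P<user>").replace("</F-USER>", ")")

DATE_RE = re.compile(r"^(" + date_regex(DATEPATTERN) + r")\s*")
FAIL_RE = re.compile(fail_regex(FAILREGEX))

def parse_failures(lines):
    """Emulate fail2ban's two-step matching: strip the timestamp, then apply failregex."""
    hits = []
    for line in lines:
        d = DATE_RE.match(line)
        if not d:            # no recognised timestamp: fail2ban skips the line entirely
            continue
        m = FAIL_RE.match(line[d.end():])
        if m:
            when = datetime.strptime(d.group(1), DATEPATTERN.replace("\\", ""))
            hits.append((when.isoformat(), m.group("ip"), m.group("user")))
    return hits

if __name__ == "__main__":
    for hit in parse_failures(LOG_LINES):
        print(hit)
```

Against a real installation, the same check is done with fail2ban's own tester, fail2ban-regex, run against the log file and the filter file; a line that fails only because the timestamp is not recognised shows up there as a missed date.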
