Custom fail2ban ban rule not working (incorrect failregex usage?) - regex

I am currently trying to secure our backup server and it's interface as it currently does not have any kind of (extra) security other than a strong password. The backup server is based on CentOS 7.x.
Log file location:
/var/log/backup
Log file names:
backuplog-2019310.log
backuplog-2019309.log
backuplog-2019308.log
backuplog-2019307.log
False logins are logged like:
[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': Invalid authentication (Address=200.100.150.50:28534)
[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': Invalid authentication (Address=120.30.40.20:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'info': Invalid authentication (Address=85.80.75.70:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'user': Invalid authentication (Address=25.125.155.190:28534)
In /etc/fail2ban/jail.local:
[backup]
enabled = true
filter = backup
logpath = /var/log/backup/backuplog-*.log
port = 80,443
The use of the asterisk in there is allowed, right?
So far I understand it correctly, I hope.
However I am experiencing issues with creating a correct filter for this custom fail2ban ban rule (= filter).
Example of /etc/fail2ban/filter.d/backup.conf:
[Definition]
failregex = [[]Web login failure for account []] .* Invalid authentication
ignoreregex =
But it's not working. So I am guessing my failregex is incorrect? Maybe someone can advice me the correct failregex to apply to make it work?
I am receiving the following error messages when starting up fail2ban:
ERROR NOK: ("No 'host' group in '[[]Web login failure for account []] .* Invalid authentication'",)
So I am guessing the failregex is incorrect?
//update 1 - STILL ISSUES + ADDITIONAL QUESTION
Fooled around a bit more. This is the updated failregex:
failregex = [][] Web login failure for account .* <HOST>
Now I am not getting the "ERROR NOK" anymore, however it's still not working. This is the fail2ban log:
2019-11-06 14:44:39,111 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:41,706 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,082 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,623 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
So what am I doing wrong here?
Also, coming to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great. Especially when more and more log files are created. Right?
Is there a way to target the current or latest log file e.g. backuplog-2019310.log?
Thanks in advance.
In the meantime I will fool around a bit more.
//update 2 - MAIN ISSUE SOLVED!!
I guess I solved it by using the following failregex:
failregex = Invalid authentication \(Address=<HOST>
Will see if I can make it somewhat better obviously. But it's a great start for me.
So maybe someone can help me with the issue in regards to the log file as mentioned above. For easier reading I will ask it here again:
Also, coming to think of it, I think using
"/var/log/backup/backuplog-*.log" is not that great. Especially when
more and more log files are created. Right?
Is there a way to target the current or latest log file e.g.
backuplog-2019310.log?
Maybe someone has a solution for this?
Thank you in advance.

As for regex, it is always better to use anchored RE's, so either at end:
failregex = Invalid authentication \(Address=<HOST>\)\s*$
or at begin:
failregex = ^\[\] \[Audit\] Web login failure for account '[^']+': Invalid authentication \(Address=<HOST>
And disable usedns for this jail if no hostnames in log are expected (or use <ADDR> instead of <HOST> if f2b >= v.0.10).
As for current (latest) log file, simply create a symlink in postrotate (see https://stackoverflow.com/a/58430149/7161854).

Related

Change localhost to hostname in wso2 is

Good day!
I am trying to configure user invitation with email confirmation.
Invited user accept email, but when he push 'confirm account' button he get an error.
First there was a certificate error. but when I added the certificate, another error occurred. As I understand it, the error is quite logical, because the certificate was issued to our hostname. Is there any way to change localhost to our hostname? or are there other ways to solve this problem?
ERROR {org.wso2.carbon.identity.mgt.endpoint.util.client.ApiClient} - Error while performing the request method: POST on the resource: https://localhost:9443/api/identity/user/v1.0/validate-code com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
Editing RecoveryEndpointConfig.properties in repository/deployment/server/webapps/accountrecoveryendpoint/ dont solve this problem
You can configure the hostname by adding the following entry to the <IS_HOME>/repository/conf/deployment.toml config file,
[server]
hostname = "your_host_name"
Since by default IS uses localhost as the internal hostname, you will need to add it as a SAN for the certificate.
Another option is to define the hostname and internal_hostname both in the toml config as below,
[server]
hostname = "your_host_name"
internal_hostname = "your_host_name"
You may refer to the following official documentation to get a detail understanding of changing the hostname
https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/

Cannot access wso2is.local:port:/carbon, can access via IP:port:/carbon

I've been attempting to set up service and identity providers within wso2is. I've been following the documentation, using the 'travelocity' sample. After having configured inbound authentication with SAML2 Web SSO (from the following documentation: https://docs.wso2.com/display/IS580/Adding+and+Configuring+a+Service+Provider#AddingandConfiguringaServiceProvider-SAML-SSOConfiguringinboundauthenticationwithSAML2WebSSO )
I've attempted to reconfigure the service providers, but the errors I get whenever I try and access ':/travelocity.com' from a remote workstation in Chrome are as follows;
using https://:8080/travelocity.com
/ Error 405 - Method Not Allowed
using https://wso2is.local:9443/travelocity.com
/ "This site can’t be reached wso2is.local’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN"
Same result without https.
using https://:9443/travelocity.com
/ "Error 405 - Method Not Allowed"
using https://wso2is.local:8080/travelocity.com
/ "This site can’t be reached wso2is.local’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN"
Same result without https.
using http://:9443/travelocity.com
/ " sent an invalid response.
ERR_INVALID_HTTP_RESPONSE"
using http://:8080/travelocity.com
/ Returns apache's default 404 page.
I'm looking for suggestions or advice, as this my first attempt at configuring a wso2is enviroment.
using https://:8080/travelocity.com / Error 405 - Method Not Allowed
This occurs because you havent specified the host.
Open etc/host file. add the following line and try the flow again.
127.0.0.1 wso2is.local
Otherwise, just try with https://localhost:8080/travelocity.com
For more information please refer
https://docs.wso2.com/display/IS580/Configuring+Single+Sign-On

WSO2 Identity Server login returns a 403

I am trying to log into my WSO2 management console. It is containerized and hosted in an AWS EC2 instance. I can navigate to the console login page, but when I try to login I get a 403 Forbidden message.
Navigation to login page is okay
Forbidden error
I know that the cause of this issue is that my login page is not posting the X-CSRF-Token.
Example of the form data posted in my "bad" request:
The console of my WSO2 instance prints an error like this:
WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:IP_ADDRESS, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
Example of the form data posted in a "good" request in a local WSO2 instance:
What I have tried:
I have tried turning compression "off" as suggested by this post: wso2 api manger carbon page gives 403 Forbidden
I am not using JDK 1.8.0_151 which is labeled as a version with a bug.
I am able to circumvent the issue if I disable the csrfguard in Owasp.CsrfGuard.Carbon.properties but this is a security risk.
I have sticky sessions enabled
Any ideas on why the posting to the login_action.jsp page would return a 403?
EDIT
I failed to mention in the post that I am using TLS termination with an AWS load balancer. I am almost certain that my issue has something to do with that. This line from my console output details what my error is:
Referer domain https:LOAD_BALANCER_URL/carbon/admin/login.jsp does not match request domain: http://LOAD_BALANCER_URL/carbon/admin/js/csrfPrevention.js
You can see that the referer is using https but the request is using http. I believe that I want the request domain to be https, but I'm not sure how to do that. I think that the first page is making a call to login.jsp with https and the login.jsp page is making a call to the csrfPrevention.js page but changing the protocol to http.
Please refer the OS and JDK incompatibilities matrix and make sure you are not using one of these OS JDK pairs.
Do you have a load balancer fronting your Identity Server? If so, please verify that you have enabled sticky sessions in your LB. You can find sample NGINX the configurations in the guide - docs.wso2.com/display/CLUSTER44x/Configuring+NGINX
Lower the version of java JDK to 1.8.0_144.If it's not worked go to this location
wso2Servers/wso2is-5.5.0/repository/conf/security .
There is a file name Owasp.CsrfGuard.Carbon.properties.
In that file, there is a line
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
set this to
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
This worked for me.

CERTIFICATE_VERIFY_FAILED requests.session() get request

I am trying to get the contents of a page where only https urls work and it does not have a valid certificate.
import requests
session_requests = requests.session()
result = session_requests.get("some https url")
I am getting the following error:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
However if i use this:
requests.get('https://url.retail.publishedprices.co.il/login', verify=False)
It works, but i need to do the same kind of thing with the requests.session() since i am logging in.
If you look at the SSLLabs report for this site you will find out that there are several things wrong:
The name in the certificate does not match the name given in the URL. If you try to access this site with a browser you get an error message too.
The trust chain is incomplete and thus cannot be validated. Some browsers might try to download the missing intermediate certificate but others will simply fail here too.
Instead of trying to working around this broken setup I recommend to contact the ones who setup the site so that these serious issues gets fixed. After the fixes no workarounds in your script are needed.
Also, I don't consider disabling the validation as an acceptable workaround in this situation. This is a public accessible site which asks for sensitive data (at least username and password). And this site is explicitly enforcing https.

Authentication error sending messages to Windows Service Bus 1.0 on AWS

I am trying to send and receive messages from a local workgroup machine (Windows 7), call it the 'client', to Service Bus 1.0 set up on a workgroup server (hosted on AWS EC2). After many trials and research I'm unable to send messages from the client machine to the server. I've followed a number of articles that appear to indicate that it is possible to do, but I cannot resolve the authentication issue I'm seeing.
Connecting to Windows Server Service Bus on AWS
Microsoft Service Bus on a Windows Workgroup
I note the Microsoft system requirements appears to indicate that it is "not supported" and "not possible". My question is can this be done, and has anyone had success? Any help would be greatly appreciated.
msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
My attempts include using either the WindowsTokenProvider and OAuthTokenProvider. I get the same result:
System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace/$STS/Windows/'. Token provider returned message: ''. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
The Service Bus namespace is set up with AddressingScheme "Path" for a workgroup install. And the client side connection string includes the IP to reach the server, and I've set a RemoteCertificateValidationCallback before creating the queues.
Endpoint=sb://xx.xx.xx.xx/ServiceBusDefaultNamespace;StsEndpoint=https://xx.xx.xx.xx:9355/ServiceBusDefaultNamespace;RuntimePort=9354;ManagementPort=9355;WindowsUsername=SBUser;WindowsDomain=[NotUsed];WindowsPassword=[Password]
Code to attach to the remote queue and send a message is as follows:
ServiceBusConnectionStringBuilder connBuilder = new ServiceBusConnectionStringBuilder(ConfigurationManager.AppSettings["Microsoft.ServiceBus.ConnectionString"]); // Gets the connection string above
TokenProvider tokenProvider = WindowsTokenProvider.CreateWindowsTokenProvider(connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
MessagingFactorySettings messagingFactorySettings = new MessagingFactorySettings();
messagingFactorySettings.TokenProvider = tokenProvider;
MessagingFactory messagingFactory = MessagingFactory.Create(connBuilder.GetAbsoluteRuntimeEndpoints(), messagingFactorySettings);
requestQueue = messagingFactory.CreateQueueClient("RequestQueue");
...
requestQueue.Send(sendMessage); // Fails here
The server account is SBUser with a password and I have left the domain/host specified blank on the token provider. I note that the Event Viewer on the server shows the authentication being attempted is the client's user account not the one from the token provider. Why is this? I'm obviously missing something in order to authenticate on the server.
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [ClientLogin]
Account Domain: [ClientMahcine]
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Appreciate any help. Thanks.
Try with the OAuthTokenProvider and make sure that connBuilder is passing the right values.
TokenProvider tokenProvider = TokenProvider.CreateOAuthTokenProvider (connBuilder.StsEndpoints, new NetworkCredential(connBuilder.WindowsCredentialUsername, connBuilder.WindowsCredentialPassword));
Once you try this, please, reply with the exception you get in your client. Also, in the server, search for a event in the Service Bus section that would give more details about the exception.
With that information we should continue to the next step.
Did you get to the bottom of this?
I have managed to get around the exact same issue by setting the Fully Qualified domain name of the server that the certificate is bound to in the client machine hosts file.
So where you have entered the IP address in the connection string, you should instead enter 'AMAZONA-PQxxxxx'. And in your hosts file, have the 'AMAZONA-PQxxxxx' resolve to the IP address.
we had the same issues. Server W2k12R2, standalone, Workgroup; Client Windows 7, same Workgroup.
It's necessary to have the same user accounts on both systems. Looks like this is some kind of "authentication proxy stuff" running.
Take a look at the compatibility matrix mentioned above:
http://msdn.microsoft.com/en-us/library/windowsazure/jj193011(v=azure.10).aspx
Thank you,
Holger