Glpi fail2ban regex - regex

I'm using glpi and I want to monitor the failed login attempts with fail2ban. The log file is the following:
I need a regex rule for this log file for failed login attempts, and I want to ban the IPs with fail2ban.
Can somebody help me?
Thanks!

Use this: failed login for \w+ from IP (.*)
Now your match group 1 holds the failed IP address.

Related

Custom fail2ban ban rule not working (incorrect failregex usage?)

I am currently trying to secure our backup server and its interface, as it currently does not have any kind of (extra) security other than a strong password. The backup server is based on CentOS 7.x.
Log file location:
/var/log/backup
Log file names:
backuplog-2019310.log
backuplog-2019309.log
backuplog-2019308.log
backuplog-2019307.log
False logins are logged like:
[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': Invalid authentication (Address=200.100.150.50:28534)
[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': Invalid authentication (Address=120.30.40.20:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'info': Invalid authentication (Address=85.80.75.70:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'user': Invalid authentication (Address=25.125.155.190:28534)
In /etc/fail2ban/jail.local:
[backup]
enabled = true
filter = backup
logpath = /var/log/backup/backuplog-*.log
port = 80,443
The use of the asterisk in there is allowed, right?
So far I understand it correctly, I hope.
However, I am experiencing issues with creating a correct filter for this custom fail2ban ban rule (= filter).
Example of /etc/fail2ban/filter.d/backup.conf:
[Definition]
failregex = [[]Web login failure for account []] .* Invalid authentication
ignoreregex =
But it's not working. So I am guessing my failregex is incorrect? Maybe someone can advise me on the correct failregex to apply to make it work?
I am receiving the following error messages when starting up fail2ban:
ERROR NOK: ("No 'host' group in '[[]Web login failure for account []] .* Invalid authentication'",)
So I am guessing the failregex is incorrect?
//update 1 - STILL ISSUES + ADDITIONAL QUESTION
Fooled around a bit more. This is the updated failregex:
failregex = [][] Web login failure for account .* <HOST>
Now I am not getting the "ERROR NOK" anymore; however, it's still not working. This is the fail2ban log:
2019-11-06 14:44:39,111 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:41,706 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,082 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,623 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
So what am I doing wrong here?
Also, come to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great, especially when more and more log files are created. Right?
Is there a way to target the current or latest log file e.g. backuplog-2019310.log?
Thanks in advance.
In the meantime I will fool around a bit more.
//update 2 - MAIN ISSUE SOLVED!!
I guess I solved it by using the following failregex:
failregex = Invalid authentication \(Address=<HOST>
Will see if I can make it somewhat better obviously. But it's a great start for me.
So maybe someone can help me with the issue in regards to the log file as mentioned above. For easier reading I will ask it here again:
Also, come to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great, especially when more and more log files are created. Right?
Is there a way to target the current or latest log file, e.g. backuplog-2019310.log?
Maybe someone has a solution for this?
Thank you in advance.
As for the regex, it is always better to use anchored REs, so either anchored at the end:
failregex = Invalid authentication \(Address=<HOST>\)\s*$
or at the beginning:
failregex = ^\[\] \[Audit\] Web login failure for account '[^']+': Invalid authentication \(Address=<HOST>
And disable usedns for this jail if no hostnames are expected in the log (or use <ADDR> instead of <HOST> if f2b >= v.0.10).
As for current (latest) log file, simply create a symlink in postrotate (see https://stackoverflow.com/a/58430149/7161854).
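A small harness, added here as an illustration (it is not from the question, the answer or fail2ban itself), that applies the patterns from this thread to constructed lines in the format the question shows. It approximates two things fail2ban does before a failregex is tried: it expands the <HOST> tag into a named host group (assumption: modelled on the classic expansion; current releases generate a richer pattern and also offer <ADDR>, as the answer notes) and it removes the timestamp it recognised while leaving the brackets in place, which is what the ^\[\] \[Audit\] pattern above relies on. Running it reproduces both symptoms from the question: the first filter has no host group, and the update-1 filter captures the word "authentication" as the host, which is the name fail2ban then tried to resolve in the warnings shown.

```python
import re

# Approximation of fail2ban's expansion of the <HOST> tag into a named group
# (assumption: modelled on the classic expansion; current releases generate a
# richer pattern and also offer <ADDR>).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# fail2ban finds and removes the timestamp before failregex is applied.
# Assumption: for "[2019-11-06T13:13:33+01:00] ..." the date text goes and the
# brackets stay, so the line handed to failregex starts with "[] [Audit] ...".
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}\]")


def strip_date(line: str) -> str:
    return DATE_RE.sub("[]", line, count=1)


def failregex_error(failregex: str):
    """Return the error fail2ban would report for this failregex, or None."""
    if "(?P<host>" not in failregex.replace("<HOST>", HOST_TAG):
        return f"No 'host' group in '{failregex}'"
    return None


def find_hosts(failregex: str, lines) -> list:
    """Apply an expanded failregex to each line and collect the host group."""
    error = failregex_error(failregex)
    if error:
        raise ValueError(error)
    rx = re.compile(failregex.replace("<HOST>", HOST_TAG))
    hosts = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


# The three filters from the question, in the order they were tried.
FIRST_FAILREGEX = r"[[]Web login failure for account []] .* Invalid authentication"
UPDATE1_FAILREGEX = r"[][] Web login failure for account .* <HOST>"
FINAL_FAILREGEX = r"Invalid authentication \(Address=<HOST>"
# The begin-anchored form from the answer.
ANCHORED_FAILREGEX = (r"^\[\] \[Audit\] Web login failure for account '[^']+': "
                      r"Invalid authentication \(Address=<HOST>")

# Constructed sample log: the four failures from the question plus one
# successful login (constructed) that a filter must not match.
LOG = [
    "[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': Invalid authentication (Address=200.100.150.50:28534)",
    "[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': Invalid authentication (Address=120.30.40.20:28534)",
    "[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'info': Invalid authentication (Address=85.80.75.70:28534)",
    "[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'user': Invalid authentication (Address=25.125.155.190:28534)",
    "[2019-11-06T13:13:36+01:00] [Audit] Web login success for account 'admin' (Address=10.0.0.5:28540)",
]
EXPECTED_IPS = ["200.100.150.50", "120.30.40.20", "85.80.75.70", "25.125.155.190"]

if __name__ == "__main__":
    print("first filter:", failregex_error(FIRST_FAILREGEX))
    print("update 1 hosts:", find_hosts(UPDATE1_FAILREGEX, LOG))
    print("final hosts:", find_hosts(FINAL_FAILREGEX, LOG))
    print("anchored hosts:", find_hosts(ANCHORED_FAILREGEX, LOG))
```

The update-1 result is the instructive one: with `.* <HOST>` the greedy `.*` backtracks to the last space that is followed by something the host group can consume, and in these lines that is the word before "(Address=", so every line yields "authentication" rather than an address. Anchoring the pattern to the literal text around the address, as the final filter and the answer do, removes that ambiguity.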

How to capture cookies on haproxy logs?

Good day!!
I am pretty new to HAProxy and I am trying to log all HTTP details using the httplog option. I am able to capture all the details except the request and response cookies. I need to capture them to be able to understand users' behaviour on our websites.
I have found some reference on Google like below,
capture cookie name len 10
Note: I am using the marathon-lb haproxy official docker image.
I am not able to understand what I should give as "name" so that it can capture, or whether there is any other way to capture them.
thanks in advance for your help :)
To log cookies you'll need to use capture cookie as you note, where name is the name of the cookie you want to capture.
To log the captured cookies, you'll use
%CC #captured_request_cookie
%CS #captured_response_cookie
You will have to use the log-format option and create a custom log that includes those cookies.
Doc section https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4

symfony2 security firewall pattern on windows

I noticed a strange behaviour in the firewall pattern configuration in Symfony 2.3 on Windows 7.
Simply put, if I use this configuration:
support:
pattern: /support/*
My route is recognized and the security token is put under the right firewall.
If I use a regexp configuration:
support:
pattern: /support/.*
My route isn't recognized any more and the security token does not exist.
How is this possible? Shouldn't .* be the correct regexp?
That is not a valid pattern with a start delimiter. Try something like this:
support:
pattern: ^/support/

RegEx: matching email addresses with subdomains for GApps

I am trying to write a regex that works in Google Apps that matches email addresses on incoming messages with subdomains, e.g.:
root@*wildcard*.mydomain.com
but not
root@mydomain.com
So that I can use Gmail to redirect them to the proper recipient @mydomain.com.
The following regex works in my regex editor but doesn't match anything in Gmail testing:
^[-+.0-9A-Z_a-z]+@[-+.0-9A-Z_a-z]+\.(mydomain.com)$
For those of you familiar with GApps, I'm referring to the setting under Settings > Email > Receiving routing > Configure > Options.
Any help would be appreciated. Thank you!
Try putting the dash last; some regex dialects can't handle a leading dash in a character class. Other than that, your regex looks OK.
^[+.0-9A-Z_a-z-]+@[+.0-9A-Z_a-z-]+\.(mydomain\.com)$
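As an added check that is not part of the question or the answer, the two patterns side by side in Python, with @ where the page shows #. Python accepts a leading dash in a character class, so it cannot reproduce the dialect problem the answer describes; what it does show is the other difference between the two patterns, the escaped dot in mydomain\.com: the original would also fire for a look-alike domain such as mydomainXcom, while the corrected one only accepts real subdomains of mydomain.com and still rejects the bare domain. The sample addresses are constructed.

```python
import re

# The regex from the question and the answer's corrected form, with '@' in
# place of the '#' shown on the page (assumption: ordinary user@domain input).
ORIGINAL_RE = re.compile(r"^[-+.0-9A-Z_a-z]+@[-+.0-9A-Z_a-z]+\.(mydomain.com)$")
FIXED_RE = re.compile(r"^[+.0-9A-Z_a-z-]+@[+.0-9A-Z_a-z-]+\.(mydomain\.com)$")

# Constructed addresses: two that should route, one bare-domain address that
# must not, and one look-alike that only the unescaped dot lets through.
SAMPLES = [
    "root@wildcard.mydomain.com",
    "root@a.b.mydomain.com",
    "root@mydomain.com",
    "root@wildcard.mydomainXcom",
]


def accepted_by(rx: re.Pattern, address: str) -> bool:
    """True when the routing rule would fire for this address."""
    return rx.match(address) is not None


def compare(addresses=SAMPLES) -> dict:
    """Map each address to (original accepts, fixed accepts)."""
    return {a: (accepted_by(ORIGINAL_RE, a), accepted_by(FIXED_RE, a))
            for a in addresses}


if __name__ == "__main__":
    for address, (orig, fixed) in compare().items():
        print(f"{address:32} original={orig!s:5} fixed={fixed}")
```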

Match URL Scheme with Port

I'm trying to match the URI/URL scheme (e.g. ftp, http, https) using this regex: ^(.*:) . The problem is that my URL has a port number, so the : that marks the scheme isn't the only one in the URL; there is also :80. How do I match just the scheme using regex?
Given this example:
http://video.google.co.uk/videoplay?docid=-7246927612831078230&hl=en#00h02m30s
I would like regex to just match:
http
I'm not interested in something like
^((http[s]?|ftp):\/)
I know this would work, but it is limiting. It wouldn't give me mailto, tel, ssh, etc.
I just found that ^[^:]+ works.