All geek questions in one place

Fail2ban apache-auth filter does not detect failed passwords

I'm having trouble getting fail2ban to detect failed apache-auth attempts.

Filters look like this:

^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$ ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$

and errors that occur:

 [Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html [Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html

Do not work correctly. I would like them to be rewritten so that they work, but I can’t understand how the filter works, and a search on Google does not lead me anywhere. Most manuals assume that I understand regex that I don’t have.

Can someone explain (or relate) what these options mean in the filter so that I can change it myself?

+5
source share
2 answers

I had the same problem with Fail2Ban v0.8.11 and initially I found your message about 13 hours after posting. My possible solution was to use the more modern apache-common.conf and apache-auth.conf files from the official GitHub repo. Now it catches login attempts and then automatically denies the IP address, although I use ufw to actually ban / cancel.

+7
source

There is additional text in your error message that fail2ban did not expect to tell fail2ban to accept this additional text:

remove $ from the end of the pattern or add .* in front of $ .

$ in the rule indicates that the log line should end there, however, in the lines of your log there is text after the words "Password Mismatch", removing $ removes this restriction. .* means "allow something", so an appendix that allows anything to the end of the line

+1
source

Source: https://habr.com/ru/post/1209801/

More articles:


All Articles