Item8424: Install fail2ban on the host where foswiki.org jail runs, and have it parse the jail reject logs

Priority: Urgent
Current State: Being Worked On
Released In: n/a
Target Release: n/a
Applies To: Web Site
Component:
Branches:
Reported By: OlivierRaginel
Waiting For: Main.KoenMartens
Last Change By: OlivierRaginel
Hey Koen, as I've raised this numerous times, I'll create you a task for it.

If you think that's not doable, or not a good idea, please close the task.

Thanks.

-- Babar - 26 Jan 2010

Sorry for the delay and all. Life caught up. Anyway, I'll tackle this one soonish!

-- KoenMartens - 04 Jun 2011

I believe the following /etc/fail2ban/filter.d/foswiki-auth.conf file will match on Foswiki authentication failures. Configure also logs failure messages but I have not created a filter for them yet.

# Fail2Ban configuration file
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#| 2010-06-25T16:16:04Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - asdfasdf -  Firefox | 192.168.1.30 |
#
failregex = .* \| AUTHENTICATION FAILURE - .* - .* \| <HOST> \|$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

And the corresponding jail.conf entry

[foswiki-web]

enabled  = true
filter   = foswiki-auth
action   = iptables[name=foswiki-web, port=http, protocol=tcp]
           sendmail-whois[name=foswiki-web, dest=foswikiadmin@foswiki.org, sender=root@foswiki.org]
logpath  = /var/www/foswiki/working/logs/events.log
maxretry = 3

-- GeorgeClark - 05 Jun 2011
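A quick way to check that the failregex above really picks out the failure lines (and nothing else) before enabling the jail is to run it over a few events.log lines. The script below is an added example, not GeorgeClark's code and not part of fail2ban: it expands the <HOST> tag exactly as the filter comments describe, matches it against constructed sample lines in the events.log format quoted above, and applies the jail's maxretry threshold. The "AUTHENTICATION SUCCESS" and "view" sample lines are constructed for illustration and are assumptions about the log format.

```python
import re
from collections import Counter

# fail2ban's own expansion of the <HOST> tag, as quoted in the filter comments.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from foswiki-auth.conf, verbatim.
FAILREGEX = r".* \| AUTHENTICATION FAILURE - .* - .* \| <HOST> \|$"


def compile_failregex(failregex=FAILREGEX):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failed_hosts(log_lines, failregex=FAILREGEX):
    """Count authentication failures per host over an iterable of log lines."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        match = pattern.match(line.rstrip("\n"))
        if match:
            # The named group "host" is what fail2ban hands to the ban action.
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_lines, maxretry=3, failregex=FAILREGEX):
    """Hosts at or above the jail's maxretry threshold, sorted for stable output."""
    counts = failed_hosts(log_lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample events.log lines (assumed format; the first one is the
# example quoted in the filter file). Three failures from 192.168.1.30, two
# from 10.0.0.5 (one of them logged with the IPv4-mapped IPv6 prefix that the
# <HOST> alias strips), plus a success and a view that must not match.
SAMPLE_LOG = [
    "| 2010-06-25T16:16:04Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - asdfasdf -  Firefox | 192.168.1.30 |",
    "| 2010-06-25T16:16:20Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - admin -  Firefox | 192.168.1.30 |",
    "| 2010-06-25T16:16:41Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - root -  Firefox | 192.168.1.30 |",
    "| 2010-06-25T16:17:02Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - test -  curl | 10.0.0.5 |",
    "| 2010-06-25T16:17:30Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - test -  curl | ::ffff:10.0.0.5 |",
    "| 2010-06-25T16:18:00Z info | JohnDoe | login | Someweb.WebHome | AUTHENTICATION SUCCESS - JohnDoe -  Firefox | 10.0.0.5 |",
    "| 2010-06-25T16:18:10Z info | JohnDoe | view | Someweb.WebHome |  | 10.0.0.5 |",
]


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Against the sample lines this reports three failures for 192.168.1.30 and two for 10.0.0.5, so with maxretry = 3 only 192.168.1.30 would be banned. The same check can be done with fail2ban's own tool on the live log, e.g. fail2ban-regex /var/www/foswiki/working/logs/events.log /etc/fail2ban/filter.d/foswiki-auth.conf, which also reports which lines the filter missed.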

George, the problem is that this needs to be done outside the jail, on the master, hence Koen needs to do it, as he's the only one with access to the master, for now.

And I'm pretty confident he knows how to configure a fail2ban, but thanks for adding the foswiki rules. I was more worried about the ssh rejection, but it's true it doesn't hurt much to add this. Thanks.

-- OlivierRaginel - 05 Jun 2011

Topic revision: r4 - 05 Jun 2011, OlivierRaginel