Dominik

Reputation: 4778

How to create a fail2ban jail and access log for your own application

I want my own small nuxt/vue.js application to utilize fail2ban to lock out users with too many incorrect login attempts. I think I have understood how to set up Fail2Ban itself.

My question is: what syntax should my access.log follow in order for it to be understood by fail2ban right out of the box? I did not find any answers on that.

access.log

What is the best practice and what is an approach that will work for fail2ban right out of the box? I am imagining something like this:

2019-02-17 15:12:10 login-error from 192.168.1.1 Invalid user 'administrator'
2019-02-17 16:11:10 login-error from 192.168.1.1 Invalid password for user 'admin'

Basic Setup

1) Install Fail2Ban

sudo apt-get install fail2ban

2) Create your own jail

sudo vim /etc/fail2ban/jail.local

Paste content (and edit to your needs)

[my-app]

enabled  = true
port     = http,https
filter   = my-app
logpath  = /home/my-user/my-app/logs/access.log
maxretry = 5

3) Create your filter

sudo vim /etc/fail2ban/filter.d/my-app.local

Paste the content in your my-app.local:

[Definition]
failregex = login-error from <HOST>

4) Restart the service

sudo systemctl restart fail2ban.service

Now this will monitor the my-app/logs/access.log and lock an IP out after more than 5 incorrect attempts once the log is set up.

Upvotes: 0

Views: 2421

Answers (1)

danblack

Reputation: 14761

On log format, there should be a very strict separation between the IP address and any other user data. The main consideration you need to achieve is to prevent an external party from attempting to log in with a pattern in which your regex will match an IP address in the user data as opposed to the IP of origin.

Having a log format like yours, where an anchor at the start of the line contains no user data (like username) before the IP, makes it easy to write a strong regex.

This pattern accounts for most of the CVEs in fail2ban.

To prevent this on your pattern, there is guidance in the FILTERS document in the repository.

In the case of the filter provided, a start anchor ^ should be included in the regex (assume the date/time has been removed).

You should also block an invalid user the same way as an invalid password. Without this a user could enumerate what valid users exist by attempting the same login 5 times.

Upvotes: 0
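As an added example that is not part of either post, the following Python script emulates how fail2ban applies a failregex to the log format proposed in the question: the date is stripped first, then the regex is run against the remainder, and a host is banned once it reaches maxretry failures inside findtime. It runs both the question's unanchored `login-error from <HOST>` and the anchored `^login-error from <HOST>` the answer recommends over a constructed log, including successful-login lines whose username happens to contain text that looks like a failure line. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's real `<HOST>` expansion, the hosts and usernames are invented, and `login-ok` is an assumed success-line keyword that neither post defines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the question's log format. 203.0.113.9 never
# connects; it only appears *inside* a username on successful-login lines.
SAMPLE_LOG = [
    "2019-02-17 15:12:10 login-error from 192.168.1.1 Invalid user 'administrator'",
    "2019-02-17 15:12:20 login-error from 192.168.1.1 Invalid password for user 'admin'",
    "2019-02-17 15:12:30 login-error from 10.0.0.7 Invalid password for user 'bob'",
    "2019-02-17 15:12:40 login-error from 10.0.0.7 Invalid user 'carol'",
    "2019-02-17 15:12:50 login-error from 10.0.0.7 Invalid user 'dave'",
    "2019-02-17 15:13:00 login-error from 10.0.0.7 Invalid password for user 'bob'",
    "2019-02-17 15:13:10 login-error from 10.0.0.7 Invalid user 'erin'",
] + [
    # Five successful logins (assumed 'login-ok' keyword) whose username
    # contains text shaped like a failure line.
    f"2019-02-17 15:14:{10 + 10 * i:02d} login-ok from 10.0.0.8 User 'login-error from 203.0.113.9'"
    for i in range(5)
]

# fail2ban strips the timestamp (datepattern) before matching failregex.
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

UNANCHORED = r"login-error from <HOST>"    # the question's filter
ANCHORED = r"^login-error from <HOST>"     # the answer's recommendation


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def parse_line(line, failregex):
    """Return (timestamp, host) if the line is a matching failure, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    rest = line[m.end():]          # failregex sees the line minus its date
    fm = failregex.search(rest)
    if not fm:
        return None
    return ts, fm.group("host")


def banned_hosts(lines, failregex, maxretry=5, findtime=timedelta(minutes=10)):
    """Hosts that reach maxretry matched failures within a sliding findtime window,
    mirroring a jail with maxretry=5 (fail2ban bans on the maxretry-th failure)."""
    rx = compile_failregex(failregex)
    failures = defaultdict(list)
    banned = set()
    for line in lines:
        hit = parse_line(line, rx)
        if hit is None:
            continue
        ts, host = hit
        window = [t for t in failures[host] if ts - t <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("unanchored:", sorted(banned_hosts(SAMPLE_LOG, UNANCHORED)))
    print("anchored:  ", sorted(banned_hosts(SAMPLE_LOG, ANCHORED)))
```

With the unanchored filter, the five `login-ok` lines are counted as failures for 203.0.113.9, an address that never attempted a login, so a regex match inside user data leads to banning a bystander. The anchored filter matches only lines that start with `login-error from`, so it bans just 10.0.0.7, whose five failures mix invalid-user and invalid-password events, which is the answer's other point: both failure kinds must match the same pattern so that valid usernames cannot be enumerated by counting which ones lead to a ban.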
