DixFlatline

Reputation: 21

Configuring a filter for Fail2ban and Bookstack

I cannot successfully configure a fail2ban filter to work with Bookstack. I tried 3 different regex checkers, and they all catch the log lines, but when I try with the fail2ban-regex tool, it doesn't hit anything.

Apache error logs file:

[Mon Sep 11 10:41:55.375879 2023] [php:notice] [pid 30757] [client 82.32.100.175:52892] Failed login for [email protected], referer: https://bookstack.exemple.com/login
[Mon Sep 11 10:44:55.883100 2023] [php:notice] [pid 30743] [client 100.154.118.1:59728] Failed login for [email protected], referer: https://bookstack.exemple.com/login

fail2ban/filter.d/bookstack.conf:

[Definition]
failregex = (\[client <HOST>\]) (Failed login for .*?[^,]+)

jail.local:

[bookstack]
enabled = true
port = http,https
logpath = %(apache_error_log)s
filter = bookstack

$ sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/bookstack.conf --print-all-matched >

Running tests
=============

Use   failregex filter file : bookstack, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/error.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [51] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 51 lines, 0 ignored, 0 matched, 51 missed
[processed in 0.01 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 51 lines

Any help would be greatly appreciated. Thank you very much for your time.

Upvotes: 1

Views: 276

Answers (1)

DixFlatline

Reputation: 21

I finally solved the issue. However, I'm not sure how. Might be because of UFW or netfilter-persistent. I will soon try to re-install the server to test the two possibilities.

Here is the bookstack.conf:

datepattern = {^LN-BEG}(?:DAY )?MON Day %%k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
failregex = .*client <HOST>.*Failed login for .*?

This regex also works fine (without datepattern):

failregex = ^.*\[client <HOST>:\d+\] Failed login for.*?[^,]+

In the end, I have added some more settings in my jail.local (they were previously missing):

maxretry = 3
bantime = 300

EDIT: In case it can be useful for someone else: I re-installed the server, and it is working WITHOUT netfilter-persistent or UFW.

Upvotes: 1
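An added example, not part of the original question or answer: it runs the three failregex lines from this page over the two posted log lines plus one constructed line that has no port after the client address, and reports which host each pattern extracts. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag (an assumption), and the helper names are hypothetical.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
# (the real expansion also covers IPv6 addresses and DNS names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

LOG_LINES = [
    # The two lines posted in the question (e-mail shown as it appears on the page).
    "[Mon Sep 11 10:41:55.375879 2023] [php:notice] [pid 30757] "
    "[client 82.32.100.175:52892] Failed login for [email protected], "
    "referer: https://bookstack.exemple.com/login",
    "[Mon Sep 11 10:44:55.883100 2023] [php:notice] [pid 30743] "
    "[client 100.154.118.1:59728] Failed login for [email protected], "
    "referer: https://bookstack.exemple.com/login",
    # Constructed line: same format, but without ":port" after the address.
    "[Mon Sep 11 10:45:01.000000 2023] [php:notice] [pid 30744] "
    "[client 203.0.113.7] Failed login for [email protected], "
    "referer: https://bookstack.exemple.com/login",
]

# failregex values copied from the question and the answer.
FILTERS = {
    "question": r"(\[client <HOST>\]) (Failed login for .*?[^,]+)",
    "answer_loose": r".*client <HOST>.*Failed login for .*?",
    "answer_anchored": r"^.*\[client <HOST>:\d+\] Failed login for.*?[^,]+",
}


def run_filter(failregex, lines):
    """Expand <HOST>, search each line, return the captured host or None."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts


def report(lines=LOG_LINES):
    """Map each filter name to the list of hosts it extracted, line by line."""
    return {name: run_filter(rx, lines) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        matched = sum(h is not None for h in hosts)
        print(f"{name:16} {matched}/{len(hosts)} matched -> {hosts}")
```

The question's pattern requires `]` immediately after the address, so the `:52892` port in the posted lines prevents a match; the anchored pattern from the answer has the opposite blind spot and misses lines without a port.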
