
Item8424: Install fail2ban on the host where foswiki.org jail runs, and have it parse the jail reject logs

Priority: Urgent
CurrentState: Being Worked On
AppliesTo: Web Site
Component:
WaitingFor: Main.KoenMartens

Hey Koen, as I've raised this numerous times, I'll create you a task for it.

If you think that's not doable, or not a good idea, please close the task.

Thanks.

-- Babar - 26 Jan 2010

Sorry for the delay and all. Life caught up. Anyway, I'll tackle this one soonish!

-- KoenMartens - 04 Jun 2011

I believe the following /etc/fail2ban/filter.d/foswiki-auth.conf file will match on Foswiki authentication failures. Configure also logs failure messages but I have not created a filter for them yet.

# Fail2Ban configuration file
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#| 2010-06-25T16:16:04Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - asdfasdf -  Firefox | 192.168.1.30 |
#
failregex = .* \| AUTHENTICATION FAILURE - .* - .* \| <HOST> \|$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

And the corresponding jail.conf entry

[foswiki-web]

enabled  = true
filter   = foswiki-auth
action   = iptables[name=foswiki-web, port=http, protocol=tcp]
           sendmail-whois[name=foswiki-web, dest=foswikiadmin@foswiki.org, sender=root@foswiki.org]
logpath  = /var/www/foswiki/working/logs/events.log
maxretry = 3

-- GeorgeClark - 05 Jun 2011
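
The filter and jail entry above can be checked offline before they are deployed. This is an added example, not part of the original thread or of fail2ban itself: it expands `<HOST>` with the alias quoted in the filter's comments, runs the failregex over constructed events.log lines, and applies the jail's maxretry; the function names and every sample line except the first are assumptions.

```python
import re
from collections import Counter

# failregex from the filter above; <HOST> is expanded with the alias
# quoted in the filter's own comment block.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = r".* \| AUTHENTICATION FAILURE - .* - .* \| <HOST> \|$"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))
MAXRETRY = 3  # maxretry from the jail entry above

# Constructed events.log lines; only the first comes from the filter's comment.
# Line 4 is a non-login event. Line 5 has a username field that itself contains
# pipe-delimited text resembling an address.
SAMPLE_LOG = """\
| 2010-06-25T16:16:04Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - asdfasdf -  Firefox | 192.168.1.30 |
| 2010-06-25T16:16:09Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - admin -  Firefox | 192.168.1.30 |
| 2010-06-25T16:16:15Z info | guest | login | Someweb.WebHome | AUTHENTICATION FAILURE - root -  Firefox | 192.168.1.30 |
| 2010-06-25T16:17:01Z info | JoeUser | view | Main.WebHome |  Firefox | 192.168.1.44 |
| 2010-06-25T16:18:30Z info | guest | login | Main.WebHome | AUTHENTICATION FAILURE - x | 203.0.113.9 | -  curl | 198.51.100.7 |
"""


def failed_hosts(log_text):
    """Return a Counter of host -> number of lines the failregex matched."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose match count reaches maxretry (findtime window not modelled)."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Because the failregex ends in `<HOST> \|$`, the host is always read from the final field of the line, so the address-like text inside the username on the last sample line is not counted. On a host with fail2ban installed, the bundled `fail2ban-regex` tool runs the same kind of check against the real log file and filter.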

George, the problem is that this needs to be done outside the jail, on the master, hence Koen needs to do it, as he's the only one with access to the master, for now.

And I'm pretty confident he knows how to configure a fail2ban, but thanks for adding the foswiki rules. I was more worried about the ssh rejection, but it's true it doesn't hurt much to add this. Thanks.

-- OlivierRaginel - 05 Jun 2011


Summary Install fail2ban on the host where foswiki.org jail runs, and have it parse the jail reject logs
ReportedBy OlivierRaginel
Codebase
SVN Range
AppliesTo Web Site
Component
Priority Urgent
CurrentState Being Worked On
WaitingFor KoenMartens
Checkins
TargetRelease n/a
ReleasedIn n/a
Topic revision: r4 - 05 Jun 2011, OlivierRaginel
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See CopyrightStatement.