I created the following Fail2ban configuration for ownCloud.
Code:
[Definition]
failregex = {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
Code:
[owncloud-login]
enabled = true
port = http,https
filter = owncloud-login
logpath = /srv/www/owncloud/data/owncloud.log
maxretry = 3
Code:
'logtimezone' => 'Europe/Berlin',
Code:
root@srv:~# fail2ban-regex /srv/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud-login.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/owncloud-login.conf
Use log file : /srv/www/owncloud/data/owncloud.log
Results
=======
Failregex
|- Regular expressions:
| [1] {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
|
`- Number of matches:
[1] 7 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
x.x.x.x (Fri Oct 24 23:12:08 2014)
x.x.x.x (Fri Oct 24 23:12:13 2014)
x.x.x.x (Fri Oct 24 23:12:18 2014)
x.x.x.x (Fri Oct 24 23:12:22 2014)
x.x.x.x (Fri Oct 24 23:12:26 2014)
x.x.x.x (Fri Oct 24 23:12:32 2014)
x.x.x.x (Fri Oct 24 23:12:37 2014)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
14 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 7
However, look at the above section 'Running tests' which could contain important
information.
Code:
root@srv:~# cat /srv/www/owncloud/data/owncloud.log
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:08+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:13+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:18+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:22+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:26+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:32+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:37+02:00"}
Regards,
Jochen
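An added example, not part of the post above and not Fail2ban's own code: a Python sketch that parses ownCloud log lines in the format shown, reads the ISO 8601 `time` field with its UTC offset, and applies the jail's `maxretry = 3` per address. The `findtime` of 600 seconds, the IP-only host pattern and the sample log lines are assumptions made for the illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message layout copied from the owncloud.log lines in the post; the host group
# stands in for fail2ban's <HOST> tag and accepts IP literals only (assumption).
MSG_RE = re.compile(r"^Login failed: '.*' \(Remote IP: '(?P<host>[0-9A-Fa-f:.]+)', "
                    r"X-Forwarded-For: '.*'\)$")
MAXRETRY = 3                       # maxretry from the [owncloud-login] jail
FINDTIME = timedelta(seconds=600)  # assumption: the post sets no findtime
# Constructed sample lines (documentation addresses), not taken from the post.
SAMPLE_LOG = """\
{"app":"core","message":"Login failed: 'max' (Remote IP: '192.0.2.10', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:08+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: '198.51.100.7', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:10+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: '192.0.2.10', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:13+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: '198.51.100.7', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:15+02:00"}
{"app":"files","message":"unrelated entry","level":1,"time":"2014-10-24T22:12:16+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: '192.0.2.10', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:18+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: '198.51.100.7', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:40:00+02:00"}
"""

def parse_line(line):
    """Return (host, timezone-aware datetime) for a failed core login, else None."""
    try:
        entry = json.loads(line)
        if entry["app"] != "core" or entry["level"] != 2:
            return None
        match = MSG_RE.match(entry["message"])
        when = datetime.fromisoformat(entry["time"])
    except (ValueError, KeyError, TypeError):
        return None
    if match is None or when.tzinfo is None:
        return None
    return match.group("host"), when

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that reach maxretry failed logins within one findtime window."""
    recent, banned = defaultdict(list), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        # Keep only failures still inside the window, then add the new one.
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```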