fail2ban regex for Owncloud 8

Ask all your questions regarding OC 8.0 and 8.1 Please read the Support Forum Rules
Forum rules
The forums were migrated over to https://central.owncloud.org which is based on the forum software Discourse. The forums here is put into read-only mode starting from today.

More background information about this move and the reasoning behind it is available in this blogpost:

https://daniel.molkentin.net/2016/07/20 ... d-central/
iskear
Newbie
Posts: 2
Joined: Tue Feb 10, 2015 8:45 pm
ownCloud version: 8.0.0
Webserver: nginx
Database: MySQL
OS: Unknown
PHP version: latest

fail2ban regex for Owncloud 8

Postby iskear » Tue Feb 10, 2015 8:55 pm

Hello,
I just updated to Owncloud 8 and it's working great, except fail2ban doesnt detects anything anymore. I looked into the logs and saw that oc appeared to have changed the logging format again. Now my question, since the release is so fresh I simply dont find a working regex for fail2ban so that the new format:

Code: Select all

{"reqId":"a3afd43234a09a087b785acf835facca","remoteAddr":"10.0.0.20","app":"core","message":"Login failed: 'a' (Remote IP: '10.0.0.20', X-Forwarded-For: '')","level":2,"time":"2015-02-10T19:30:14+01:00","method":"POST","url":"\/"}

is getting found accordingly.
I'm myself not skilled enough getting something to work, but I tried:

Code: Select all

{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)"
,"level":2,"time":".*","method":"POST","url":"\/"}

This unfortunatly doesn't work.
In contrast, the one for 7.0.4 looked like that:

Code: Select all

{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

Maybe you can help, thank you in advance

MarkG
Newbie
Posts: 9
Joined: Mon Feb 09, 2015 10:48 pm
ownCloud version: 8.0.0
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.5

Re: fail2ban regex for Owncloud 8

Postby MarkG » Tue Feb 10, 2015 11:06 pm

Yikes! Thanks for the tip that fail2ban is broken. I just upgraded on Sunday and did not think to test that.

Chakalov
Newbie
Posts: 2
Joined: Wed Feb 11, 2015 12:01 am
ownCloud version: 8.0.2
Webserver: nginx
Database: MySQL
OS: Linux
Location: Sofia, Bulgaria

Re: fail2ban regex for Owncloud 8

Postby Chakalov » Wed Feb 11, 2015 12:03 am

Hi,

You were actually pretty close! Here's the working regex:

Code: Select all

{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}


At least that's working just fine with my new 8.0.0.2 version of ownCloud.

Let me know if it worked for you as well

MarkG
Newbie
Posts: 9
Joined: Mon Feb 09, 2015 10:48 pm
ownCloud version: 8.0.0
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.5

Re: fail2ban regex for Owncloud 8

Postby MarkG » Wed Feb 11, 2015 4:02 am

Iskear, thanks again for the heads up, and Chakalov, thank you for the fix!

I can confirm:
1) the regex that worked for fail2ban with 7.0.4 indeed failed with 8.0.0, and
2) the fix above works for me on ownCloud 8.0.0-5 with fail2ban 0.8.11 on Linux Mint 17.1.

iskear
Newbie
Posts: 2
Joined: Tue Feb 10, 2015 8:45 pm
ownCloud version: 8.0.0
Webserver: nginx
Database: MySQL
OS: Unknown
PHP version: latest

Re: fail2ban regex for Owncloud 8

Postby iskear » Wed Feb 11, 2015 7:52 pm

Thank you very much, I tested your filter and it worked!
Greatings, Iskear

Trevelian
Beginner
Posts: 12
Joined: Thu Mar 28, 2013 2:33 pm
ownCloud version: 8.0.0
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.4.37

Re: fail2ban regex for Owncloud 8

Postby Trevelian » Wed Feb 11, 2015 8:01 pm

Hello :)

failregex={.*Login failed:.*IP: '<HOST>',.*"}

Work for both version.

MarkG
Newbie
Posts: 9
Joined: Mon Feb 09, 2015 10:48 pm
ownCloud version: 8.0.0
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.5

Re: fail2ban regex for Owncloud 8

Postby MarkG » Wed Feb 11, 2015 11:32 pm

Trevelian wrote:Work for both version.
I prefer to be more specific, and not make things like DoS attacks too easy. With that regex, try logging with a userid like "IP: 'localhost'". HOST would be parsed out as localhost. In the log entries, the unfiltered user input userid immediately follows the "Login failed:" string.

artemicion
Starter
Posts: 51
Joined: Sat May 03, 2014 3:48 am
ownCloud version: 8.0.2
Webserver: Apache
Database: MySQL
OS: Linux

Re: fail2ban regex for Owncloud 8

Postby artemicion » Tue Mar 10, 2015 3:48 pm

Chakalov wrote:Hi,

You were actually pretty close! Here's the working regex:

Code: Select all

{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}


At least that's working just fine with my new 8.0.0.2 version of ownCloud.

Let me know if it worked for you as well


This got it working for me! Thank you! :)

RealRancor
ownCloud master
Posts: 17381
Joined: Sat May 26, 2012 3:00 pm
ownCloud version: 9.0.2
Webserver: nginx
Database: MySQL
OS: Linux
PHP version: 7.0.x

Re: fail2ban regex for Owncloud 8

Postby RealRancor » Wed May 27, 2015 10:04 am

Hi,

just an additional note:

If your server is not in UTC you need to specify the following in your config/config.php:

Code: Select all

'logtimezone' => 'Europe/Berlin',

(Replace Europe/Berlin with the matching one of your system)

Without this fail2ban won't detect failed logins as there is a time difference (in my case UTC -> CEST = 2h) and won't ban failed logins.
*gone*

stefe
Newbie
Posts: 6
Joined: Tue Mar 25, 2014 11:09 am
ownCloud version: 7.0.3
Webserver: Apache
Database: MySQL
OS: Linux Hosting Package
PHP version: 5.4

Re: fail2ban regex for Owncloud 8

Postby stefe » Tue Jul 07, 2015 10:55 pm

I think for 8.1 thre is a new regex:

Code: Select all

{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}


But why is in my logfile a " ' " missing at the end of the ip adress?


  • Similar Topics
    Replies
    Views
    Last post

Return to “ownCloud Server 8.0 and 8.1”

Who is online

Users browsing this forum: No registered users and 2 guests