5

Is it possible to catch an authentication failure spread over multiple lines with a fail2ban regex?

Here is the example:

Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure

Thanks

Donal
bonnemais

2 Answers

7

Yeah sure, fail2ban uses Python regex with the multiline option. In your case, try:

afpd\[[0-9]+\] \{dsi_tcp\.c:241\} \(I:DSI\): AFP/TCP session from <HOST>:[0-9]+\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*PAM_Error: Authentication failure

As you can see, you just have to put \n where needed. Don't forget to set the maxlines option to 4 in your case, so that fail2ban uses 4 lines to match the regex. Your filter file should look something like:

[Init]
maxlines = 4

[Definition]

failregex = afpd\[[0-9]+\] \{dsi_tcp\.c:241\} \(I:DSI\): AFP/TCP session from <HOST>:[0-9]+\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n.*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*PAM_Error: Authentication failure

ignoreregex =

Use fail2ban-regex to test your regex.

wpoely86
1

I was just looking for a solution to the same problem - but I think that the answer given by wpoely86 can lead to blocking innocent IPs, if there are multiple IPs connecting at more or less the same time.

Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.207815 afpd[99999] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.10.10.10:53864
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Sep 08 11:55:01.522258 afpd[99999] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_success: Authentication succeeded

Above, the offending connection came from 10.0.71.149. However, the regex would block 10.10.10.10. In other words, the regex would need to distinguish between afpd[99999] and afpd[16190] (which identify the PID of the afpd process).
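The following Python script is an added example and is not code from either answer. It runs the four-line failregex from the first answer, and a PID-aware variant that ties the "session from" line to the failure line with a backreference, over the question's log and over the interleaved log from the second answer. The harness approximates fail2ban's multiline matching (a window of up to maxlines lines joined with "\n", the regex compiled with Python's re module, and <HOST> expanded as fail2ban 0.8 does); the assumption that one afpd child PID serves exactly one session, which the PID-aware regex relies on, is mine, as is the escaping of the literal braces and dots.

```python
from __future__ import annotations

import re

# fail2ban (0.8.x) expands the <HOST> tag to this group before compiling the
# failregex; the named group "host" is the address that gets banned.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The four-line failregex from the first answer as a raw string. Lines are joined
# with "\n" exactly as the answer describes; ".*" cannot cross a newline because
# DOTALL is not set, so each ".*" stays on its own line.
NAIVE_FAILREGEX = (
    r"afpd\[[0-9]+\] \{dsi_tcp\.c:241\} \(I:DSI\): AFP/TCP session from <HOST>:[0-9]+\n"
    r".*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n"
    r".*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*\n"
    r".*afpd\[[0-9]+\] \{uams_dhx2_pam\.c:[0-9]+\}.*PAM_Error: Authentication failure"
)

# PID-aware variant (assumption: one afpd child serves one session, so the PID in
# "afpd[NNNN]" identifies the session). The PID captured on the session line must
# reappear, via the (?P=pid) backreference, on the failure line; any number of
# unrelated lines may sit in between, bounded only by fail2ban's maxlines window.
PID_FAILREGEX = (
    r"afpd\[(?P<pid>[0-9]+)\] \{dsi_tcp\.c:241\} \(I:DSI\): AFP/TCP session from <HOST>:[0-9]+\n"
    r"(?:.*\n)*?"
    r".*afpd\[(?P=pid)\] \{uams_dhx2_pam\.c:[0-9]+\}.*PAM_Error: Authentication failure"
)

# Sample input taken from the question (one session, one failure).
SIMPLE_LOG = """\
Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
"""

# Sample input taken from the second answer: a second client (PID 99999, 10.10.10.10)
# interleaves with the failing session (PID 16190, 10.0.71.149) and succeeds.
INTERLEAVED_LOG = """\
Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.207815 afpd[99999] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.10.10.10:53864
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Sep 08 11:55:01.522258 afpd[99999] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_success: Authentication succeeded
"""


def find_offenders(log: str, failregex: str, maxlines: int) -> list[str]:
    """Approximate fail2ban's multiline matching: for each line, join it with the
    following lines (at most `maxlines` in total), search the buffer with the
    compiled failregex, and record the <host> of a match that starts on that line.
    Each match is thus reported exactly once, in log order."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG), re.MULTILINE)
    lines = log.splitlines()
    hosts: list[str] = []
    for i in range(len(lines)):
        buffer = "\n".join(lines[i:i + maxlines])
        m = pattern.search(buffer)
        # search() returns the leftmost match, so if it starts past the first
        # newline no match begins on line i of this window.
        if m and buffer.count("\n", 0, m.start()) == 0:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, log in (("question's log", SIMPLE_LOG), ("interleaved log", INTERLEAVED_LOG)):
        print(name,
              "naive (maxlines=4):", find_offenders(log, NAIVE_FAILREGEX, 4),
              "pid-aware (maxlines=10):", find_offenders(log, PID_FAILREGEX, 10))
```

On the question's log both regexes report 10.0.71.149. On the interleaved log the four-line regex reports 10.10.10.10, because the only run of "session, uams, uams, PAM_Error" lines in a four-line window starts at the innocent client's session line, while the PID-aware regex reports 10.0.71.149. Two caveats apply to the backreference approach: maxlines must be large enough to cover the longest gap between a session line and its failure line, and PIDs are eventually reused, so a very large window could pair a stale session line with a later child's failure.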