Comments (7)
the error log can not be changed in nginx and it always adds a timestamp to the error message
Imho, it depends on how the log-forwarding to syslog is configured.
Changing the start of the expression from ^\s*[error] to ^.*[error] resolves this problem and the filter matches.
This is an ugly workaround, since the RE becomes vulnerable due to the broken anchor - because ^.*
is quasi the same as if it were missing, so there is no anchor anymore and the REs may match everywhere (also against user input with an "injection" attempt); additionally it becomes very slow, especially on long messages, since it must search the whole message.
Anyway, for people having that format, here is an interim workaround:
- mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+ mdre-auth = ^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
- mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
+ mdre-fallback = ^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
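Review bot: the prefix `(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?` added to both the mdre-auth and mdre-fallback lines ends in `[^\[]*`, which accepts any bracket-free text between `nginx[<pid>]: ` and `[error]`/`[crit]`; that is looser than the single optional timestamp the accompanying explanation describes. If the extra text is only the nginx timestamp, `(?:\d{4}/\d\d/\d\d \d\d:\d\d:\d\d )?` in place of `[^\[]*` pins it down and keeps the expression as tightly anchored as the comment above argues for. The prefix is also duplicated verbatim in both lines; defining it once in the filter's [Definition] section and interpolating it into both expressions keeps the two from drifting apart.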
(the part (?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?
would optionally match the systemd prefix, plus an optional additional timestamp)
from fail2ban.
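To make the difference between the three variants concrete (the original anchored expression, the `^.*` workaround, and the optional-prefix fix), here is an added example that is not part of the thread or of fail2ban itself. It reuses the mdre-auth body from the comment above in Python's `re` (fail2ban's own regex engine), substitutes a simplified stand-in for fail2ban's `<HOST>` tag (an assumption: the real expansion is broader), and runs all three against constructed log lines: a plain nginx line, a journal-prefixed line, and a line from some other source that merely contains the nginx text. It also times the variants on a long non-matching line to show why `^.*` costs more than `^\s*`.

```python
import re
import timeit

# Stand-in for fail2ban's <HOST> tag. Assumption: fail2ban's real expansion is
# broader; this one is enough for the IPv4 literals and hostnames used below.
HOST = r"(?P<host>[\w\-.:]+)"

# Body of the mdre-auth expression from the thread, shared by all three variants.
AUTH_BODY = (
    r'\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? '
    r'(?:password mismatch|was not found in "[^"]*"), client: ' + HOST +
    r', server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"'
    r'(?:, referrer: "\S+")?\s*$'
)

VARIANTS = {
    # original filter: the nginx message must start right after the stripped date
    "original": re.compile(r"^\s*" + AUTH_BODY),
    # the "ugly workaround": ^.* throws the anchor away
    "unanchored": re.compile(r"^.*" + AUTH_BODY),
    # the interim fix: optional "<ident> nginx[<pid>]: <anything without '['>" prefix
    "fixed": re.compile(r"^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?" + AUTH_BODY),
}

# Constructed sample lines (not real log data).
SAMPLES = {
    # nginx error_log written to a file, as fail2ban sees it after the date is stripped
    "plain": '[error] 1234#1234: *5 user "admin": password mismatch, client: 192.0.2.10, '
             'server: example.com, request: "GET /secure HTTP/1.1", host: "example.com"',
    # the same kind of event arriving through the journal with a systemd/syslog prefix
    "journal": 'web1 nginx[1234]: 2024/01/15 10:00:00 [error] 1234#1234: *6 user "root" '
               'was not found in "/etc/nginx/htpasswd", client: 198.51.100.7, '
               'server: example.com, request: "POST /admin HTTP/1.1", host: "example.com", '
               'referrer: "https://example.com/"',
    # a line from some other program that happens to carry the nginx text: an
    # anchored filter must not ban anyone on the strength of this
    "foreign": 'some other daemon echoing text [error] 1#1: *8 user "admin": password mismatch, '
               'client: 203.0.113.99, server: example.com, request: "GET / HTTP/1.1", '
               'host: "example.com"',
}


def classify(line):
    """Return {variant name: extracted host or None} for one log line."""
    result = {}
    for name, rx in VARIANTS.items():
        m = rx.match(line)
        result[name] = m.group("host") if m else None
    return result


def relative_cost(line_length=20000, repeats=200):
    """Seconds spent by each variant on a long line that matches none of them.

    ^\\s* fails at the first character; ^.* first swallows the whole line and then
    backtracks through every position looking for '[error]'.
    """
    line = "x" * line_length
    return {
        name: timeit.timeit(lambda rx=rx: rx.match(line), number=repeats)
        for name, rx in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8s} {classify(line)}")
    for name, secs in relative_cost().items():
        print(f"{name:10s} {secs:.4f}s")
```

The "foreign" line is the point of the anchor discussion: the `^.*` variant extracts 203.0.113.99 from it and would hand that address to the ban action, while both anchored variants reject it. The timing figures vary by machine, so the block prints them rather than treating them as fixed values.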
Thanks a lot for the quick resolution. I suspected that my workaround was a dirty hack.
from fail2ban.
mdre-fallback = ^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
I've applied it but it's always the same, it returns 228 missed... any suggestion?
Debian 11
Fail2ban 0.11.2
from fail2ban.
People... nobody can provide any suggestions if you give zero info.
In order to help you, we need at least one "missed" message you complain about...
Try it with:
fail2ban-regex --print-all-missed systemd-journal 'nginx-http-auth[mode=aggressive]'
and provide a few lines that are still missed by the filter as an example.
from fail2ban.
It doesn't look to me like your nginx writes the error log to the systemd journal - there is not a single message which should be matched by the filter. I see only warnings or start emergency messages (thrown at the start of the nginx unit per worker), nothing else.
If you mean it must really be the systemd journal, try to find out (with journalctl in json output) which tags it uses exactly; the current filter uses _SYSTEMD_UNIT=nginx.service + _COMM=nginx.
For instance:
journalctl -o json | grep nginx
(or something similar)
If not (the error log is a file) - you must use backend = auto
and set the proper logpath
for this jail.
from fail2ban.
ok ok, will check later, too many results with journalctl -o json | grep nginx... no time to check all now xD
Thanks for helping me!
from fail2ban.