Hi,
Did anyone install fail2ban for App Suite? Somehow fail2ban does not want to work for me.
I would be very grateful for any tip.
Thanks
OS: CentOS 7
fail2ban-0.9.2
1. Logfile
--------------
2015-07-29T17:55:38,832+0200 ERROR [OXWorker-0001250] com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:328)
com.openexchange.ajax.action=login
com.openexchange.ajax.module=login
com.openexchange.grizzly.queryString=<none>
com.openexchange.grizzly.remoteAddress=10.0.23.6
-------------
2. Filter
cat filter.d/open-xchange.conf
--------------------------------
[Init]
maxlines = 5
[Definition]
failregex = ^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n com.openexchange.ajax.action=login\n com.openexchange.ajax.module=login\n com.openexchange.grizzly.queryString=<none>\n com.openexchange.grizzly.remoteAddress=<HOST>$
ignoreregex =
-----------------------------
3. Jail
cat jail.d/open-xchange.local
----------------------------
[open-xchange]
enabled = true
filter = open-xchange
port = https
logpath = /var/log/open-xchange/open-xchange.log.0
bantime = 1800
4. test
----------------
fail2ban-regex /var/log/open-xchange/open-xchange.log.0 /etc/fail2ban/filter.d/open-xchange.conf -v
----------------
Running tests
=============
Use failregex filter file : open-xchange, basedir: /etc/fail2ban
Use maxlines : 5
Use log file : /var/log/open-xchange/open-xchange.log.0
Use encoding : UTF-8
Results
=======
Failregex: 76 total
|- #) [# of hits] regular expression
| 1) [76] ^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n com.openexchange.ajax.action=login\n com.openexchange.ajax.module=login\n com.openexchange.grizzly.queryString=<none>\n com.openexchange.grizzly.remoteAddress=<HOST>$
| 10.0.23.6 Wed Jul 29 12:18:30 2015
.............................................
| 192.168.2.155 Sun Aug 02 15:55:05 2015
| 192.168.2.155 Sun Aug 02 15:55:06 2015
| 192.168.2.155 Sun Aug 02 15:55:07 2015
| 192.168.2.155 Sun Aug 02 15:55:07 2015
| 192.168.2.155 Sun Aug 02 15:55:15 2015
| 192.168.2.155 Sun Aug 02 15:55:22 2015
| 192.168.2.155 Sun Aug 02 15:55:24 2015
| 192.168.2.155 Sun Aug 02 15:55:25 2015
| 192.168.2.155 Sun Aug 02 15:55:32 2015
| 192.168.2.155 Sun Aug 02 15:55:33 2015
| 192.168.2.155 Sun Aug 02 15:55:34 2015
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3501] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
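Added example, not part of the original post and not fail2ban's own code: a simplified offline emulation of how the posted multi-line failregex is applied over a sliding window of maxlines lines, so the filter can be unit-tested against sample entries. Assumptions: the <HOST> tag is replaced by an IPv4-only stand-in, the property lines start with one space as the posted regex requires, the timestamp is not stripped before matching, the window is simply cleared after a hit, and all log entries (including the made-up property com.example.extra) are constructed.

```python
import re
from collections import deque

# failregex as posted in filter.d/open-xchange.conf (one logical line)
FAILREGEX = (
    r"^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n"
    r" com.openexchange.ajax.action=login\n"
    r" com.openexchange.ajax.module=login\n"
    r" com.openexchange.grizzly.queryString=<none>\n"
    r" com.openexchange.grizzly.remoteAddress=<HOST>$"
)
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def find_failures(lines, maxlines=5):
    """Return hosts matched while sliding a maxlines-sized window."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST), re.MULTILINE)
    window, hosts = deque(maxlen=maxlines), []
    for line in lines:
        window.append(line.rstrip("\n"))
        match = pattern.search("\n".join(window))
        if match:
            hosts.append(match.group("host"))
            window.clear()  # simplification: drop the consumed lines
    return hosts

def entry(level, ip, extra=()):
    """Build one constructed log entry; property lines start with a space."""
    head = ("2015-07-29T17:55:38,832+0200 %s [OXWorker-0001250] "
            "com.openexchange.ajax.login.AbstractLoginRequestHandler"
            ".loginOperation(AbstractLoginRequestHandler.java:328)" % level)
    props = ["com.openexchange.ajax.action=login",
             "com.openexchange.ajax.module=login", *extra,
             "com.openexchange.grizzly.queryString=<none>",
             "com.openexchange.grizzly.remoteAddress=" + ip]
    return [head] + [" " + p for p in props]

# Constructed sample log (not taken from the poster's server).
SAMPLE = (entry("ERROR", "10.0.23.6")
          + entry("INFO", "192.0.2.10")                    # not an ERROR
          + entry("ERROR", "198.51.100.7",
                  extra=["com.example.extra=1"])           # made-up property
          + entry("ERROR", "192.168.2.155"))

if __name__ == "__main__":
    print(find_failures(SAMPLE))
```

The third constructed entry is not counted: the regex requires the five lines in exactly this order, so one additional property line between module and queryString makes the filter miss the entry.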