Fail2ban and App Suite

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Fail2ban and App Suite

    Hi,

    Did anyone install fail2ban for App Suite? Somehow fail2ban does not want to work for me.
    I would be very grateful for any tip.

    Thanks

    OS: CentOS 7
    fail2ban-0.9.2

    1. Logfile
    --------------
    2015-07-29T17:55:38,832+0200 ERROR [OXWorker-0001250] com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:328)

    com.openexchange.ajax.action=login
    com.openexchange.ajax.module=login
    com.openexchange.grizzly.queryString=<none>
    com.openexchange.grizzly.remoteAddress=10.0.23.6
    -------------

    2. Filter
    cat filter.d/open-xchange.conf
    --------------------------------
    [Init]
    maxlines = 5

    [Definition]
    failregex = ^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n com.openexchange.ajax.action=login\n
                com.openexchange.ajax.module=login\n com.openexchange.grizzly.queryString=<none>\n
                com.openexchange.grizzly.remoteAddress=<HOST>$
    ignoreregex =
    -----------------------------

    3. Jail
    cat jail.d/open-xchange.local
    ----------------------------
    [open-xchange]
    enabled = true
    filter = open-xchange
    port = https
    logpath = /var/log/open-xchange/open-xchange.log.0
    bantime = 1800

    4. test
    ----------------
    fail2ban-regex /var/log/open-xchange/open-xchange.log.0 /etc/fail2ban/filter.d/open-xchange.conf -v
    ----------------
    Running tests
    =============

    Use failregex filter file : open-xchange, basedir: /etc/fail2ban
    Use maxlines : 5
    Use log file : /var/log/open-xchange/open-xchange.log.0
    Use encoding : UTF-8


    Results
    =======

    Failregex: 76 total
    |- #) [# of hits] regular expression
    | 1) [76] ^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n com.openexchange.ajax.action=login\n com.openexchange.ajax.module=login\n com.openexchange.grizzly.queryString=<none>\n com.openexchange.grizzly.remoteAddress=<HOST>$
    | 10.0.23.6 Wed Jul 29 12:18:30 2015
    .............................................
    | 192.168.2.155 Sun Aug 02 15:55:05 2015
    | 192.168.2.155 Sun Aug 02 15:55:06 2015
    | 192.168.2.155 Sun Aug 02 15:55:07 2015
    | 192.168.2.155 Sun Aug 02 15:55:07 2015
    | 192.168.2.155 Sun Aug 02 15:55:15 2015
    | 192.168.2.155 Sun Aug 02 15:55:22 2015
    | 192.168.2.155 Sun Aug 02 15:55:24 2015
    | 192.168.2.155 Sun Aug 02 15:55:25 2015
    | 192.168.2.155 Sun Aug 02 15:55:32 2015
    | 192.168.2.155 Sun Aug 02 15:55:33 2015
    | 192.168.2.155 Sun Aug 02 15:55:34 2015
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [3501] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
    | [0] (?AY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    | [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
    | [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
    | [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    | [0] Month/Day/Year:24hour:Minute:Second
    | [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
    | [0] TAI64N
    | [0] Epoch
    | [0] ^24hour:Minute:Second
    | [0] ^<Month/Day/Year2@24hour:Minute:Second>
    | [0] ^Year2MonthDay ?24hour:Minute:Second
    | [0] MON Day, Year 12hour:Minute:Second AMPM
    | [0] ^MON-Day-Year2 24hour:Minute:Second
    `-

  • #2
    Is there a solution for this yet?

    Securing the other services (smtp, imap(s)) with fail2ban is no problem. But the open-xchange.log.0 is not really readable in any useful way. Does anyone have a regex for it? Or is there an elegant way to solve this differently?

    I first tried to limit the HTTPS connections, but especially with Chrome the users get locked out very quickly that way.
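
Added here to check the filter from the first post offline, and as a starting point for the regex question in #2: a Python script that is not from the thread. It emulates fail2ban's maxlines buffering with the posted failregex, parses the log's comma-millisecond timestamps, and counts matches per remoteAddress over a constructed sample log; it assumes continuation lines indented by one space (as the regex requires) and uses an approximation of fail2ban's `<HOST>` expansion.

```python
import re
from collections import Counter
from datetime import datetime
# The thread's failregex with <HOST> expanded (approximation of fail2ban 0.9's expansion).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILRE = re.compile(
    r"^(.*) ERROR \[OXWorker-.*\] com.openexchange.ajax.login.*\n"
    r" com.openexchange.ajax.action=login\n"
    r" com.openexchange.ajax.module=login\n"
    r" com.openexchange.grizzly.queryString=<none>\n"
    r" com.openexchange.grizzly.remoteAddress=" + HOST_RE + r"$",
    re.MULTILINE,
)
MAXLINES = 5  # same as [Init] maxlines in the posted filter
# Timestamp at the start of the ERROR line, e.g. 2015-07-29T17:55:38,832+0200 (comma before ms)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),(\d{3})([+-]\d{4})")

def parse_ts(line):
    """Return the log timestamp as a timezone-aware datetime, or None if absent."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{m[1]}.{m[2]}{m[3]}", "%Y-%m-%dT%H:%M:%S.%f%z") if m else None

def find_failures(lines, maxlines=MAXLINES):
    """Emulate fail2ban's maxlines buffer: after each line, run the regex over the last
    `maxlines` lines joined by newlines; on a match record (host, time) and flush the buffer."""
    buf, hits = [], []
    for line in lines:
        buf = (buf + [line.rstrip("\n")])[-maxlines:]
        m = FAILRE.search("\n".join(buf))
        if m:
            hits.append((m.group("host"), parse_ts(m.group(1))))
            buf = []  # one multi-line entry counts once
    return hits

def failures_per_host(lines):
    """Count matched login errors per remoteAddress, the key fail2ban would ban on."""
    return Counter(host for host, _ in find_failures(lines))

# Constructed sample entries in the layout the regex expects (continuation lines indented one space).
def entry(ts, worker, action, host):
    return [f"{ts} ERROR [OXWorker-{worker}] com.openexchange.ajax.login.AbstractLoginRequestHandler"
            ".loginOperation(AbstractLoginRequestHandler.java:328)",
            f" com.openexchange.ajax.action={action}", " com.openexchange.ajax.module=login",
            " com.openexchange.grizzly.queryString=<none>", f" com.openexchange.grizzly.remoteAddress={host}"]

SAMPLE_LOG = (entry("2015-07-29T17:55:38,832+0200", "0001250", "login", "10.0.23.6")
              + ["2015-08-02T15:55:04,001+0200 INFO  [OXWorker-0001251] com.openexchange.server started"]
              + entry("2015-08-02T15:55:05,120+0200", "0001252", "login", "192.168.2.155")
              + entry("2015-08-02T15:55:06,300+0200", "0001253", "autologin", "192.168.2.155")  # no match
              + entry("2015-08-02T15:55:07,410+0200", "0001254", "login", "192.168.2.155"))
```

Running `find_failures` with `maxlines=4` returns nothing, because the five-line entry can never fit into the window; that is the failure mode to check first when a multi-line filter counts zero hits.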
