Code-server: Fail2Ban Sample Configuration is Outdated

Created on 14 Nov 2019 · 3 Comments · Source: cdr/code-server

Description

The provided fail2ban configuration is outdated and does not work. The format of the access log has apparently been changed.

This is what an entry on the access log looks like:

Failed login attempt {"remoteAddress":"::ffff:127.0.0.1","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0","timestamp":1573554454}

This does not match with the fail regex provided in the sample fail2ban configuration:

failregex = ^INFO\s+Failed login attempt\s+{\"password\":\"(\\.|[^"])*\",\"remoteAddress\":\"<HOST>\"
datepattern = "timestamp":{EPOCH}}$

I have attempted to modify the fail regex for the new log format but have not been able to get the syntax correct. My regex is the following:

failregex=^Failed login attempt {\"remoteAddress\":\"<HOST>\"
datepattern = "timestamp":{EPOCH}}$

I am unable to get a match when testing with fail2ban-regex.

question

All 3 comments

@61214577 Instead of opening an issue, kindly make a PR for this instead. Thanks.

Ah right the format changed. Your regex looks like it should match the
new format: https://regex101.com/r/4dnbf2/1

I'm not very familiar with fail2ban; is it possible it is choking on
the IPv6 address?

This had to do with Ubuntu's apt providing an older version of fail2ban. Support for the type of datepattern regex used in the code-server configuration was added in v0.10. Installing the latest release from the fail2ban GitHub repo fixed the issue.
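An offline check of the patterns discussed in this thread, as an added example that is not part of the issue or of code-server's or fail2ban's own code. The `HOST` and `EPOCH` patterns are simplified stand-ins (assumptions) for what fail2ban substitutes for `<HOST>` and `{EPOCH}`, and `SAMPLE_V6` is a constructed log line.

```python
import re

# Constructed stand-ins (assumptions): simplified versions of what fail2ban
# substitutes for <HOST> and {EPOCH}; the real expansions accept more forms.
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{2,39})"
EPOCH = r"(?P<epoch>\d{10,11})"

# Patterns copied from the thread: the outdated sample and the updated attempt.
OLD_FAILREGEX = r'^INFO\s+Failed login attempt\s+{\"password\":\"(\\.|[^"])*\",\"remoteAddress\":\"<HOST>\"'
NEW_FAILREGEX = r'^Failed login attempt {\"remoteAddress\":\"<HOST>\"'
DATEPATTERN = r'"timestamp":{EPOCH}}$'

# Log entry quoted in the issue (IPv4-mapped IPv6 client address).
SAMPLE = ('Failed login attempt {"remoteAddress":"::ffff:127.0.0.1",'
          '"userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) '
          'Gecko/20100101 Firefox/70.0","timestamp":1573554454}')
# Constructed line: same format with a native IPv6 client address.
SAMPLE_V6 = ('Failed login attempt {"remoteAddress":"2001:db8::1",'
             '"userAgent":"curl/7.65.3","timestamp":1573554500}')


def check(line, failregex, datepattern=DATEPATTERN):
    """Return (host, epoch) when both patterns match the line, else None."""
    date = re.search(datepattern.replace("{EPOCH}", EPOCH), line)
    hit = re.search(failregex.replace("<HOST>", HOST), line)
    if date is None or hit is None:
        return None
    return hit.group("host"), int(date.group("epoch"))


if __name__ == "__main__":
    # The old pattern misses the new log format; the new one extracts the host.
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        for line in (SAMPLE, SAMPLE_V6):
            print(name, check(line, rx))
```

A match here only shows that the expressions fit the log format; it says nothing about whether the installed fail2ban version understands the `{EPOCH}` datepattern syntax, which was the cause reported above.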
