Fail2ban: Help needed with fail2ban-regex guacamole docker logs

Created on 24 Nov 2020  Â·  6Comments  Â·  Source: fail2ban/fail2ban

General Information:
Distribution: Ubuntu 18.04
Fail2Ban v0.10.2

Environment:

_Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated,
and you can't verify that the issue persists in the recent release, better seek support
from the distribution you obtained Fail2Ban from_

  • Fail2Ban version (including any possible distribution suffixes):
  • OS, including release name/version:
  • [X] Fail2Ban installed via OS/distribution mechanisms
  • [ ] You have not applied any additional foreign patches to the codebase
  • [ ] Some customizations were done to the configuration (provide details below is so)

my problem:

Dear sebres,
I leand a lot the last 3 days about shell scripting :)
But regex syntax is really strange stuff; I don't understand how it works.

There are view limitations now with this WAF product and I need to activate my good old guacamole containers.
This is how the log looks like:

{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}
{"log":"12:59:15.477 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"}

Step1;Starting simple - Helpful: https://github.com/fail2ban/fail2ban/issues/2645#issuecomment-592032811

Works!

fail2ban-regex -v \
'19:48:16.995 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed.' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$'

Step2; Add datepattern; Helpful https://github.com/fail2ban/fail2ban/issues/2592#issuecomment-573119939

Failed :(

fail2ban-regex -v \
--datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' \
'"log":"19:48:16.995 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed."' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$'

And using the full log string incl. „n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"“ Step1 also return NULL matches.
Could you please help me here a second time?

how-to
Source
picture 4Syno

All 6 comments

You have to escape % as %% in config files only (e. g. in filter or jail), in command line it must be still single character, so 

-fail2ban-regex -v --datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' ...
+fail2ban-regex -v --datepattern='^\{"log":"%H:%M:%S\.%f+\s+' ...

as for RE, your (second) variant would not work (also with correct datepattern), because your message does not end with failed. (due to end-anchor $ in failed\.\s*$), so the regex can be applied to the content of value in "log":"value" but not to whole message, which looks json similar and contains more data, enclosed in some structure and escaped differently (e. g. note backslash in for user \"...).

I would do something like this:

$ msg='{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}'
$ dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
$ re='^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.'

$ fail2ban-regex -v --datepattern="$dp" "$msg" "$re"
...
Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.
|      192.168.8.5  Sun Nov 22 12:59:14 2020
`-
...
Date template hits:
|- [# of hits] date format
|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

# newer version can output found failure data (rows):
$ fail2ban-regex -o row --datepattern="$dp" "$msg" "$re"
['192.168.8.5', 1606046354,   {'ip6': None, 'user': 'admin', 'ip4': '192.168.8.5'}],

This is more distinctive, anchored from start, and using datepattern for more precise timestamp with date (in UTC, at end of log).
Also note that fail2ban cuts a part of message matching datepattern out before the search for failregex starting.

sebres picture sebres on 24 Nov 2020
👍1

A slight error has crept in above (I updated the message) - to recognize Z (sign for GMT), one should use zone offset token (%z) instead of zone name token %Z):

-dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%Z"\}$'
+dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
...
-|      192.168.8.5  Sun Nov 22 11:59:14 2020
+|      192.168.8.5  Sun Nov 22 12:59:14 2020
...
-|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone name"\}$
+|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
sebres picture sebres on 24 Nov 2020
👍1

Thank you!
Got it up and running with your help, really awesome!

Add your advice:
fail2ban.datedetector [20911]: INFO date pattern ',"time"\\s*:\\s*"%Y-%m-%dT%H:%M:%S\\.%f\\d*%z"\\}$': ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$

One last question; I want to reduce coming workload for fail2ban.filter :)
I thought its a good idea to define the logpath best I can. ( Container Update ( id changes etc. Is not the case here)

Fromlogpath = /media/data/docker/containers/*/*-json.log to
logpath = /media/data/docker/containers/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4-json.log \

This runs in an error;
Something I can do ?

4Syno picture 4Syno on 24 Nov 2020

I want to reduce coming workload for fail2ban.filter
I thought its a good idea to define the logpath best I can.

Not really. Because currently fail2ban doing the glob interpolation and search only once by start-up (there is an issue #1379 and a lot of some experimental branches which are not yet merged in core).
So your attempt changing nothing.

Something I can do ?

yes, remove trailing backslash \ after .log :)
(optional) second parameter on every logpath can be either head or tail.

sebres picture sebres on 24 Nov 2020

Once again: Thank you!
Das Bier geht auf mich!

4Syno picture 4Syno on 24 Nov 2020

Thank you!!! Appreciated!
(wenn es das Bier sein sollte, lass ich es mir schmecken... aber ich befürchte, situationsbedingt, es wird eher irgendein Buch, oder eben zwei;)
Nochmals danke!

sebres picture sebres on 24 Nov 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

TommyFrass picture TommyFrass  Â·  5Comments
gaia picture gaia  Â·  3Comments
jakoch picture jakoch  Â·  3Comments
xtrmbuster picture xtrmbuster  Â·  3Comments
Skyridr picture Skyridr  Â·  3Comments