Open ArthurMitchell42 opened 1 year ago
Hi, monitoring the Traefik log I have an example of a successful ban and a missed ban. I suspect the regex in the filter.d traefik-auth file is not catching the lines. The example log file lines are:
188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms
In the above example the IP address 188.95.55.5 is caught and banned but 185.212.111.150 is not caught.
Running in docker under Ubuntu 22.04
jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

destemail = a@m.com
sendername = Fail2ban
sender = a@m.com
mta = sendmail

bantime.increment = true
bantime.maxtime = 4w
bantime.factor = 24
bantime = 1h
findtime = 24h
maxretry = 3

action = %(action_mw)s

[traefik-auth]
enabled = true
chain = INPUT
Log file output
2022-11-05 22:36:54,404 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:54
2022-11-05 22:36:59,622 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:59
2022-11-05 22:37:04,235 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:37:04
2022-11-05 22:37:04,263 FFFF8130BB20 NOTIC [traefik-auth] Ban 188.95.55.5
N/A
Would it be possible to maybe update the regex to catch this test intrusion please?
Thanks, team linuxserver.io
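One way to test candidate patterns against the lines in this report, as an added example that is not part of the original post and not fail2ban's own code. In the posted lines the banned address logged a user name in the third field while the missed address logged `-`; `USER_REQUIRED` and `USER_OPTIONAL` are hypothetical patterns written for this example (not copied from the traefik-auth filter file), and `findtime` is not modelled.

```python
import re
from collections import Counter

# Access-log lines taken from the report above.
LOG = '''\
188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms
'''.splitlines()

MAXRETRY = 3  # maxretry from the jail.local in the report

# Hypothetical patterns for this example (assumption, not the filter's own regex).
# Fields matched: client IP, "-", auth user, [timestamp], "request", status 401.
PREFIX = r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - '
SUFFIX = r' \[[^\]]+\] "(?:GET|POST|HEAD) [^"]+" 401\b'
USER_REQUIRED = re.compile(PREFIX + r'(?!- )\S+' + SUFFIX)  # a user name must be logged
USER_OPTIONAL = re.compile(PREFIX + r'\S+' + SUFFIX)        # "-" (no user) also counts

def failures(pattern, lines=LOG):
    """Count matching lines per client IP, as a jail would count failures."""
    hits = Counter()
    for line in lines:
        m = pattern.match(line)
        if m:
            hits[m.group('host')] += 1
    return hits

def would_ban(pattern, lines=LOG, maxretry=MAXRETRY):
    """IPs whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(ip for ip, n in failures(pattern, lines).items() if n >= maxretry)

if __name__ == '__main__':
    for name, pat in (('user required', USER_REQUIRED), ('user optional', USER_OPTIONAL)):
        print(name, dict(failures(pat)), 'ban:', would_ban(pat))
```

A pattern that counts 401 responses with no user name also counts the first, credential-less request a client sends before it answers an authentication challenge, so weigh `maxretry` against that before relaxing a filter.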