matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

fail2ban regexps for synapse #1154

Open mehturt opened 8 years ago

mehturt commented 8 years ago

Is it possible to define some fail2ban regexps that one could use to protect his synapse instance? www.fail2ban.org

mehturt commented 7 years ago

I've investigated this myself, but it seems my (Debian jessie) fail2ban version 0.8.13 does not support multiline regexps, which would most likely be needed here, e.g.:

2016-10-06 11:33:28,486 - synapse.access.https.8448 - 59 - INFO - POST-1- 11.22.33.44 - 8448 - Received request: POST /_matrix/client/api/v1/login
2016-10-06 11:33:29,009 - synapse.handlers.auth - 504 - WARNING - POST-1- Failed password login for user @user:host

anmol26s commented 5 years ago

I don't see this line on failed attempts:

2016-10-06 11:33:29,009 - synapse.handlers.auth - 504 - WARNING - POST-1- Failed password login for user @user:host

It would be great if fail2ban can be implemented for security reasons.

immanuelfodor commented 3 years ago

Is fail2ban really needed when there are options for rate limiting in the config file?

I'm looking for the same answer, this is how I found the issue.

immanuelfodor commented 3 years ago

There is a multi-line regexp implemented here: https://www.ard-site.net/tutorials/linux/matrix-synapse-fail2ban-filter

deepakvamsi commented 2 years ago

Updated regex for fail2ban filter:

[Definition]

failregex = ^.*INFO - POST(.*?) - <HOST> -.* (403|404) "POST \/_matrix\/client\/r0\/login.*

The above regex will work when status 403 and 404 are triggered.

Check your regex with the command below:

fail2ban-regex "logline" "your_regex"

Example: fail2ban-regex '2022-08-10 09:33:23,598 - synapse.access.https.8108 - 450 - INFO - POST-1836 - 192.168.1.11 - 8448 - {None} Processed request: 0.336sec/0.001sec (0.332sec, 0.000sec) (0.001sec/0.003sec/1) 64B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36" [0 dbevts]' '^.*INFO - POST(.*?) - <HOST> -.* (403|404) "POST \/_matrix\/client\/r0\/login.*'
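The filter from the comment above, replayed offline over sample log lines to show which lines count as failures and which hosts would reach a ban threshold. This is an added example, not code from the thread or from Synapse or fail2ban; the `<HOST>` substitute, the `maxretry`/`findtime` values and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex as posted in the comment above.
FAILREGEX = r'^.*INFO - POST(.*?) - <HOST> -.* (403|404) "POST \/_matrix\/client\/r0\/login.*'
# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only).
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>[0-9a-fA-F:.]+)'))
LOGIN = '/_matrix/client/r0/login'

def failures(lines):
    """Return (timestamp, host) for every log line the filter matches."""
    hits = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            ts = datetime.strptime(line[:23], '%Y-%m-%d %H:%M:%S,%f')
            hits.append((ts, m.group('host')))
    return hits

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside findtime seconds (assumed values)."""
    window, seen, banned = timedelta(seconds=findtime), defaultdict(list), set()
    for ts, host in failures(lines):
        seen[host] = [t for t in seen[host] if ts - t <= window] + [ts]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned

def access(clock, ip, status, path):
    """Build a constructed access-log line in the format quoted in the thread."""
    return (f'2022-08-10 {clock} - synapse.access.https.8108 - 450 - INFO - POST-1 - {ip}'
            f' - 8448 - {{None}} Processed request: 0.336sec/0.001sec (0.332sec, 0.000sec)'
            f' (0.001sec/0.003sec/1) 64B {status} "POST {path} HTTP/1.1" "test-agent" [0 dbevts]')

# Constructed sample log (documentation-range IPs), plus one line quoted in the thread.
SAMPLE_LOG = [
    access('09:33:23,598', '203.0.113.7', 403, LOGIN),
    access('09:33:25,100', '203.0.113.7', 403, LOGIN),
    access('09:33:27,900', '203.0.113.7', 403, LOGIN),
    access('09:34:00,000', '198.51.100.9', 403, LOGIN),   # single failure
    access('09:34:05,000', '198.51.100.9', 200, LOGIN),   # successful login: no match
    access('09:34:09,000', '198.51.100.9', 403, '/_matrix/client/r0/register'),  # other path
    # 2016-format "Received request" line: no status code, so the filter ignores it.
    '2016-10-06 11:33:28,486 - synapse.access.https.8448 - 59 - INFO - POST-1- 11.22.33.44'
    ' - 8448 - Received request: POST /_matrix/client/api/v1/login',
]

if __name__ == '__main__':
    print(sorted(hosts_to_ban(SAMPLE_LOG)))
```

The filter keys on the status code in the "Processed request" access line, so it works single-line and does not depend on the "Failed password login" warning discussed earlier in the thread.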