Open mehturt opened 8 years ago
I've investigated this myself but it seems my (Debian jessie) fail2ban version 0.8.13 does not support multiline regexps, that would be most likely needed here, e.g.:
2016-10-06 11:33:28,486 - synapse.access.https.8448 - 59 - INFO - POST-1- 11.22.33.44 - 8448 - Received request: POST /_matrix/client/api/v1/login
2016-10-06 11:33:29,009 - synapse.handlers.auth - 504 - WARNING - POST-1- Failed password login for user @user:host
I don't see this line on failed attempts
2016-10-06 11:33:29,009 - synapse.handlers.auth - 504 - WARNING - POST-1- Failed password login for user @user:host
It would be great if fail2ban can be implemented for security reason.
Is fail2ban really needed when there are options for rate limiting in the config file?
I'm looking for the same answer, this is how I found the issue.
There is a multi-line regexp implemented here: https://www.ard-site.net/tutorials/linux/matrix-synapse-fail2ban-filter
updated regex for fail2ban filter
[Definition]
failregex = ^.INFO - POST(.?) -
The above regex will work when status 403 and 404 are triggered
check your regex with below command
fail2ban-regex "logline" "your_regex"
Example:
fail2ban-regex '2022-08-10 09:33:23,598 - synapse.access.https.8108 - 450 - INFO - POST-1836 - 192.168.1.11 - 8448 - {None} Processed request: 0.336sec/0.001sec (0.332sec, 0.000sec) (0.001sec/0.003sec/1) 64B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36" [0 dbevts]' '^.*INFO - POST(.*?) - <HOST> -.* (403|404) "POST \/_matrix\/client\/r0\/login.*'
Is it possible to define some fail2ban regexps that one could use to protect his synapse instance? www.fail2ban.org