Fail2ban and OC 10

ruuskil · 2017-05-20 15:42:15 UTC

Hi.

I've been using fail2ban since version 8x to harden my server. Now after upgrading to version 10 my f2b has stopped working. My understanding is there has been some change in owncloud logging syntax in OC 10. Can someone tell me how to change my f2b configuration so it understands OC10?

My current .conf for fail2ban is like this

failregex={"reqId":".","remoteAddr":"","app":"core","message":"Login failed: .","level":2,"time":".*"}

How should I change it?

anon81984126 · 2017-05-20 16:08:59 UTC

Your failregex is not quite correct from what i can see and doesn't match the ones for 8.x and 9.x provided at [1]. In oC 10.0 only the order of the entries changed [2], [3] so it should be easy to apply those changes to the failregex listed at [1] and just re-order the failregex to match the new syntax / order.

[1]

[2]

github.com/owncloud/core

Issue: Reorder the elements of the log entries to make the logs easier to read

opened by jvillafanez on 2017-03-16

closed by PVince81 on 2017-04-04

This is a current log entry:
{"reqId":"Q71WK4Sp6B03QqpOoxit","remoteAddr":"173.18.243.1","app":"core","message":"Generating preview for \"\/xxxx\/yyyy\/zzzz\/0000.txt\" with \"OC\\Preview\\TXT\"","level":0,"time":"2017-03-13T09:15:10-07:00","method":"GET","url":"\/index.php\/core\/preview.png?file=%2Fxxxx%2Fyyyyy%2Fzzzzz%2F0000.txt&c=589c9d17172bc&x=32&y=32&forceIcon=0","user":"mbs"}
The new log entry should look like the following:
{"reqId":"Q71WK4Sp6B03QqpOoxit","level":0,"time":"2017-03-13T09:15:10-07:00","remoteAddr":"173.18.243.1","user":"mbs","app":"core","method":"GET","url":"\/index.php\/core\/preview.png?file=%2Fxxxxx%2Fyyyyy%2Fzzzz%2F0000.txt&c=589c9d17172bc&x=32&y=32&forceIcon=0","message":"Generating preview for...

enhancement junior job

[3]

ruuskil · 2017-05-21 05:25:25 UTC

Thanks, got it working! My syntax is now like this:

[Definition]
failregex={"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"core","method":"POST","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}

anon81984126 · 2017-05-21 14:59:40 UTC

Nice. Some one seems to also have already picked this up for the documentation: