Fail2ban, failregex request for Matrix(synapse) [Solved]

[b0n3v]

I try to run fail2ban to protect my Matrix from bruteforce login. I already found some "failregex" but don't work...

What i found:

1. This broke fail2ban - ERROR NOK: ("Unable to compile regular expression....

failregex = ^.+ - INFO - POST-.- - 8008 - Received request: POST /_matrix/client/r0/login?+.+ - INFO - POST-.- Got login request with identifier: {u'type': u'm.id.user', u'user': u'(.+?)'}, medium: None, address: None, user: u'.'+.+WARNING - - (Attempted to login as @. but they do not exist|Failed password login for user @.*)$`

2. don't work...

failregex = .*synapse.*8008.*\n.*synapse.*8008.*None - <HOST> - 8008.*403.*

3. don't work...

failregex = .*::ffff:<HOST> - 8448 - Received request: POST.*\n.*Got login request.*\n.*Attempted to login as.*
            .*::ffff:<HOST> - 8448 - Received request: POST.*\n.*Got login request.*\n.*Failed password login.*

What Matrix send to logs myUseR = user who try to log in, my.ip.add.res = IP:

2021-10-03 01:12:02,895 - synapse.rest.client.login - 264 - INFO - POST-192 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:12:03,084 - synapse.handlers.auth - 1314 - WARNING - POST-192 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:12:03,085 - synapse.http.server - 88 - INFO - POST-192 - <XForwardedForRequest at 0x14a1602767f0 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:12:03,085 - synapse.access.http.8008 - 410 - INFO - POST-192 - my.ip.add.res - 8008 - {None} Processed request: 0.191sec/-0.000sec (0.188sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:12:03,199 - synapse.rest.client.login - 264 - INFO - POST-193 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:12:03,390 - synapse.handlers.auth - 1314 - WARNING - POST-193 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:12:03,391 - synapse.http.server - 88 - INFO - POST-193 - <XForwardedForRequest at 0x14a160970710 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:12:03,391 - synapse.access.http.8008 - 410 - INFO - POST-193 - my.ip.add.res - 8008 - {None} Processed request: 0.192sec/-0.000sec (0.190sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:12:03,521 - synapse.rest.client.login - 264 - INFO - POST-194 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:12:03,551 - synapse.metrics - 598 - INFO - sentinel - Collecting gc 1
2021-10-03 01:12:03,714 - synapse.handlers.auth - 1314 - WARNING - POST-194 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:12:03,715 - synapse.http.server - 88 - INFO - POST-194 - <XForwardedForRequest at 0x14a160a1c390 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:12:03,715 - synapse.access.http.8008 - 410 - INFO - POST-194 - my.ip.add.res - 8008 - {None} Processed request: 0.195sec/-0.000sec (0.191sec, 0.001sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:12:03,832 - synapse.rest.client.login - 264 - INFO - POST-195 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:12:04,024 - synapse.handlers.auth - 1314 - WARNING - POST-195 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:12:04,025 - synapse.http.server - 88 - INFO - POST-195 - <XForwardedForRequest at 0x14a160aef358 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:12:04,025 - synapse.access.http.8008 - 410 - INFO - POST-195 - my.ip.add.res - 8008 - {None} Processed request: 0.193sec/-0.000sec (0.190sec, 0.001sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:12:04,184 - synapse.rest.client.login - 264 - INFO - POST-196 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:12:04,374 - synapse.handlers.auth - 1314 - WARNING - POST-196 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:12:04,375 - synapse.http.server - 88 - INFO - POST-196 - <XForwardedForRequest at 0x14a160279550 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:12:04,375 - synapse.access.http.8008 - 410 - INFO - POST-196 - my.ip.add.res - 8008 - {None} Processed request: 0.192sec/-0.000sec (0.189sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:13:01,940 - synapse.rest.client.login - 264 - INFO - POST-198 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:13:02,142 - synapse.handlers.auth - 1314 - WARNING - POST-198 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:13:02,143 - synapse.http.server - 88 - INFO - POST-198 - <XForwardedForRequest at 0x14a160a3c748 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:13:02,143 - synapse.access.http.8008 - 410 - INFO - POST-198 - my.ip.add.res - 8008 - {None} Processed request: 0.203sec/-0.000sec (0.200sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]
2021-10-03 01:13:02,832 - synapse.rest.client.login - 264 - INFO - POST-199 - Got login request with identifier: {'type': 'm.id.user', 'user': 'myUseR'}, medium: None, address: None, user: None
2021-10-03 01:13:03,028 - synapse.handlers.auth - 1314 - WARNING - POST-199 - Failed password login for user @myUseR:matrix.mydomain.com
2021-10-03 01:13:03,029 - synapse.http.server - 88 - INFO - POST-199 - <XForwardedForRequest at 0x14a16027d780 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.1' site='8008'> SynapseError: 403 - Invalid password
2021-10-03 01:13:03,029 - synapse.access.http.8008 - 410 - INFO - POST-199 - my.ip.add.res - 8008 - {None} Processed request: 0.197sec/-0.000sec (0.194sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" [0 dbevts]

TIA!

[sebres]

The log-excerpt seems not to have the IP address or host name of evildoer, have it? What do you want to capture with the <HOST> tag?
If I'm wrong, please show me the line and the address in your log-excerpt.

[sebres]

Also since I see XForwardedForRequest in log, it looks like some proxying stuff to me, so you have probably to force the service to log X-Real-IP or X-Forwarded-For instead of IP of proxy server.
Also note #2258 (comment) for possible alternative options.

I don't know whether Matrix/Synapse allowing to do something it this direction.

[b0n3v]

The IP 192.168.1.1 in the log is the public IP of client 87.123.45.21 I just replace this in the log.

[sebres]

Well, then why you did call it my.ip.add.res?

I assume it can be processed in single line mode, because following line containing all info (codes 403 and probably 421 indicating that):

2021-10-20 09:41:48,730 - synapse.access.http.8008 - 421 - INFO - POST-1809 - 192.0.2.1 - 8008 - {None} Processed request: 0.002sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/1) 52B 403 ...

In this case this config would match:

failregex = ^\s*- synapse.access.http.\d+ - 421 - INFO - \S+ - <ADDR> - \d+ - \S+ Processed request:(\s+(?:\S+sec[/,\s]+\S+sec|\([^\)]*\)?)){1,3} \S+ 403\b

I have no idea whether it would not mistakenly match some legitimate request by some constellation, therefore here is more complex config for this in multiline mode, assuming part of message like POST-1809 is a common identifier of request (same for any messages from the same request/session):

failregex = ^\s*- synapse.handlers.auth - (?:1001|1317) - WARNING - <F-MLFID>\S+</F-MLFID> - (?:Attempted to login as|Failed password login for user) <F-USER>(?:\S+|.*?)</F-USER>(?: but they do not exist)?$
             ^<F-MLFFORGET><F-NOFAIL>\s*- synapse.access.http.\d+ - \S+ - INFO - <F-MLFID>\S+</F-MLFID> - <ADDR>\s+</F-NOFAIL></F-MLFFORGET>
#            ^<F-MLFFORGET><F-NOFAIL>\s*- synapse.access.http.\d+ - 421 - INFO - <F-MLFID>\S+</F-MLFID> - <ADDR> - \d+ - \S+ Processed request:(\s+(?:\S+sec[/,\s]+\S+sec|\([^\)]*\)?)){1,3} \S+ 403\b</F-NOFAIL></F-MLFFORGET>

PoC (test with fail2ban-regex) ...

# test config again log excerpt:
$ fail2ban-regex -v /tmp/log /tmp/log.conf
...
Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [5] ^\s*- synapse.handlers.auth - (?:1001|1317) - WARNING - <F-MLFID>\S+</F-MLFID> - (?:Attempted to login as|Failed password login for user) <F-USER>(?:\S+|.*?)</F-USER>(?: but they do not exist)?$
|      None  Wed Oct 20 09:41:48 2021
|      None  Wed Oct 20 09:41:50 2021
|      None  Wed Oct 20 09:41:54 2021
|      None  Wed Oct 20 09:41:56 2021
|      None  Wed Oct 20 09:41:57 2021
|   2) [5] ^<F-NOFAIL>\s*- synapse.access.http.\d+ - \S+ - INFO - <F-MLFID>\S+</F-MLFID> - <ADDR>\s+</F-NOFAIL>
|      192.168.1.1  Wed Oct 20 09:41:48 2021
|      192.168.1.1  Wed Oct 20 09:41:50 2021
|      192.168.1.1  Wed Oct 20 09:41:54 2021
|      192.168.1.1  Wed Oct 20 09:41:56 2021
|      192.168.1.1  Wed Oct 20 09:41:57 2021
`-
...
Lines: 20 lines, 0 ignored, 10 matched, 10 missed

# show found failures:
$ fail2ban-regex -o row /tmp/log /tmp/log.conf
['192.168.1.1', 1634715708.0,   {'user': u'@testusertest:matrix.domain.com', 'users': set([u'@testusertest:matrix.domain.com']), 'ip4': u'192.168.1.1', 'mlfid': u'POST-1809'}],
['192.168.1.1', 1634715710.0,   {'user': u'@testusertest:matrix.domain.com', 'users': set([u'@testusertest:matrix.domain.com']), 'ip4': u'192.168.1.1', 'mlfid': u'POST-1810'}],
['192.168.1.1', 1634715714.0,   {'user': u'@testusertest2:matrix.domain.com', 'users': set([u'@testusertest2:matrix.domain.com']), 'ip4': u'192.168.1.1', 'mlfid': u'POST-1812'}],
['192.168.1.1', 1634715716.0,   {'user': u'@testusertest2:matrix.domain.com', 'users': set([u'@testusertest2:matrix.domain.com']), 'ip4': u'192.168.1.1', 'mlfid': u'POST-1813'}],
['192.168.1.1', 1634715717.0,   {'user': u'@testusertest2:matrix.domain.com', 'users': set([u'@testusertest2:matrix.domain.com']), 'ip4': u'192.168.1.1', 'mlfid': u'POST-1814'}],

This would work with fail2ban v.0.10 and higher (v.0.9 expecting different handling with multi-line window, maxlines and <SKIPLINES>).
Please provide your fail2ban version next time.
For the first (single-line) variant of regex it is enough to change <ADDR> with <HOST> to be v.0.9 compatible.

[b0n3v]

@sebres , Thank you! I use SWAG up-to-date container with fail2ban integrated, and i tried this:

failregex = ^\s*- synapse.handlers.auth - (?:1001|1317) - WARNING - <F-MLFID>\S+</F-MLFID> - (?:Attempted to login as|Failed password login for user) <F-USER>(?:\S+|.*?)</F-USER>(?: but they do not exist)?$
             ^<F-MLFFORGET><F-NOFAIL>\s*- synapse.access.http.\d+ - \S+ - INFO - <F-MLFID>\S+</F-MLFID> - <ADDR>\s+</F-NOFAIL></F-MLFFORGET>
#            ^<F-MLFFORGET><F-NOFAIL>\s*- synapse.access.http.\d+ - 421 - INFO - <F-MLFID>\S+</F-MLFID> - <ADDR> - \d+ - \S+ Processed request:(\s+(?:\S+sec[/,\s]+\S+sec|\([^\)]*\)?)){1,3} \S+ 403\b</F-NOFAIL></F-MLFFORGET>

And work very well with existing account + wrong password and non existing account, fail2ban ban the ip and work as expected!!! Did need to uncomment last line of the regex?
At this point my question is solved.

[sebres]

Did need to uncomment last line of the regex?

No. Both lines with <F-NOFAIL> are helpers to get IP address for the session with failure (without IP) matching by the first RE, just commented line follows more precise rules (so probably can miss some IP address if something like http-code or error code would deviate), and since we need the IP only, it is not necessary to be as exact as possible.
Commented RE is just for reference to compare with first (single-line) variant of filter.

Also note #3131 (comment) (it is journal, and log-format is a bit different, but it is the same constellation), especially the last sentence of it.