fail2ban use for gogs! #3197

YeFei572 · 2022-01-06T03:51:55Z

YeFei572
Jan 6, 2022

Hello!
As the Gogs doesn't have a log for ssh login, so I run the Gogs in docker, and the fail2ban config the logpath to the docker log, But it doesn't work, pls help me.

Here is the docker log:

{"log":"Jan  6 03:46:29 sshd[3259]: Invalid user WuZhihao from 179.43.188.158 port 33150\n","stream":"stdout","time":"2022-01-06T03:46:29.713720607Z"}
{"log":"Jan  6 03:46:31 sshd[3259]: Received disconnect from 179.43.188.158 port 33150:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:31.472751885Z"}
{"log":"Jan  6 03:46:31 sshd[3259]: Disconnected from invalid user WuZhihao 179.43.188.158 port 33150 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:31.47279208Z"}
{"log":"Jan  6 03:46:35 sshd[3261]: Invalid user ChenJiaxin from 179.43.188.158 port 58750\n","stream":"stdout","time":"2022-01-06T03:46:35.789877832Z"}
{"log":"Jan  6 03:46:36 sshd[3261]: Received disconnect from 179.43.188.158 port 58750:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:36.927051802Z"}
{"log":"Jan  6 03:46:36 sshd[3261]: Disconnected from invalid user ChenJiaxin 179.43.188.158 port 58750 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:36.92709338Z"}
{"log":"Jan  6 03:46:40 sshd[3263]: Invalid user WangWeikun from 179.43.188.158 port 56124\n","stream":"stdout","time":"2022-01-06T03:46:40.319239499Z"}
{"log":"Jan  6 03:46:40 sshd[3263]: Received disconnect from 179.43.188.158 port 56124:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:40.596560004Z"}
{"log":"Jan  6 03:46:40 sshd[3263]: Disconnected from invalid user WangWeikun 179.43.188.158 port 56124 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:40.596581765Z"}
{"log":"Jan  6 03:46:44 sshd[3265]: Invalid user Changsong from 179.43.188.158 port 53494\n","stream":"stdout","time":"2022-01-06T03:46:44.724240278Z"}
{"log":"Jan  6 03:46:44 sshd[3265]: Received disconnect from 179.43.188.158 port 53494:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:44.994865471Z"}
{"log":"Jan  6 03:46:44 sshd[3265]: Disconnected from invalid user Changsong 179.43.188.158 port 53494 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:44.994904984Z"}
{"log":"Jan  6 03:46:49 sshd[3267]: Invalid user SunQingyan from 179.43.188.158 port 50862\n","stream":"stdout","time":"2022-01-06T03:46:49.751696213Z"}
{"log":"Jan  6 03:46:50 sshd[3267]: Received disconnect from 179.43.188.158 port 50862:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:50.023994999Z"}
{"log":"Jan  6 03:46:50 sshd[3267]: Disconnected from invalid user SunQingyan 179.43.188.158 port 50862 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:50.024017481Z"}
{"log":"Jan  6 03:46:54 sshd[3269]: Invalid user WangBeibei from 179.43.188.158 port 48234\n","stream":"stdout","time":"2022-01-06T03:46:54.790339302Z"}
{"log":"Jan  6 03:46:55 sshd[3269]: Received disconnect from 179.43.188.158 port 48234:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:55.065159294Z"}
{"log":"Jan  6 03:46:55 sshd[3269]: Disconnected from invalid user WangBeibei 179.43.188.158 port 48234 [preauth]\n","stream":"stdout","time":"2022-01-06T03:46:55.065193668Z"}
{"log":"Jan  6 03:47:01 sshd[3271]: Invalid user HaoXiuzhao from 179.43.188.158 port 45602\n","stream":"stdout","time":"2022-01-06T03:47:01.438378117Z"}
{"log":"Jan  6 03:47:01 sshd[3271]: Received disconnect from 179.43.188.158 port 45602:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:47:01.71681027Z"}
{"log":"Jan  6 03:47:01 sshd[3271]: Disconnected from invalid user HaoXiuzhao 179.43.188.158 port 45602 [preauth]\n","stream":"stdout","time":"2022-01-06T03:47:01.716852129Z"}
{"log":"Jan  6 03:47:03 sshd[3273]: Invalid user GaoJianwei from 179.43.188.158 port 42974\n","stream":"stdout","time":"2022-01-06T03:47:03.237550471Z"}
{"log":"Jan  6 03:47:03 sshd[3273]: Received disconnect from 179.43.188.158 port 42974:11: Normal Shutdown, Thank you for playing [preauth]\n","stream":"stdout","time":"2022-01-06T03:47:03.86410879Z"}
{"log":"Jan  6 03:47:03 sshd[3273]: Disconnected from invalid user GaoJianwei 179.43.188.158 port 42974 [preauth]\n","stream":"stdout","time":"2022-01-06T03:47:03.864145658Z"}

Here is the filter:

[root@VM-20-17-centos log]# cat /etc/fail2ban/filter.d/gogs.conf
[Definition]

failregex = Invalid user <F-USER>\S*</F-USER> from <HOST>$
ignoreregex =

Here is the jail.local:

[gogs]
enabled = true
filter = gogs
action = iptables[name=GOGS, port=10022, protocol=tcp]
logpath = /var/lib/docker/containers/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8-json.log
maxretry = 3
findtime = 45
bantime = 600000

I use fail2regex bash to test:

[root@VM-20-17-centos log]# fail2ban-regex /var/lib/docker/containers/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8-json.log /etc/fail2ban/filter.d/gogs.conf

Running tests
=============

Use   failregex filter file : gogs, basedir: /etc/fail2ban
Use         log file : /var/lib/docker/containers/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8/5a4b7a8c7b18d3e97161e668cbb3c2d89cf06fc8dec9ca39074ddf3bc3b9f8b8-json.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [289682] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [67] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 289749 lines, 0 ignored, 0 matched, 289749 missed
[processed in 18.73 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 289749 lines
[root@VM-20-17-centos log]#

Answered by sebres

Jan 6, 2022

But it doesn't work
failregex = Invalid user <F-USER>\S*</F-USER> from <HOST>$

Your RE is anchored at end (due to $ token), so the address is being searched at end of the line, whereas in this message format (looks like a JSON) it is in the middle of string. You can remove the anchor and it will start to work, but better use something like this (that is anchored at start):

failregex = ^(?:\{"log":")?\s*sshd\[\d+\]: Invalid user <F-USER>\S*</F-USER> from <ADDR>

Another variant would be to reconfigure the container:

either to write sshd-logs to the file (which can be bound to host)
or to write them to hosts systemd journal (so you'd be able to monitor it with backend = systemd[journalfil…

View full answer

sebres · 2022-01-06T13:49:40Z

sebres
Jan 6, 2022
Maintainer

But it doesn't work
failregex = Invalid user <F-USER>\S*</F-USER> from <HOST>$

Your RE is anchored at end (due to $ token), so the address is being searched at end of the line, whereas in this message format (looks like a JSON) it is in the middle of string. You can remove the anchor and it will start to work, but better use something like this (that is anchored at start):

failregex = ^(?:\{"log":")?\s*sshd\[\d+\]: Invalid user <F-USER>\S*</F-USER> from <ADDR>

Another variant would be to reconfigure the container:

either to write sshd-logs to the file (which can be bound to host)
or to write them to hosts systemd journal (so you'd be able to monitor it with backend = systemd[journalfiles="..."], or using fail2ban-regex 'systemd-journal[journalfiles="..."]' ..., see 0.10/systemd journal path option (see gh-1408) #1523).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fail2ban use for gogs! #3197

{{title}}

Replies: 1 comment

{{title}}

Select a reply

fail2ban use for gogs! #3197

YeFei572 Jan 6, 2022

Replies: 1 comment

sebres Jan 6, 2022 Maintainer

YeFei572
Jan 6, 2022

sebres
Jan 6, 2022
Maintainer