fail2ban-regex with docker logs

[chenghui-lee]

Hello everyone,

I am running an application (Komga) inside a docker container and it's producing the logs below:

{"log":"2022-02-20 00:00:00.387  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.FileSystemScanner   : Scanning folder: /ebook\n","stream":"stdout","time":"2022-02-19T16:00:00.388110941Z"}
{"log":"2022-02-20 00:00:00.388  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.FileSystemScanner   : Supported extensions: [cbz, zip, cbr, rar, pdf, epub]\n","stream":"stdout","time":"2022-02-19T16:00:00.388800465Z"}
{"log":"2022-02-20 00:00:00.389  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.FileSystemScanner   : Excluded patterns: [#recycle, @eaDir]\n","stream":"stdout","time":"2022-02-19T16:00:00.389453509Z"}
{"log":"2022-02-20 00:00:00.389  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.FileSystemScanner   : Force directory modified time: false\n","stream":"stdout","time":"2022-02-19T16:00:00.389936871Z"}
{"log":"2022-02-20 00:00:00.436  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.FileSystemScanner   : Scanned 4 series, 167 books, and 0 sidecars in 41.652590ms\n","stream":"stdout","time":"2022-02-19T16:00:00.440874433Z"}
{"log":"2022-02-20 00:00:00.523  INFO 1 --- [ntContainer#1-1] o.g.k.d.s.SeriesCollectionLifecycle      : Deleting empty collections\n","stream":"stdout","time":"2022-02-19T16:00:00.526467866Z"}
{"log":"2022-02-20 00:00:00.531  INFO 1 --- [ntContainer#1-1] o.g.k.domain.service.ReadListLifecycle   : Deleting empty read lists\n","stream":"stdout","time":"2022-02-19T16:00:00.531429934Z"}
{"log":"2022-02-20 00:00:00.532  INFO 1 --- [ntContainer#1-1] o.g.k.d.service.LibraryContentLifecycle  : Library updated in 146.567971ms\n","stream":"stdout","time":"2022-02-19T16:00:00.532714461Z"}
{"log":"2022-02-20 00:00:00.554  INFO 1 --- [ntContainer#1-1] o.g.komga.application.tasks.TaskHandler  : Task ScanLibrary(libraryId='07K2YEWAQSZNT', priority='4') executed in 175.861893ms\n","stream":"stdout","time":"2022-02-19T16:00:00.554683582Z"}
{"log":"2022-02-20 00:18:39.527  INFO 1 --- [io-11245-exec-3] o.g.k.i.security.LoginListener           : AuthenticationActivity(userId=07K2T4WNYW85J, email=test@test.com, ip=123.12.29.153, userAgent=Mozilla/5.0 (Linux; Android 10; Samsung) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36, success=true, error=null, dateTime=2022-02-20T00:18:39.526346, source=Password)\n","stream":"stdout","time":"2022-02-19T16:18:39.529262209Z"}
{"log":"2022-02-20 00:18:41.496  INFO 1 --- [io-11245-exec-7] o.g.k.domain.service.SeriesLifecycle     : House keeping thumbnails for series: 07KECDF82QRAT\n","stream":"stdout","time":"2022-02-19T16:18:41.497055928Z"}
{"log":"2022-02-20 21:12:05.238  INFO 1 --- [io-11245-exec-7] o.g.k.i.security.LoginListener           : AuthenticationActivity(userId=null, email=ok@admin.cc, ip=123.12.29.153, userAgent=Mozilla/5.0 (Linux; Android 10; Samsung) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36, success=false, error=Bad credentials, dateTime=2022-02-20T21:12:05.238753, source=Password)\n","stream":"stdout","time":"2022-02-20T13:12:05.239056519Z"}
{"log":"2022-02-20 21:15:14.142  INFO 1 --- [io-11245-exec-2] o.g.k.i.security.LoginListener           : AuthenticationActivity(userId=null, email=ok@admin.cc, ip=123.12.29.153, userAgent=Mozilla/5.0 (Linux; Android 10; Samsung) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36, success=false, error=Bad credentials, dateTime=2022-02-20T21:15:14.142189, source=Password)\n","stream":"stdout","time":"2022-02-20T13:15:14.143021256Z"}

Within the log above, the failed authentication activities will contain the words "Bad Credentials":

{"log":"2022-02-20 21:12:05.238  INFO 1 --- [io-11245-exec-7] o.g.k.i.security.LoginListener           : AuthenticationActivity(userId=null, email=ok@admin.cc, ip=123.12.29.153, userAgent=Mozilla/5.0 (Linux; Android 10; Samsung) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36, success=false, error=Bad credentials, dateTime=2022-02-20T21:12:05.238753, source=Password)\n","stream":"stdout","time":"2022-02-20T13:12:05.239056519Z"}
{"log":"2022-02-20 21:15:14.142  INFO 1 --- [io-11245-exec-2] o.g.k.i.security.LoginListener           : AuthenticationActivity(userId=null, email=ok@admin.cc, ip=123.12.29.153, userAgent=Mozilla/5.0 (Linux; Android 10; Samsung) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36, success=false, error=Bad credentials, dateTime=2022-02-20T21:15:14.142189, source=Password)\n","stream":"stdout","time":"2022-02-20T13:15:14.143021256Z"}

I tried to use the following regex to match and ran it with fail2ban-regex

regex = ^.* ip=<HOST>,.*Bad credentials.*$

Running tests
=============

Use   failregex line : ^.* ip=<HOST>,.*Bad credentials.*$
Use      single line : {"log":"2022-02-19 21:52:58.090  INFO 1 --- [io-11...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.* ip=<HOST>,.*Bad credentials.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.02 sec]

But fail2ban wasn't able to block (or even detect) any ips after testing with a few failed login activities. I tried to test the entire log file using fail2ban-regex and it was able to match all of the failed login lines.

Am I missing out something in the regex?

Edit

Here are my configurations

filter file:

root@instance-20211110-1842:/etc/fail2ban/filter.d# cat komga-docker.conf
[Definition]

failreges = ^.* ip=<HOST>,.*Bad credentials.*$
ignoreregex =

jail.local file:

[komga-docker]

enabled = true
port = https
filter = komga-docker
backend = auto
logpath = /var/lib/docker/containers/5771f221d554c312f865680a8d9e47ad06a7f16809b6b43674e67c40fdf0c869/5771f221d554c312f865680a8d9e47ad06a7f16809b6b43674e67c40fdf0c869-json.log
bantime = 7d
maxretry = 2

[chenghui-lee]

Ok, I found the problem.

There was a typo in the filter file, failregex not failreges.