
How can i modify failregex to log failed authentication attempts for mongodb-auth.conf mongodb 4.4, fail2ban and ufw #3046

Closed
armandfishti opened this issue Jun 22, 2021 · 2 comments

Comments


armandfishti commented Jun 22, 2021

Hi,

I have set up MongoDB v4.4 on Debian 10 and installed fail2ban to block failed attempts to MongoDB using ufw.

I have a working rule that blocks failed attempts to port 10000 of Virtualmin.

My question is: how can I modify the failregex block of /etc/fail2ban/filter.d/mongodb-auth.conf so the IPs are blocked where they make failed attempts? The current regex isn't blocking IPs, I think because of the different logging format of Mongo 4.4.

[Definition]
#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>

Any suggestion would be appreciated.

Log format:

{"t":{"$date":"2021-06-22T15:21:57.041+02:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"x.x.x.x:60897","connectionId":255,"connectionCount":13}}
{"t":{"$date":"2021-06-22T15:21:57.043+02:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn255","msg":"client metadata","attr":{"remote":"x.x.x.x:60897","client":"conn255","doc":{"driver":{"name":"nodejs","version":"3.6.3"},"os":{"type":"Windows_NT","name":"win32","architecture":"x64","version":"10.0.14393"},"platform":"'Node.js v12.8.1, LE (legacy)","application":{"name":"NoSQLBoosterV6.2.15_141345.55"}}}}
{"t":{"$date":"2021-06-22T15:21:57.045+02:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn255","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"mongoadmin","authenticationDatabase":"admin","remote":"x.x.x.x:60897","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2021-06-22T15:21:57.048+02:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn255","msg":"Connection ended","attr":{"remote":"x.x.x.x:60897","connectionId":255,"connectionCount":12}}
armandfishti changed the title from "How can i modify failregex to log authentication attempts for mongodb-auth.conf mongodb 4.4, fail2ban and ufw" to "How can i modify failregex to log failed authentication attempts for mongodb-auth.conf mongodb 4.4, fail2ban and ufw" on Jun 22, 2021
sebres (Contributor) commented Jun 22, 2021

See #2932 (comment)

I just guess that in your case a change would still be necessary, e.g. either replace client with remote, or try this one:

[Definition]

datepattern = ^\{"t":\{"\$date":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"}\s*,\s*
_groupre = (?:"(?!(?:msg|attr|client)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
failregex = ^%(_groupre)s*"msg":"Authentication failed"\s*,\s*%(_groupre)s*"attr"\s*:\s*\{%(_groupre)s*"(?:client|remote)":"<ADDR>:\d+"
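To see what the filter above actually matches, here is its datepattern and failregex replayed in plain Python over the log lines from the issue. This is an added example, not fail2ban's code and not part of sebres' answer: the `<ADDR>` expansion and the `%z` handling are simplified stand-ins for what fail2ban generates, the `failed_auth_addr` and `offenders` helpers are my own, and the extra sample lines (an older-style line using the `client` key, a successful login) are constructed.

```python
"""Replay the mongodb-auth filter from the answer above in plain Python.

Added example (not fail2ban's own matching engine): fail2ban first matches
datepattern at the start of the line, strips it, and then tries failregex
against the remainder.  This mirrors that order so the regex can be checked
without a running fail2ban.
"""
import re

# fail2ban replaces <ADDR> with a group matching an IPv4 or IPv6 literal.
# Simplified stand-in (assumption): dotted-quad IPv4 or a bracketed IPv6.
ADDR = r'(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|\[[0-9A-Fa-f:.]+\])'

# The filter's datepattern with %Y/%m/%d/%H/%M/%S/%f/%z spelled out as regex
# (the doubled %% in the filter is only ini-file escaping).
DATE_RE = re.compile(
    r'^\{"t":\{"\$date":"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+'
    r'(?:Z|[+-]\d{2}:?\d{2})"\}\s*,\s*'
)

# _groupre: one "key":value pair with a *scalar* value, followed by , or },
# for any key other than msg / attr / client.  Repeated with * it skips the
# pairs that precede the fields the filter cares about.
GROUPRE = r'(?:"(?!(?:msg|attr|client)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)'

# failregex with %(_groupre)s and <ADDR> substituted.
FAIL_RE = re.compile(
    r'^' + GROUPRE + r'*"msg":"Authentication failed"\s*,\s*'
    + GROUPRE + r'*"attr"\s*:\s*\{'
    + GROUPRE + r'*"(?:client|remote)":"' + ADDR + r':\d+"'
)


def failed_auth_addr(line):
    """Return the peer address of a failed-authentication line, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None                      # no timestamp prefix: fail2ban skips it
    m = FAIL_RE.match(line[d.end():])    # failregex runs on the rest of the line
    return m.group('addr') if m else None


def offenders(lines, maxretry=3):
    """Addresses with at least maxretry failures in the batch (findtime ignored)."""
    counts = {}
    for line in lines:
        addr = failed_auth_addr(line)
        if addr:
            counts[addr] = counts.get(addr, 0) + 1
    return sorted(a for a, n in counts.items() if n >= maxretry)


# Constructed sample lines modelled on the ones in the issue; addresses are
# RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '{"t":{"$date":"2021-06-22T15:21:57.041+02:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:60897","connectionId":255,"connectionCount":13}}',
    '{"t":{"$date":"2021-06-22T15:21:57.045+02:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn255","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"mongoadmin","authenticationDatabase":"admin","remote":"203.0.113.7:60897","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
    # constructed: layout that names the peer "client" instead of "remote"
    '{"t":{"$date":"2021-06-22T15:22:01.100+02:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn256","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"mongoadmin","authenticationDatabase":"admin","client":"203.0.113.7:60901","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
    '{"t":{"$date":"2021-06-22T15:22:05.200+02:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn257","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"mongoadmin","authenticationDatabase":"admin","remote":"203.0.113.7:60910","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
    # constructed: a successful login from another client must not count
    '{"t":{"$date":"2021-06-22T15:22:09.300+02:00"},"s":"I",  "c":"ACCESS",   "id":20250,   "ctx":"conn258","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"mongoadmin","authenticationDatabase":"admin","remote":"198.51.100.9:40100","extraInfo":{}}}',
    '{"t":{"$date":"2021-06-22T15:21:57.048+02:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn255","msg":"Connection ended","attr":{"remote":"203.0.113.7:60897","connectionId":255,"connectionCount":12}}',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(failed_auth_addr(line), '<-', line[:80])
    print('would ban:', offenders(SAMPLE_LOG))
```

Two things worth noting from the replay. First, the filter accepts both `"client"` and `"remote"` as the address key, so one filter serves both log layouts. Second, `_groupre` only skips pairs whose value is a bare word or a quoted string; a nested object or array that appears before the address key inside `attr` (here `extraInfo":{}` only comes after it) would stop the skip and the line would not match, so re-check the filter on the real host with `fail2ban-regex /var/log/mongodb/mongod.log /etc/fail2ban/filter.d/mongodb-auth.conf` after any MongoDB upgrade.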

armandfishti (Author) commented Jun 23, 2021

Thank you @sebres for your quick, correct and fully working answer.

Much appreciated!
