filter.d/softethervpn: enable multi line support #3669
Conversation
Thank you very much for creating this pull req. :-) Personally I was shocked when I realized that SoftEtherVPN has no counter to at least show how many failed attempts are happening in real time. (Not to mention to block those IPs.) fail2ban will be the perfect tool to do this instead.
[INCLUDES] | ||
before = common.conf | ||
[Definition] | ||
failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$ | ||
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S.%%f | ||
failregex = IP address: <HOST>.*\n.*User authentication failed.* |
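Review bot: the new `failregex = IP address: <HOST>.*\n.*User authentication failed.*` has no `^` anchor and relies on `.*` catch-alls on both lines, so fail2ban's search can match anywhere in the two-line window and pair a failure with the `IP address:` of an unrelated neighbouring line, banning the wrong client; it also drops the `<F-USER>` capture and the `%(__prefix_line)s` prefix that the previous line carried. Suggest anchoring each line (`^\s*` or `^%(__prefix_line)s`), matching the literal message text around the address instead of `.*`, and tying the two lines together through the `CID-…` connection id with `<F-MLFID>` (the `<F-NOFAIL>` / `<F-MLFID>` pair shown later in this thread does exactly that); the added `datepattern` should also be mentioned in the PR description.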
This RE is very weak (no anchors, catch-alls, etc), thus vulnerable.
Also note there is a tag <SKIPLINES>, used for skipping multiple lines (especially for maxlines > 2).
New multiline filter (without [Definition]
failregex = ^\s*The <F-NOFAIL>connection</F-NOFAIL> "<F-MLFID>CID-\d+</F-MLFID>" \(IP address: <ADDR>,
            ^\s*Connection "<F-MLFID>CID-\d+</F-MLFID>": User authentication failed\. The user name that has been provided was "<F-USER>[^"]+</F-USER>"
For the record: the pull request SoftEtherVPN#1122 provides the enhancement with
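As an added worked example (not code from this PR, nor from fail2ban or SoftEtherVPN): the two anchored regexes above translated into Python named groups, with the `CID-…` connection id doing the job of `<F-MLFID>`, run over a few constructed SoftEther-style log lines (the line shapes are assumed from the regexes, the timestamp shape from the `datepattern` in the diff). Next to it, the PR's unanchored two-line pattern is searched over a two-line window the way fail2ban would, to show why the "no anchors, catch-alls" objection matters for a ban list: it can attribute a failure to the address of an unrelated connection.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real SoftEther log: the line shapes are inferred from the
# regexes in the thread, the timestamp shape from the datepattern in the diff.
# CID-7 is the failing client, CID-8 an unrelated connection accepted just before
# the failure is logged, CID-99 a failure whose connect line was never seen.
SAMPLE_LOG = [
    '2021-05-01 10:00:00.000001 The connection "CID-7" (IP address: 198.51.100.9, '
    'Host name: client-a.example, Port number: 50000) has been accepted.',
    '2021-05-01 10:00:00.500000 The connection "CID-8" (IP address: 203.0.113.5, '
    'Host name: client-b.example, Port number: 50001) has been accepted.',
    '2021-05-01 10:00:01.000000 Connection "CID-7": User authentication failed. '
    'The user name that has been provided was "admin".',
    '2021-05-01 10:00:02.000000 Connection "CID-99": User authentication failed. '
    'The user name that has been provided was "guest".',
]

# datepattern ^%Y-%m-%d %H:%M:%S.%f as a Python regex: fail2ban strips the matched
# date before applying failregex, which is why the filter regexes start at the message.
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*")

# Line 1 of a failed attempt (fail2ban <F-NOFAIL>: informational, never a failure by
# itself). <F-MLFID> -> mlfid, <ADDR> -> addr (simplified to IPv4/IPv6 characters here).
CONNECT_RE = re.compile(
    r'^\s*The connection "(?P<mlfid>CID-\d+)" \(IP address: (?P<addr>[0-9A-Fa-f.:]+),'
)
# Line 2: the failure itself; it names the user but not the address.
FAIL_RE = re.compile(
    r'^\s*Connection "(?P<mlfid>CID-\d+)": User authentication failed\. '
    r'The user name that has been provided was "(?P<user>[^"]+)"'
)

Failure = Tuple[str, str, str]  # (timestamp, address, user)


def correlate_failures(lines: List[str]) -> List[Failure]:
    """Join the two lines of each failed login through the connection id, the way
    fail2ban joins them through <F-MLFID>, and return (timestamp, address, user).
    A failure whose connect line was never seen has no address and is skipped."""
    addr_by_cid: Dict[str, str] = {}
    failures: List[Failure] = []
    for raw in lines:
        d = DATE_RE.match(raw)
        if d is None:
            continue  # no timestamp of the expected shape: not a line this filter handles
        ts, msg = d.group("ts"), raw[d.end():]
        c = CONNECT_RE.match(msg)
        if c is not None:
            addr_by_cid[c.group("mlfid")] = c.group("addr")
            continue
        f = FAIL_RE.match(msg)
        if f is not None:
            addr = addr_by_cid.get(f.group("mlfid"))
            if addr is not None:
                failures.append((ts, addr, f.group("user")))
    return failures


# The PR's unanchored two-line pattern, with <HOST> expanded to a host-like token.
WEAK_RE = re.compile(r"IP address: (?P<host>[\w\-.^_]*\w).*\n.*User authentication failed.*")


def weak_attributions(lines: List[str]) -> List[str]:
    """Search the PR's pattern over every pair of consecutive lines (a maxlines = 2
    window) and return the addresses it would blame. Nothing ties the two lines
    together, so the failure is paired with whatever 'IP address:' precedes it."""
    blamed: List[str] = []
    for prev, cur in zip(lines, lines[1:]):
        m = WEAK_RE.search(prev + "\n" + cur)
        if m is not None:
            blamed.append(m.group("host"))
    return blamed


if __name__ == "__main__":
    print("correlated:", correlate_failures(SAMPLE_LOG))  # blames 198.51.100.9 (CID-7)
    print("unanchored:", weak_attributions(SAMPLE_LOG))   # blames 203.0.113.5 (CID-8)
```

On the sample, the id-correlated version reports the failure from CID-7's address and ignores CID-99 (no connect line, so no address to ban), while the unanchored pattern blames CID-8's address because its accept line happened to be logged immediately before the failure. fail2ban's `<ADDR>` is broader than the simplified address class used here (it also handles bracketed and mapped forms), so treat `CONNECT_RE` as an illustration of the correlation, not as a drop-in filter.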
Well, it's strange. Based on GitHub, the latest version of SoftEtherVPN is 5.02.5181. However, if we check on https://www.softether.org/, the latest version is 4.43. Probably, these two versions have different log formats. EDITED: The current logs are from the Dev version.
BTW, @sebres I have tested your solution, and it works perfectly as expected.
Maybe we need to split filter and log for Stable and Dev branches of SoftEtherVPN?
Why dev branches? As I already wrote, this version was released in May 2021, so it is stable. The problem with different versions (many distros and soft versions) is hardly solvable within stock fail2ban - we have neither the resources nor the time to support all the filters to follow every software change across all distributions. Therefore the decision at the moment is to support the log format of the latest released version. Or optionally a parametrized filter that allows controlling the format (if they are not too different). But one could simply use the filter I provided above or even write their own filter/regex.
@sebres Please take a look at the description of the repository you are referring to.
This repo is not Stable, but Dev. The stable repo is here. The release from May 2021 is in the Dev repo. I want to clarify that the current version of the filter and logs only covers the Dev repository, not the Stable one. Is this the intended behavior? Why does fail2ban support the Dev version but not the stable one?
Hmm, never saw that before... 2 repos for the same thing... Well, I hope the issue is very clear and comprehensible - it is hardly possible to control any filter for every service across all platforms/distros. Also what is stable for example for debian may be already obsolete for other platforms.
Because the author of the filter (see #2723) is also the author of the enhancement (pull request SoftEtherVPN#1122)?
Seems like you missed another point I provided above - if a new version of f2b gets released (in the distro you use), SoftEtherVPN probably gets updated too, so is the effort really justified? One can try to contact the maintainers of fail2ban for your distro, possibly they would provide a patch for that. But I would not say "No" if someone would provide a PR for the "old" stable version.
@benrubson some thoughts?
I've got your point. I will open an Issue to discuss this problem with a wider audience.
Let's continue our discussion here
Best would have been for @dnobori to merge this in the so called Stable version...
This is my first pull request. I'm sorry if I did it wrong. In short, the current configuration is not working because SoftEtherVPN devs changed the log format. I'm not sure from which version onwards.
The current log looks like the following: