Hi, monitoring the Traefik log I have an example of a successful ban and a missed ban. I suspect the regex in the filter.d traefik-auth file is not catching the lines. The example log file lines are:
188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms
In the above example the IP address 188.95.55.5 is caught and banned but 185.212.111.150 is not caught.
Running in docker under Ubuntu 22.04
jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           10.0.0.0/8
           172.16.0.0/12
           192.168.0.0/16
destemail = [email protected]
sendername = Fail2ban
sender = [email protected]
mta = sendmail
bantime.increment = true
bantime.maxtime = 4w
bantime.factor = 24
bantime = 1h
findtime = 24h
maxretry = 3
action = %(action_mw)s
[traefik-auth]
enabled = true
chain = INPUT
Log file output
2022-11-05 22:36:54,404 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:54
2022-11-05 22:36:59,622 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:59
2022-11-05 22:37:04,235 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:37:04
2022-11-05 22:37:04,263 FFFF8130BB20 NOTIC [traefik-auth] Ban 188.95.55.5
N/A
Would it be possible to maybe update the regex to catch this test intrusion please?
Thanks, team linuxserver.io