From 6a1bbbf1013da4d0d03eb2b282f44f6b0ed8fad2 Mon Sep 17 00:00:00 2001 From: riceru <35490247+riceru@users.noreply.github.com> Date: Tue, 16 Jan 2018 12:39:55 +0000 Subject: [PATCH 1/5] Update lighttpd-auth.conf I have lighttpd 1.4.45 (Debian 9) and auth error log is different. Now printing mod_auth and not http_auth. I think that the change was in Lighttp 1.4.42 --- config/filter.d/lighttpd-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/lighttpd-auth.conf b/config/filter.d/lighttpd-auth.conf index 3bd01f29..11f6d0bb 100644 --- a/config/filter.d/lighttpd-auth.conf +++ b/config/filter.d/lighttpd-auth.conf @@ -3,7 +3,7 @@ [Definition] -failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ +failregex = ^: \((http|mod)_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex = From 9a46590486f8f9fe4f14f785ddbdd448c2bb7a24 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 16 Jan 2018 14:20:51 +0100 Subject: [PATCH 2/5] extended test-cases to cover new log-format (http_auth -> mod_auth) --- fail2ban/tests/files/logs/lighttpd-auth | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fail2ban/tests/files/logs/lighttpd-auth b/fail2ban/tests/files/logs/lighttpd-auth index a373c652..184dba33 100644 --- a/fail2ban/tests/files/logs/lighttpd-auth +++ b/fail2ban/tests/files/logs/lighttpd-auth @@ -5,3 +5,5 @@ 2012-09-26 10:24:35: (http_auth.c.1136) digest: auth failed for xxx : wrong password, IP: 4.4.4.4 # failJSON: { "time": "2013-08-25T00:24:55", "match": true , "host": "4.4.4.4" } 2013-08-25 00:24:55: (http_auth.c.877) get_password failed, IP: 4.4.4.4 +# failJSON: { "time": "2018-01-16T14:10:32", "match": true , "host": "192.0.2.1", "desc": "http_auth -> mod_auth, gh-2018" } +2018-01-16 14:10:32: (mod_auth.c.525) password doesn't match for /test-url username: test, IP: 192.0.2.1 From b6c6565a7ed9229ab14070a9ed83d26655f7f9c0 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 16 Jan 2018 14:23:47 +0100 Subject: [PATCH 3/5] regex updated using non-capturing groups --- config/filter.d/lighttpd-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/lighttpd-auth.conf b/config/filter.d/lighttpd-auth.conf index 11f6d0bb..a68f4f4d 100644 --- a/config/filter.d/lighttpd-auth.conf +++ b/config/filter.d/lighttpd-auth.conf @@ -3,7 +3,7 @@ [Definition] -failregex = ^: \((http|mod)_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ +failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex = From fed6c49c2de2efd677788eeff0cae2e5aa4b9976 Mon Sep 17 00:00:00 2001 From: Benedikt Seidl Date: Thu, 11 Jan 2018 18:53:15 +0100 Subject: [PATCH 4/5] nginx-http-auth: match usernames with spaces # Conflicts: # ChangeLog --- ChangeLog | 1 + config/filter.d/nginx-http-auth.conf | 2 +- fail2ban/tests/files/logs/nginx-http-auth | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ec11539f..d19356cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,7 @@ releases. input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979) * filter.d/postfix-*.conf - added optional port regex (gh-1902) * filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) +* filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015) ### New Features diff --git a/config/filter.d/nginx-http-auth.conf b/config/filter.d/nginx-http-auth.conf index a689f66a..511b5bf0 100644 --- a/config/filter.d/nginx-http-auth.conf +++ b/config/filter.d/nginx-http-auth.conf @@ -4,7 +4,7 @@ [Definition] -failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ +failregex = ^ \[error\] \d+#\d+: \*\d+ user "[^"]+":? (password mismatch|was not found in ".*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ ignoreregex = diff --git a/fail2ban/tests/files/logs/nginx-http-auth b/fail2ban/tests/files/logs/nginx-http-auth index 22c16057..e54edce8 100644 --- a/fail2ban/tests/files/logs/nginx-http-auth +++ b/fail2ban/tests/files/logs/nginx-http-auth @@ -7,4 +7,6 @@ 2014/04/01 22:20:38 [error] 30708#0: *3 user "scribendio": password mismatch, client: 10.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443" # failJSON: { "time": "2014-04-02T12:37:58", "match": true, "host": "10.0.2.2" } 2014/04/02 12:37:58 [error] 6563#0: *1861 user "scribendio": password mismatch, client: 10.0.2.2, server: scribend.io, request: "GET /admin HTTP/1.1", host: "scribend.io", referrer: "https://scribend.io/admin" +# failJSON: { "time": "2014-04-01T22:20:38", "match": true, "host": "10.0.2.2" } +2014/04/01 22:20:38 [error] 30708#0: *3 user "scriben dio": password mismatch, client: 10.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443" From 63e906b2c1a889f6ef0f0739c909b2ab58bbf95b Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 17 Jan 2018 16:31:43 +0100 Subject: [PATCH 5/5] regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name --- config/filter.d/nginx-http-auth.conf | 2 +- fail2ban/tests/files/logs/nginx-http-auth | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/filter.d/nginx-http-auth.conf b/config/filter.d/nginx-http-auth.conf index 511b5bf0..65a8dd1b 100644 --- a/config/filter.d/nginx-http-auth.conf +++ b/config/filter.d/nginx-http-auth.conf @@ -4,7 +4,7 @@ [Definition] -failregex = ^ \[error\] \d+#\d+: \*\d+ user "[^"]+":? (password mismatch|was not found in ".*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ +failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$ ignoreregex = diff --git a/fail2ban/tests/files/logs/nginx-http-auth b/fail2ban/tests/files/logs/nginx-http-auth index e54edce8..c9c96807 100644 --- a/fail2ban/tests/files/logs/nginx-http-auth +++ b/fail2ban/tests/files/logs/nginx-http-auth @@ -7,6 +7,7 @@ 2014/04/01 22:20:38 [error] 30708#0: *3 user "scribendio": password mismatch, client: 10.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443" # failJSON: { "time": "2014-04-02T12:37:58", "match": true, "host": "10.0.2.2" } 2014/04/02 12:37:58 [error] 6563#0: *1861 user "scribendio": password mismatch, client: 10.0.2.2, server: scribend.io, request: "GET /admin HTTP/1.1", host: "scribend.io", referrer: "https://scribend.io/admin" -# failJSON: { "time": "2014-04-01T22:20:38", "match": true, "host": "10.0.2.2" } -2014/04/01 22:20:38 [error] 30708#0: *3 user "scriben dio": password mismatch, client: 10.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443" - +# failJSON: { "time": "2014-04-03T22:20:38", "match": true, "host": "192.0.2.1", "desc": "user name with space" } +2014/04/03 22:20:38 [error] 30708#0: *3 user "scriben dio": password mismatch, client: 192.0.2.1, server: , request: "GET / HTTP/1.1", host: "localhost:8443" +# failJSON: { "time": "2014-04-03T22:20:40", "match": true, "host": "192.0.2.2", "desc": "trying injection on user name"} +2014/04/03 22:20:40 [error] 30708#0: *3 user "test": password mismatch, client: 127.0.0.1, server: test, request: "GET / HTTP/1.1", host: "localhost:8443"": was not found in "/etc/nginx/.htpasswd", client: 192.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443"