ownCloud 7 - Fail2ban doesn't ban anything

Everything about security-related questions and problems.
jochen35
Posts: 63
Registered: 03.10.2009 10:03:48

ownCloud 7 - Fail2ban doesn't ban anything

Post by jochen35 » 24.10.2014 22:30:18

Hello,

I have created the following Fail2ban configuration for ownCloud.

Code:

[Definition]
failregex = {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

Code:

[owncloud-login]
enabled   = true
port      = http,https
filter    = owncloud-login
logpath   = /srv/www/owncloud/data/owncloud.log
maxretry  = 3

and in ownCloud's config.php I have set the time zone for the log file entries.

Code:

'logtimezone' => 'Europe/Berlin',

fail2ban-regex returns 7 matches, but Fail2ban simply doesn't ban the IP.

Code:

root@srv:~# fail2ban-regex /srv/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud-login.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/owncloud-login.conf
Use log file   : /srv/www/owncloud/data/owncloud.log


Results
=======

Failregex
|- Regular expressions:
|  [1] {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
|
`- Number of matches:
   [1] 7 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    x.x.x.x (Fri Oct 24 23:12:08 2014)
    x.x.x.x (Fri Oct 24 23:12:13 2014)
    x.x.x.x (Fri Oct 24 23:12:18 2014)
    x.x.x.x (Fri Oct 24 23:12:22 2014)
    x.x.x.x (Fri Oct 24 23:12:26 2014)
    x.x.x.x (Fri Oct 24 23:12:32 2014)
    x.x.x.x (Fri Oct 24 23:12:37 2014)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
14 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 7

However, look at the above section 'Running tests' which could contain important
information.

Here is the ownCloud log

Code:

root@srv:~# cat /srv/www/owncloud/data/owncloud.log
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:08+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:13+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:18+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:22+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:26+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:32+02:00"}
{"app":"core","message":"Login failed: 'max' (Remote IP: 'x.x.x.x', X-Forwarded-For: '')","level":2,"time":"2014-10-24T22:12:37+02:00"}

What have I overlooked, or rather, why doesn't Fail2ban react?

Regards
Jochen

DebianAnonymouse
Posts: 19
Registered: 22.07.2014 12:17:18

Re: ownCloud 7 - Fail2ban doesn't ban anything

Post by DebianAnonymouse » 15.11.2014 14:31:08

Try it with the following definition:

Code:

[Definition]
failregex={"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}
          {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

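
An added example, not part of either post and not fail2ban's own code: fail2ban-regex counts every line the failregex matches, whereas a jail only counts failures whose timestamp lies within findtime, so the two numbers can disagree. The code applies the posted failregex to constructed log lines (documentation IP 192.0.2.10) with an IPv4-only stand-in for <HOST>; findtime=600 and the evaluation times are assumptions, since the jail in the post does not set findtime.

```python
import re
from datetime import datetime

# failregex exactly as posted in the thread; fail2ban expands <HOST> itself.
FAILREGEX = (r"""{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', """
             r"""X-Forwarded-For: '.*'\)","level":2,"time":".*"}""")
# IPv4-only stand-in for <HOST> (assumption; fail2ban's own pattern is broader).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))
TIME_RE = re.compile(r'"time":"([^"]+)"')

# Constructed sample: ownCloud 7 log format from the thread, documentation IP.
SAMPLE_STAMPS = ["2014-10-24T22:12:%02d+02:00" % s for s in (8, 13, 18, 22, 26, 32, 37)]

def make_sample_log(ip, stamps):
    """Build constructed log lines in the format shown in the first post."""
    tmpl = ('{{"app":"core","message":"Login failed: \'max\' (Remote IP: \'{ip}\', '
            'X-Forwarded-For: \'\')","level":2,"time":"{ts}"}}')
    return [tmpl.format(ip=ip, ts=ts) for ts in stamps]

def evaluate(lines, now, findtime=600, maxretry=3):
    """Return (regex_matches, failures_in_window, hosts_reaching_maxretry)."""
    matched, in_window = 0, {}
    for line in lines:
        m, t = LINE_RE.search(line), TIME_RE.search(line)
        if not (m and t):
            continue
        matched += 1                                # what fail2ban-regex reports
        when = datetime.fromisoformat(t.group(1))   # offset-aware, keeps +02:00
        if (now - when).total_seconds() <= findtime:
            host = m.group("host")
            in_window[host] = in_window.get(host, 0) + 1
    banned = sorted(h for h, n in in_window.items() if n >= maxretry)
    return matched, in_window, banned

if __name__ == "__main__":
    log = make_sample_log("192.0.2.10", SAMPLE_STAMPS)
    # Two assumed evaluation times: shortly after the attempts, and later.
    for label in ("2014-10-24T22:13:00+02:00", "2014-10-24T22:30:00+02:00"):
        print(label, evaluate(log, datetime.fromisoformat(label)))
```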