
#77 failregex

closed
nobody
how-to (1)
5
2021-02-10
2021-02-10
selena
No

Hi fail2ban team!
I need help with failregex for django log!
My log line is for example:

2021-02-10 16:50:31,096 WARNING AXES: New login failure by {username: "xxx", ip_address: "5.169.172.125", user_agent: "Mozilla/5.0 (Linux; Android 10; M2007J20CG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36", path_info: "/amministrazione/login/"}. Creating new record in the database.

2021-02-10 16:51:01,426 WARNING AXES: Repeated login failure by {username: "xxx", ip_address: "5.169.172.125", user_agent: "Mozilla/5.0 (Linux; Android 10; M2007J20CG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36", path_info: "/amministrazione/login/"}. Count = 1 of 10. Updating existing record in the database.

Thanks!

Discussion

  • selena

    selena - 2021-02-10

    failregex = ^.* login failure .* ip_address: "<HOST>"

     
  • Serg G. Brester

    Serg G. Brester - 2021-02-10

    In case the tags in the info structure (JSON5?) are always given in this order (and there are no other tags in between) you can use this one:

    failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{username: "<F-USER>[^"]+</F-USER>", ip_address: "<ADDR>"
    

    Otherwise you could use something like that:

    failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{(?:(?:username: "<F-USER>[^"]+</F-USER>"|ip_address: "<ADDR>"|\S+: (?:"[^"]*"|[^\s,]+))(?:,\s*|\}))+
    

    If AXES is some dynamic data (may deviate depending on context) replace it either with \w+ or with \S+.
    In case you have some old fail2ban version (<= 0.9), remove both tags <F-USER> and replace <ADDR> with <HOST>.

     
  • Serg G. Brester

    Serg G. Brester - 2021-02-10
    • labels: --> how-to
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,9 +1,9 @@
     Hi fail2ban team!
     I need help with failregex for django log!
     My log line is for example:
    -
    +```
     2021-02-10 16:50:31,096 WARNING AXES: New login failure by {username: &#34;xxx&#34;, ip_address: &#34;5.169.172.125&#34;, user_agent: &#34;Mozilla/5.0 (Linux; Android 10; M2007J20CG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36&#34;, path_info: &#34;/amministrazione/login/&#34;}. Creating new record in the database.
    
     2021-02-10 16:51:01,426 WARNING AXES: Repeated login failure by {username: &#34;xxx&#34;, ip_address: &#34;5.169.172.125&#34;, user_agent: &#34;Mozilla/5.0 (Linux; Android 10; M2007J20CG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36&#34;, path_info: &#34;/amministrazione/login/&#34;}. Count = 1 of 10. Updating existing record in the database.
    -
    +```
     Thanks!
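    Review bot: the double quotes in this hunk render as the HTML entity `&#34;` (e.g. `username: &#34;xxx&#34;`, `ip_address: &#34;5.169.172.125&#34;`) while the ticket body above shows literal `"`; the added ``` fences fix the layout but not that escaping, so anyone feeding a sample line from this diff to fail2ban-regex should copy it from the fenced block in the description instead, otherwise the `"<ADDR>"` part of the failregex will never match.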
    
    • status: open --> closed
     
  • selena

    selena - 2021-02-10

    Thanks!

     
  • selena

    selena - 2021-02-10

    IT ALSO WORKS:

    failregex = ^.*login failure.*ip_address: "<HOST>"
    

    it is OK?
    Thanks!

     

    Last edit: selena 2021-02-10
  • Serg G. Brester

    Serg G. Brester - 2021-02-10

    it is OK?

    No! This regex is vulnerable, since due to 2 catch-alls and unanchored matter it can match the IP everywhere (e.g. in foreign input too). So it has several issues, starting with performance and ending with a certain vector for an injection on foreign input.
    And ^.* is not an anchor at all (it can be removed and would change nothing), because these 2 regexes are quasi equivalent:

    - ^.*something
    + something
    
     
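The injection the maintainer describes, shown as an added example (not code from the ticket or from fail2ban): selena's catch-all regex and the anchored one from the earlier reply are run over the ticket's Django/AXES line and two constructed lines. The tag substitution (`<ADDR>`/`<HOST>` to an IPv4 group, `<F-USER>...</F-USER>` to a user group) and the date stripping are simplified stand-ins for what fail2ban does; the hostile User-Agent and the unrelated `django.request` line are made up for the demonstration.

```python
import re

# Added example, not fail2ban's own code.  Assumed simplification of the tag
# substitution fail2ban performs before compiling a failregex: <ADDR> and
# <HOST> become a named IPv4 group "ip" (real fail2ban also accepts IPv6 and,
# for <HOST>, DNS names); <F-USER>...</F-USER> becomes a named group "user".
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def from_fail2ban(failregex: str) -> "re.Pattern[str]":
    """Translate fail2ban tags into Python named groups (simplified)."""
    py = failregex.replace("<ADDR>", f"(?P<ip>{IPV4})")
    py = py.replace("<HOST>", f"(?P<ip>{IPV4})")
    py = re.sub(r"<F-USER>(.*?)</F-USER>", r"(?P<user>\1)", py)
    return re.compile(py)


# fail2ban removes the text matched by its datepattern before the failregex
# runs, so "^" in the failregex sits right after the timestamp.  Mimic that
# for the Django timestamp format seen in the ticket.
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")


def strip_date(line: str) -> str:
    return DATE.sub("", line, count=1)


# selena's catch-all regex versus the anchored one from the earlier reply.
NAIVE = from_fail2ban(r'^.*login failure.*ip_address: "<HOST>"')
STRICT = from_fail2ban(
    r'^\s*WARNING AXES: (?:New|Repeated) login failure by '
    r'\{username: "<F-USER>[^"]+</F-USER>", ip_address: "<ADDR>"'
)


def extract(pattern: "re.Pattern[str]", line: str):
    """Return (ip, user) the filter would act on, or None if the line is ignored."""
    m = pattern.search(strip_date(line))
    if not m:
        return None
    return m.group("ip"), m.groupdict().get("user")


# Constructed sample lines: the first is the ticket's own line (User-Agent
# shortened); the other two are made up for this demonstration.
LEGIT = ('2021-02-10 16:50:31,096 WARNING AXES: New login failure by '
         '{username: "xxx", ip_address: "5.169.172.125", user_agent: '
         '"Mozilla/5.0 (Linux; Android 10; M2007J20CG)", '
         'path_info: "/amministrazione/login/"}. Creating new record in the database.')

# The User-Agent string is chosen by the client and is embedded in the log
# line, so it can carry a fake ip_address field; the greedy ".*" in the
# catch-all regex prefers the LAST occurrence, i.e. the attacker's value.
HOSTILE = ('2021-02-10 16:52:00,000 WARNING AXES: Repeated login failure by '
           '{username: "xxx", ip_address: "5.169.172.125", user_agent: '
           '"Mozilla/5.0 ip_address: "203.0.113.9" Safari/537.36", '
           'path_info: "/amministrazione/login/"}. Count = 2 of 10. Updating existing record in the database.')

# A line from a different logger whose free text happens to contain the words;
# nobody failed a login here, yet the catch-all regex still yields an IP.
FOREIGN = ('2021-02-10 16:53:00,000 INFO django.request: GET /search?q=login failure '
           'ip_address: "203.0.113.9" from 5.169.172.125')


if __name__ == "__main__":
    for name, line in ("legit", LEGIT), ("hostile", HOSTILE), ("foreign", FOREIGN):
        print(f"{name:8} naive={extract(NAIVE, line)}  strict={extract(STRICT, line)}")
```

On the hostile line the catch-all regex hands fail2ban `203.0.113.9`, an address the attacker picked, while the anchored regex still reports the real client `5.169.172.125`; on the unrelated line the catch-all regex produces a ban candidate and the anchored one ignores it.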
  • selena

    selena - 2021-02-10

    last help:

    89.248.168.108 - - [10/Feb/2021:08:50:21 +0100] "HEAD / HTTP/1.0" 301 0 "-" "-"
    177.152.152.37 - - [10/Feb/2021:10:56:58 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    185.239.242.198 - - [10/Feb/2021:11:41:09 +0100] "GET / HTTP/1.0" 404 152 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
    89.248.168.108 - - [10/Feb/2021:11:41:24 +0100] "" 400 0 "-" "-"
    

    then is this regex also vulnerable?

    failregex = ^<HOST>.* 301.*$
                ^<HOST>.* 400.*$
                ^<HOST>.* 404.*$
    

    sorry ... I'm not familiar with the regex

     

    Last edit: selena 2021-02-10
  • Serg G. Brester

    Serg G. Brester - 2021-02-10

    Less so than that from django (since the host comes before any foreign input), but yes, it is.
    Because 301/400/404 could theoretically be anywhere in the string (part of the URI, agent etc.), a false positive for legitimate requests would be possible. To avoid that it must have no catch-all before the response code, for instance like this:

    failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" (?:301|40[04])\b
    

    And you don't need 3 REs here (just enclose the deviating parts in (?: ... ), separated by |).

     

    Last edit: Serg G. Brester 2021-02-10
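The false positive described in the reply above, shown as an added example (not code from the ticket or from fail2ban): selena's three catch-all patterns and the single anchored one are run over the four access-log lines from the ticket plus two constructed, perfectly legitimate 200 responses whose response size and User-Agent happen to contain " 301" and " 404". The tag substitution and the date stripping are simplified stand-ins for what fail2ban does; the empty `[]` left behind after the date is cut is what the optional `(?: \[\])?` accounts for.

```python
import re

# Added example, not fail2ban's own code.  Assumed simplification of the tag
# substitution fail2ban performs: <ADDR> and <HOST> become an IPv4 group "ip".
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def from_fail2ban(failregex: str) -> "re.Pattern[str]":
    py = failregex.replace("<ADDR>", f"(?P<ip>{IPV4})")
    py = py.replace("<HOST>", f"(?P<ip>{IPV4})")
    return re.compile(py)


# fail2ban removes the text matched by its datepattern before running the
# failregex; for the common log format only the empty brackets "[]" remain,
# which is what the optional "(?: \[\])?" in the maintainer's regex matches.
DATE = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")


def strip_date(line: str) -> str:
    return DATE.sub("", line, count=1)


# selena's three catch-all patterns versus the single anchored one.
NAIVE = [from_fail2ban(r"^<HOST>.* 301.*$"),
         from_fail2ban(r"^<HOST>.* 400.*$"),
         from_fail2ban(r"^<HOST>.* 404.*$")]
STRICT = [from_fail2ban(r'^<ADDR> \S+ \S+(?: \[\])? "[^"]*" (?:301|40[04])\b')]


def hits(patterns, lines):
    """IPs the jail would count, at most one per line, in log order."""
    found = []
    for line in lines:
        cut = strip_date(line)
        for p in patterns:
            m = p.search(cut)
            if m:
                found.append(m.group("ip"))
                break
    return found


# The four lines from the ticket ...
TICKET = [
    '89.248.168.108 - - [10/Feb/2021:08:50:21 +0100] "HEAD / HTTP/1.0" 301 0 "-" "-"',
    '177.152.152.37 - - [10/Feb/2021:10:56:58 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"',
    '185.239.242.198 - - [10/Feb/2021:11:41:09 +0100] "GET / HTTP/1.0" 404 152 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"',
    '89.248.168.108 - - [10/Feb/2021:11:41:24 +0100] "" 400 0 "-" "-"',
]
# ... plus two constructed legitimate 200 responses: one whose response size
# is 301 bytes, one whose User-Agent mentions "404".
LEGIT = [
    '203.0.113.5 - - [10/Feb/2021:12:00:00 +0100] "GET /robots.txt HTTP/1.1" 200 301 "-" "-"',
    '198.51.100.7 - - [10/Feb/2021:12:00:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Monitor/1.0 (check 404 pages)"',
]


if __name__ == "__main__":
    print("naive :", hits(NAIVE, TICKET + LEGIT))
    print("strict:", hits(STRICT, TICKET + LEGIT))
```

Both variants count the four ticket lines; only the catch-all patterns also count `203.0.113.5` and `198.51.100.7`, which never received an error response at all.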
  • selena

    selena - 2021-02-10

    Thanks so much.
    I didn't want to study the regex in depth.
    Good life.

     
