On 20.07.2017 12:16, mj wrote:
> Hi all,
>
> If I may, one more question on this subject:
>
> I would like to create a fail2ban filter, that scans for these lines:
>
>> Jul 20 11:10:09 auth: Info:
>> ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials
>> (given password: password)
>> Jul 20 11:10:19 auth: Info:
>> ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given
>> password: password)
>
> (as you can see, I have enabled auth_verbose_passwords to do this,
> making me very uncomfortable...)
>
> Anyway: since there are only a few password variations, I would like
> to block anyone using those passwords.
>
> (since the connections are over TLS/SSL, I cannot use iptables, as
> suggested earlier)
>
> So I need a specific fail2ban rule that extracts the <IP> from that
> line, and matches on "(given password: password)"
>
> Can anyone here help out with a failregex line that would match..?

You could use https://github.com/PowerDNS/weakforced here. It lets you execute arbitrary actions in addition to just outright blocking the users.

Aki
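An added example, not part of the original thread: one way to write the failregex asked about in the quoted question, checked in Python (the regex dialect fail2ban uses) against the two quoted log lines joined back into single lines. The user field is `[^,]*` and the pattern is anchored at both ends, so text the client supplies as username or password cannot put a different address in the host group. The password "123456", the extra sample lines and the function names are constructed for illustration.

```python
import re

# "password" comes from the quoted log lines; "123456" is a constructed
# placeholder for the other variations the poster mentions.
WEAK_PASSWORDS = ("password", "123456")

_PW = "|".join(re.escape(p) for p in WEAK_PASSWORDS)
# {host} is replaced by an IPv4 group below, or by fail2ban's <HOST> tag.
_TEMPLATE = (r"^auth: Info: ldap\([^,]*,{host},<[^>]*>\): "
             r"invalid credentials \(given password: (?:" + _PW + r")\)$")
_IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
_LINE = re.compile(_TEMPLATE.replace("{host}", _IPV4))
# fail2ban removes the timestamp before applying failregex; do the same here.
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")


def fail2ban_failregex():
    """The same pattern in the form a fail2ban filter's failregex takes."""
    return _TEMPLATE.replace("{host}", "<HOST>")


def offending_ip(line):
    """Return the client IP for a failed login with a listed password, else None."""
    body = _TIMESTAMP.sub("", line.strip(), count=1)
    m = _LINE.match(body)
    return m.group("host") if m else None


SAMPLES = [
    # The two lines from the quoted message, unwrapped.
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): "
    "invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): "
    "invalid credentials (given password: password)",
    # Constructed: a password that is not on the list.
    "Jul 20 11:10:29 auth: Info: ldap(user3,203.0.113.7,<AAAA>): "
    "invalid credentials (given password: S0me-other-guess)",
    # Constructed: password text shaped like a second record naming another IP.
    "Jul 20 11:10:39 auth: Info: ldap(user4,203.0.113.7,<BBBB>): invalid "
    "credentials (given password: x),198.51.100.9,<CCCC>): invalid "
    "credentials (given password: password)",
]

if __name__ == "__main__":
    print("failregex =", fail2ban_failregex())
    for s in SAMPLES:
        print(offending_ip(s), "<-", s[:60])
```

The last sample returns no address at all rather than the embedded one, which is the behaviour to check for before a filter like this is allowed to trigger bans.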