Skip to content

Issue of traefik-auth not catching all log lines #9

New issue
New issue
Open
Open
Issue of traefik-auth not catching all log lines#9
@ArthurMitchell42

Description

@ArthurMitchell42
ArthurMitchell42
opened on Nov 6, 2022

linuxserver.io
Hi, monitoring the Traefik log I have an example of a successful ban and a missed ban. I suspect the regex in the filter.d traefik-auth file is not catching the lines. The example log file lines are:

188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms

In the above example the IP address 188.95.55.5 is caught and banned but 185.212.111.150 is not caught.

Running in docker under Ubuntu 22.04

jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

destemail = [email protected]
sendername = Fail2ban
sender = [email protected]
mta = sendmail

bantime.increment = true
bantime.maxtime = 4w
bantime.factor = 24
bantime = 1h
findtime = 24h
maxretry = 3

action = %(action_mw)s

[traefik-auth]
enabled = true
chain = INPUT

Log file output

2022-11-05 22:36:54,404 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:54
2022-11-05 22:36:59,622 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:59
2022-11-05 22:37:04,235 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:37:04
2022-11-05 22:37:04,263 FFFF8130BB20 NOTIC [traefik-auth] Ban 188.95.55.5

N/A

Would it be possible to maybe upgate the regex to catch this test intrusion please?

Thanks, team linuxserver.io

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions