Are you sure it wasn’t working without the .* at the beginning? According to the fail2ban manual:
If the failregex is anchored with a leading ^, then the anchor refers to the start of the remainder of the line, after the timestamp and intervening whitespace.
Did you put a datepattern in your .conf file? I wonder if that makes a difference? Mine looks like this:
In any case, mine works without the leading .* and I think it’s generally a bad idea to have an unlimited match at the beginning of the failregex because it could potentially be abused with an injection-type attack.
Great, but would you be so kind as to tell me how I can change this parameter in Grafana in Docker?
I guess I have to add something in grafana.env?
Thank You!
The above syntax no longer works. The IP is listed on another line and isn’t being captured by fail2ban.
2023-09-28 07:39:33,017 fail2ban.filter [1]: WARNING [grafana_proxy] Please check a jail for a timing issue. Line with odd timestamp: logger=authn.service t=2023-09-28T08:39:32.757980995-06:00 level=warn msg="Failed to authenticate request" client=auth.client.form error="[password-auth.failed] failed to authenticate identity: [identity.not-found] no user fund: user not found"
Below is what I’m currently using, and I just confirmed that it’s still working (in Grafana 10.0). Grafana changed their log output format a while ago.
Yes I did. I even put my old configuration in and it would acknowledge it sees a failed login.
Also checked the grafana log and confirmed the failed login was being captured.
logger=authn.service t=2023-09-28T11:41:43.388752983-06:00 level=warn msg="Failed to authenticate request" client=auth.client.form error="[password-auth.failed] failed to authenticate identity: [identity.not-found] no user fund: user not found"
logger=context userId=0 orgId=0 uname= t=2023-09-28T11:41:43.389087901-06:00 level=info msg="Bad request" error="[password-auth.failed] failed to authenticate identity: [identity.not-found] no user fund: user not found" remote_addr=... traceID=
I can update later and see if I see the same thing, but in the meantime, based on the sample logs you sent, I think this should work for your failregex: msg="Bad request" (?:[^=]+=(?:"[^"]*"|\S*) )+remote_addr=<ADDR>
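To see why the intermediate key=value fields need a quoted-string alternative, here is an added Python check (not from this thread or from fail2ban itself) that runs the failregex above against constructed Grafana 10 style lines. It assumes a simplified IPv4-only expansion of fail2ban's <ADDR> tag, and the log lines are constructed samples, not captured output.

```python
import re

# Constructed Grafana 10 style logfmt lines (not copied from a real server).
# The timestamp sits in a t= field mid-line, which is why fail2ban's default
# date detection reports an "odd timestamp" unless a datepattern is set.
BAD_REQUEST = (
    'logger=context userId=0 orgId=0 uname= t=2023-09-28T11:41:43.389087901-06:00 '
    'level=info msg="Bad request" error="[password-auth.failed] failed to '
    'authenticate identity: [identity.not-found] no user found: user not found" '
    'remote_addr=203.0.113.7 traceID='
)
FAILED_AUTH = (
    'logger=authn.service t=2023-09-28T11:41:43.388752983-06:00 level=warn '
    'msg="Failed to authenticate request" client=auth.client.form '
    'error="[password-auth.failed] failed to authenticate identity: '
    '[identity.not-found] no user found: user not found"'
)

# Simplified stand-in for fail2ban's <ADDR> tag: IPv4 only (assumption;
# the real expansion also covers IPv6 and hostnames).
ADDR = r'(?P<addr>(?:\d{1,3}\.){3}\d{1,3})'

# Skip any key=value fields between msg and remote_addr. A value is either a
# quoted string (may contain spaces and dots) or a bare token.
FAILREGEX = r'msg="Bad request" (?:[^=]+=(?:"[^"]*"|\S*) )+remote_addr=<ADDR>'

# Variant whose value class excludes '.' and '+': it cannot get past the dot
# in "password-auth.failed", so it never reaches remote_addr.
BROKEN_FAILREGEX = r'msg="Bad request" (?:[^=]+=[^.+]+ )+remote_addr=<ADDR>'


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <ADDR> tag and compile, as fail2ban does before matching."""
    return re.compile(failregex.replace('<ADDR>', ADDR))


def extract_addr(line: str, failregex: str = FAILREGEX):
    """Return the offending address when the line matches, otherwise None."""
    m = compile_failregex(failregex).search(line)
    return m.group('addr') if m else None


if __name__ == "__main__":
    print(extract_addr(BAD_REQUEST))                    # 203.0.113.7
    print(extract_addr(FAILED_AUTH))                    # None, no remote_addr on that line
    print(extract_addr(BAD_REQUEST, BROKEN_FAILREGEX))  # None
```

Only the "Bad request" line carries remote_addr, so the "Failed to authenticate request" line from the same attempt is never the one that bans.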