#739945 fail2ban not working with htdigest apache auth

#739945#5
Date: 2014-02-24 08:44:04 UTC
Dear Maintainer,

fail2ban fails to detect login attempts when using htdigest auth in apache,
so I have copied some regex lines out of apache-auth.conf from my FreeBSD 10.0 box, and now it works.

Cheers
Olaf

#739945#10
Date: 2014-07-04 12:22:51 UTC
In 0.8.6-3wheezy2 it looks like the regex for _apache_error_client in the apache-common.conf isn't working any more.

We had the same problem in another filter-file by including the apache-common.conf.

The following regex fixed the problem:

_apache_error_client = \[\] \[(:?error|\S+:\S+)\] \[client <HOST>(:\d{1,5})?\]

Cheers,
Guido

#739945#15
Date: 2014-08-06 11:28:49 UTC
I face a similar issue on Wheezy, when using basic authentication, with
version 0.8.6-3wheezy3: the authentication failures are not matched by
the fail2ban regex in the filter apache-auth.conf.

It seems to come from the Debian patch applied in
http://security.debian.org/debian-security/pool/updates/main/f/fail2ban/fail2ban_0.8.6-3wheezy3.diff.gz:
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication
failure|not found|password mismatch)\s*$
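Review bot: the `\s*$` that ends the added failregex requires the log line to stop right after `authentication failure`, `not found` or `password mismatch`, whereas the three removed patterns had no end anchor and matched whatever followed. Apache can append detail after the message (the sample in this report ends in `not found: /path/`), so those failures go unmatched and the client is never banned. Suggest dropping the end anchor, as the removed lines had it, or explicitly allowing a trailing remainder after the alternation.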

The problem comes from the trailing \s. If I replace it with a dot, it
works:
failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch).*$

Here is an example of a log line generated by my Apache config:
[Tue Jul 29 11:38:11 2014] [error] [client xxx.xxx.xxx.xxx] user XXXX not found: /path/

The "not found" string is followed by a ":", which explains the regex
did not match.

I use the standard version of Apache that comes with wheezy:
2.2.22-13+deb7u3
And my log file is configured with:
CustomLog /var/log/apache2/error.log vhost_combined

#739945#20
Date: 2014-10-02 20:09:02 UTC
On Wed, 06 Aug 2014 13:28:49 +0200 Mossroy <mossroy@free.fr> wrote:
 > The problem comes from the trailing \s. If I replace it with a dot, it
 > works :
 > failregex = ^%(_apache_error_client)s user .* (authentication
 > failure|not found|password mismatch).*$
Same issue here.  Your remedy is what we came up with ourselves.

[Thu Oct 02 16:36:12 2014] [error] [client 10.x.x.x] user xxxx: authentication failure for "/": Password Mismatch
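
The behaviour reported in the last two messages can be reproduced offline with the following added example, which is not part of the bug report and is not fail2ban's own code. `HOST` and `PREFIX` are simplified stand-ins (assumptions) for fail2ban's `<HOST>` tag and `%(_apache_error_client)s`, and the log lines are constructed from the samples in the thread.

```python
import re

# Stand-ins (assumptions): fail2ban expands <HOST> and %(_apache_error_client)s
# itself; these simplified forms only cover the Apache 2.2 lines shown above.
HOST = r"(?P<host>\S+)"
PREFIX = r"\[[^]]*\] \[error\] \[client " + HOST + r"\]"
ALT = r"(authentication failure|not found|password mismatch)"

VARIANTS = {
    # The three removed patterns folded into one unanchored alternation;
    # \[ and \] are equivalent to the [[] and []] classes used in the filter.
    "removed": r"\[client " + HOST + r"\] user .* " + ALT,
    # failregex added by the wheezy patch: line must end after the message
    "patched": "^" + PREFIX + r" user .* " + ALT + r"\s*$",
    # workaround reported in the thread: any remainder is accepted
    "workaround": "^" + PREFIX + r" user .* " + ALT + r".*$",
}

# Constructed log lines modelled on the two samples in the thread
# (192.0.2.0/24 is a documentation range), plus a bare and an unrelated line.
SAMPLES = {
    "bare": "[Tue Jul 29 11:38:11 2014] [error] [client 192.0.2.10] "
            "user alice not found",
    "path_suffix": "[Tue Jul 29 11:38:11 2014] [error] [client 192.0.2.10] "
                   "user alice not found: /path/",
    "for_suffix": "[Thu Oct 02 16:36:12 2014] [error] [client 192.0.2.11] "
                  'user bob: authentication failure for "/": Password Mismatch',
    "unrelated": "[Thu Oct 02 16:36:13 2014] [error] [client 192.0.2.12] "
                 "File does not exist: /var/www/favicon.ico",
}

def matched_host(variant, line):
    """Return the captured client address, or None if the failregex misses."""
    m = re.search(VARIANTS[variant], line)
    return m.group("host") if m else None

def coverage():
    """Map each variant to the sorted names of the samples it matches."""
    return {v: sorted(n for n, line in SAMPLES.items() if matched_host(v, line))
            for v in VARIANTS}

if __name__ == "__main__":
    for variant, hits in coverage().items():
        print(f"{variant:10s} matches: {', '.join(hits) or '-'}")
```

Only the `bare` line is caught by the patched expression; both suffixed failures pass unnoticed until the end of the pattern tolerates trailing text.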