Fail2ban Seafile Pro iOS client access

I have fail2ban working perfectly with Seafile Pro, blocking and preventing brute force attacks on my login page, but I can’t figure out where logs are stored to block brute force attempts from the iOS client. Is there a login limit and/or log file which can be used to trigger a fail2ban IP block from the API?

I hacked a solution together which seems to work, although I’m not sure it’s optimal. Would be open to feedback.

Created a local jail `/etc/fail2ban/jail.d/seafile.local` with the following contents:

```ini
[seafile-api]
enabled  = true
port     = http,https
filter   = seafile-api-auth
logpath  = /var/log/nginx/seahub.access.log
maxretry = 5
banaction = nginx-multiport
```

and created a `/etc/fail2ban/filter.d/seafile-api-auth.conf` filter which included the following code:

```ini
# Fail2Ban API filter for seafile
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = seaf-api-server

failregex = ^<HOST> -.*POST .*/api2/auth-token/.*

ignoreregex = 

# DEV Notes:
#
# pattern :
#192.168.20.194 - - [16/Mar/2018:14:35:33 -0700] "POST /api2/auth-token/ HTTP/1.1" 400 78 "-" "SeafilePro/3 CFNetwork/894 Darwin/17.4.0"
#192.168.20.101 - - [16/Mar/2018:15:12:45 -0700] "POST /api2/auth-token/ HTTP/1.1" 400 78 "-" "Mozilla/5.0"
#192.168.20.101 - - [16/Mar/2018:15:12:52 -0700] "POST /api2/auth-token/ HTTP/1.1" 200 63 "-" "Mozilla/5.0"
```
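As feedback on the filter above, here is an added example (not part of the original post) that runs the posted `failregex` and a hypothetical tightened variant over the post's three sample lines plus constructed ones, counting hits per host against `maxretry = 5`. It assumes, as the sample lines suggest, that a rejected login is logged with status 400 and an accepted one with 200; the `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and the 203.0.113.7 and 198.51.100.9 entries are constructed.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as posted: any POST to the token endpoint counts.
ORIGINAL = r"^<HOST> -.*POST .*/api2/auth-token/.*"
# Hypothetical tightened variant: only count requests answered with 400.
TIGHTENED = r'^<HOST> - \S+ \[[^\]]+\] "POST /api2/auth-token/ HTTP/[\d.]+" 400 '

REQ = '"POST /api2/auth-token/ HTTP/1.1"'
LOG = [
    # The three sample lines from the filter's DEV notes.
    f'192.168.20.194 - - [16/Mar/2018:14:35:33 -0700] {REQ} 400 78 "-" '
    '"SeafilePro/3 CFNetwork/894 Darwin/17.4.0"',
    f'192.168.20.101 - - [16/Mar/2018:15:12:45 -0700] {REQ} 400 78 "-" "Mozilla/5.0"',
    f'192.168.20.101 - - [16/Mar/2018:15:12:52 -0700] {REQ} 200 63 "-" "Mozilla/5.0"',
]
# Constructed: five rejected attempts from one address ...
LOG += [f'203.0.113.7 - - [16/Mar/2018:15:20:{s:02d} -0700] {REQ} 400 78 "-" "Mozilla/5.0"'
        for s in range(5)]
# ... and five accepted logins from another (e.g. several devices behind one NAT).
LOG += [f'198.51.100.9 - - [16/Mar/2018:15:30:{s:02d} -0700] {REQ} 200 63 "-" "SeafilePro/3"'
        for s in range(5)]


def hosts_to_ban(failregex, lines, maxretry=5):
    """Return hosts with at least maxretry matching lines (findtime is ignored)."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter(m.group("host") for m in map(rx.search, lines) if m)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    print("original :", hosts_to_ban(ORIGINAL, LOG))
    print("tightened:", hosts_to_ban(TIGHTENED, LOG))
```

The same comparison can be made against the real log with `fail2ban-regex /var/log/nginx/seahub.access.log /etc/fail2ban/filter.d/seafile-api-auth.conf`, which reports how many lines the filter matches.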