samwiseetc/fail2ban/filter.d/traefik-auth.conf

# Fail2ban filter configuration for traefik :: auth
# used to ban hosts, that were failed through traefik
#
# Author: CrazyMax
#
# To use 'traefik-auth' filter you have to configure your Traefik instance to write
# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs
# into a log file on host and specifiy users for Basic Authentication
# https://docs.traefik.io/configuration/entrypoints/#basic-authentication
#
# Example:
#
# version: "3.2"
#
# services:
#   traefik:
#     image: traefik:latest
#     command:
#       - "--loglevel=INFO"
#       - "--accesslog=true"
#       - "--accessLog.filePath=/var/log/access.log"
# #       - "--accessLog.filters.statusCodes=400-499"
#       - "--defaultentrypoints=http,https"
#       - "--entryPoints=Name:http Address::80"
#       - "--entryPoints=Name:https Address::443 TLS"
#       - "--docker.domain=example.com"
#       - "--docker.watch=true"
#       - "--docker.exposedbydefault=false"
#       - "--api=true"
#       - "--api.dashboard=true"
#     ports:
#       - target: 80
#         published: 80
#         protocol: tcp
#         mode: host
#       - target: 443
#         published: 443
#         protocol: tcp
#         mode: host
#     labels:
#       - "traefik.enable=true"
#       - "traefik.port=8080"
#       - "traefik.backend=traefik"
#       - "traefik.frontend.rule=Host:traefik.example.com"
#       - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
#     volumes:
#       - "/var/log/traefik:/var/log"
#       - "/var/run/docker.sock:/var/run/docker.sock"
#     restart: always
#

[Definition]

# Parameter "method" can be used to specifiy request method
req-method = \S+
# Usage example (for jail.local):
#   filter = traefik-auth[req-method="GET|POST|HEAD"]

failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b

ignoreregex =

# Parameter "mode": normal (default), ddos or aggressive
# Usage example (for jail.local):
#   [traefik-auth]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [traefik-auth-ddos]
#   filter = traefik-auth[mode=ddos]
#
mode = normal

# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode):
usrre-normal = (?!- )<F-USER>\S+</F-USER>
usrre-ddos = -
usrre-aggressive = <F-USER>\S+</F-USER>
Initial recommit 2 years ago			`# Fail2ban filter configuration for traefik :: auth`
			`# used to ban hosts, that were failed through traefik`
			`#`
			`# Author: CrazyMax`
			`#`
			`# To use 'traefik-auth' filter you have to configure your Traefik instance to write`
			`# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs`
			`# into a log file on host and specifiy users for Basic Authentication`
			`# https://docs.traefik.io/configuration/entrypoints/#basic-authentication`
			`#`
			`# Example:`
			`#`
			`# version: "3.2"`
			`#`
			`# services:`
			`# traefik:`
			`# image: traefik:latest`
			`# command:`
			`# - "--loglevel=INFO"`
			`# - "--accesslog=true"`
			`# - "--accessLog.filePath=/var/log/access.log"`
			`# # - "--accessLog.filters.statusCodes=400-499"`
			`# - "--defaultentrypoints=http,https"`
			`# - "--entryPoints=Name:http Address::80"`
			`# - "--entryPoints=Name:https Address::443 TLS"`
			`# - "--docker.domain=example.com"`
			`# - "--docker.watch=true"`
			`# - "--docker.exposedbydefault=false"`
			`# - "--api=true"`
			`# - "--api.dashboard=true"`
			`# ports:`
			`# - target: 80`
			`# published: 80`
			`# protocol: tcp`
			`# mode: host`
			`# - target: 443`
			`# published: 443`
			`# protocol: tcp`
			`# mode: host`
			`# labels:`
			`# - "traefik.enable=true"`
			`# - "traefik.port=8080"`
			`# - "traefik.backend=traefik"`
			`# - "traefik.frontend.rule=Host:traefik.example.com"`
			`# - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"`
			`# volumes:`
			`# - "/var/log/traefik:/var/log"`
			`# - "/var/run/docker.sock:/var/run/docker.sock"`
			`# restart: always`
			`#`

			`[Definition]`

			`# Parameter "method" can be used to specifiy request method`
			`req-method = \S+`
			`# Usage example (for jail.local):`
			`# filter = traefik-auth[req-method="GET\|POST\|HEAD"]`

			`failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b`

			`ignoreregex =`

			`# Parameter "mode": normal (default), ddos or aggressive`
			`# Usage example (for jail.local):`
			`# [traefik-auth]`
			`# mode = aggressive`
			`# # or another jail (rewrite filter parameters of jail):`
			`# [traefik-auth-ddos]`
			`# filter = traefik-auth[mode=ddos]`
			`#`
			`mode = normal`

			`# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode):`
			`usrre-normal = (?!- )<F-USER>\S+</F-USER>`
			`usrre-ddos = -`
			`usrre-aggressive = <F-USER>\S+</F-USER>`