Fail2Ban not working

Troubleshooting
1

Hello all

i’ve made fail2ban rule to identify incorrect password at log file.
When i’m testing by command :
fail2ban /opt/mattermost/logs/mattermost.log /etc/fail2ban/filter.d/mattermost-logfail.conf
everything works perfect, but after apply it to jail.conf:

[mattermost]
enabled = true
filter = /etc/fail2ban/filter.d/mattermost-logfail.conf
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600

After it, systemctl restart fail2ban, fail2ban-client status mattermost to check does it catch something and failed. It doesn’t count anything, but at same time, when i use again my regex test, it recognize incorrect password.

What could be wrong??

2

@paulrothrock Is the support team familiar with this?

3

I solved my problem by myself :slight_smile:

Logs type cannot be set to JSON, that was cause of my problems.

After switch logs to text and restart server, correct regex are:
For incorrect password:

failregex = .\Login failed because of invalid password.“ip_addr”: “”.

For locked account:

failregex = .\Your account is locked because of too many failed password attempts. Please reset your password.“ip_addr”: “”.

2 Likes
4

@czarek Glad to hear you got it working! I’m sure a lot of other users could benefit from using Fail2Ban with Mattermost. Do you think you could write up some more detailed instructions? I’ll be happy to help get them into the Mattermost docs.

5

Below is instruction, how to set up f2b for mattermost. When i was writing it, i discovered, that it doesn’t protect, when someone is trying to log as none existing user :frowning: but, after a while, addittion regex was ready and it’s included to this tutorial :smiley:

Before we start with fail2ban, You have to switch off JSON log type, from System Console > Log settings.
It is important to regex work properly.

To use fail2ban with mattermost, we have to install it from terminal

sudo apt install fail2ban

After it, edit your /etc/fail2ban/jail.conf file:
set your IP to ignore list in place of xxx.xxx.xxx.xxx to avoid ban yourself :slight_smile:

ignoreip = 127.0.0.1/8,xxx.xxx.xxx.xxx

At the end of file, add code:

[mattermost]
enabled = true
filter = mattermost-logfail
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600
maxretry = 5

[mattermost-passlockout]
enabled = true
filter = mattermost-passlockout
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600
maxretry = 5

You could change values above, to correct for your case. Meaning of all parameters, You could find in jail.conf comments :slight_smile:

The code above is enabling two filters:
The first [mattermost] is cheking log file, for incorrect password for existing users (after 5 tries, mattermost is locking account, but imho ban is better :smiley:) and for trying to log non existing (brute force? ), which is not normally protected via mattermost.
The second one [mattermost-passlockout] is to prevent another tries at already locked account, in same brute force case or something else.

Now we have to create two filter files:

sudo nano /etc/fail2ban/filter.d/mattermost-logfail.conf

and paste code into it and save:

[Definition]

failregex = .\Login failed because of invalid password.“ip_addr”: “”.
.\This team may require an invite from the team owner to join.“ip_addr”: “”.

ignoreregex =

and the second one:

sudo nano /etc/fail2ban/filter.d/mattermost-passlockout.conf

with code:

[Definition]

failregex = .\Your account is locked because of too many failed password attempts. Please reset your password.“ip_addr”: “”.

ignoreregex =

Now just restart your fail2ban by systemctl restart fail2ban and check does all jails are up by fail2ban-client status
You should see something like:
image

To check number of fails, use command fail2ban-client status
image

To check is everything work properly, try to log with incorrect password, but remember to do it from different than ignoreip in jail.conf :slight_smile:

2 Likes
6

Hi there,

I am trying to setup fal2ban on my mattermost deployment (using mattermost docker, team edition v6.3).
However, I do not see any logs on user log-in attempts.

I have log level set to DEBUG ( for console) and INFO for log-file, both work, but do not write access info. Are access info only available on specific versions of mattermost or I am missing some particular configs?

Resurrecting this old thread as I hope some here will have the answer.
Thanks in advance!

7

I’m having the same trouble. It seems that Mattermost doesn’t log the authentication failure any more. I checked both the Mattermost logs and the system logs but didn’t find anything. Did you ever find out where they log this information?

8

Hi ChenSun,

failed logins are being logged to the console and/or logfiles (depending on your settings in config.json) if the loglevel is set to DEBUG.
Here’s an example for one of my demo installations:

{"timestamp":"2022-10-21 10:51:22.596 +02:00","level":"debug","msg":"Enter a valid email or username and/or password.","caller":"web/context.go:113","path":"/api/v4/users/login","request_id":"hu8xfo7jetgi8b16ii9i16sdme","ip_addr":"127.0.0.1","user_id":"","method":"POST","err_where":"login","http_code":401,"error":"login: Enter a valid email or username and/or password."}

Mattermost is behind a reverse proxy here, which is why you can only see the IP 127.0.0.1 in the logline which will not help you when using fail2ban, so you would need to see the real client IP in the logs in order to be able to block bruteforce clients.

9

For reverse proxy like nginx, change in the config.json to “TrustedProxyIPHeader”: [“X-Forwarded-For”, “X-Real-Ip”],