Filter and Defaults for Microsoft SQL Server
rolschewsky authored and sebres committed Apr 3, 2021
1 parent 5aa20c3 commit 9eaa232
Showing 3 changed files with 26 additions and 0 deletions.
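--- a/config/filter.d/mssql-auth.conf
+++ b/config/filter.d/mssql-auth.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failed MSSQL Server authentication attempts
+
+[Definition]
+
+failregex = Logon\s+Login failed for user ('.*')(.*)\[CLIENT: <HOST>\]$
+
+
+# DEV Notes:
+# Tested with SQL Server 2019 on Ubuntu 18.04
+#
+# Example:
+# 2020-02-24 14:48:55.12 Logon Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
+#
+# Author: Rüdiger Olschewsky
+#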
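Review bot: The `failregex` starts unanchored and wraps the user name, which the remote client chooses freely, in two greedy `.*` groups. The trailing `\[CLIENT: <HOST>\]$` still ties the banned address to the field the server appends at the end of the line, so this is a robustness concern rather than a demonstrated bypass. Assuming the timestamp is cut from the line before matching, a tighter form would be `failregex = ^\s*Logon\s+Login failed for user '.*'\.\s+Reason:.*\[CLIENT: <HOST>\]$`, which also drops the two unused capture groups. I would add a comment above it such as `# user name is client-controlled; <HOST> must stay anchored to the trailing [CLIENT: ...] field` so a later edit does not loosen the end anchor.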
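--- a/config/jail.conf
+++ b/config/jail.conf
@@ -786,6 +786,14 @@ logpath = %(mysql_log)s
 backend = %(mysql_backend)s
 
 
+[mssql-auth]
+# Default configuration for Microsoft SQL Server for Linux
+# See the 'mssql-conf' manpage how to change logpath or port
+logpath = /var/opt/mssql/log/errorlog
+port = 1433
+filter = mssql-auth
+
+
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation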
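Review bot: `logpath` in the new `[mssql-auth]` jail is a literal path, while the jail just above it in the context takes its path from a variable (`logpath = %(mysql_log)s`). If the file follows that convention throughout, a variable defined alongside the other path defaults (proposed name: `mssql_log`) would let non-default installs override the location in one place. `filter = mssql-auth` only repeats the section name, which I believe is already the default filter for a jail, so that line can probably be dropped. The preceding jail's header and the rest of jail.conf lie outside the hunk.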
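--- a/fail2ban/tests/files/logs/mssql-auth
+++ b/fail2ban/tests/files/logs/mssql-auth
@@ -0,0 +1,3 @@
+2020-02-24 16:05:21.00 Logon Login failed for user 'Backend'. Reason: Could not find a login matching the name provided. [CLIENT: 212.96.131.253]
+2020-02-24 16:30:25.88 Logon Login failed for user '===)jf02hüas9ä##22f'. Reason: Could not find a login matching the name provided. [CLIENT: 148.86.203.199]
+2020-02-24 16:31:12.20 Logon Login failed for user ''. Reason: An attempt to login using SQL authentication failed. Server is configured for Integrated authentication only. [CLIENT: 105.254.136.171]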
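Review bot: None of the three sample lines is preceded by a `# failJSON:` annotation, so if this file is consumed like fail2ban's other sample logs, nothing records which lines must match or which time and host the filter should extract. Each line should carry one, for the first sample something like `# failJSON: { "time": "2020-02-24T16:05:21", "match": true, "host": "212.96.131.253" }`. Because the user name is client-supplied, I would also add a sample whose user name contains bracketed text resembling the client field, annotated with the real trailing address as `host`. That pins the expectation that the ban target is always taken from the server-appended field.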
