diff --git a/docs/security/measures.md b/docs/security/measures.md index 1866b188..2555f865 100644 --- a/docs/security/measures.md +++ b/docs/security/measures.md @@ -246,13 +246,13 @@ typically located at `/etc/fail2ban/filter.d`. # only contains a single IP address (the one from the end-user), and not the proxy chain # (it is misleading: usually, this is the purpose of this header). -# the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure +# the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt +# second line) as a failure. # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors [Definition] -failregex = ^.*Error while checking password for.*remote_ip= stack.* - ^.*Credentials are wrong for user .*remote_ip= stack.* - ^.*Wrong passcode during TOTP validation.*remote_ip= stack.* +failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?"? stack.* + ^.*Unsuccessful (TOTP|DUO|U2F) authentication attempt by user .*remote_ip="?"? stack.* ignoreregex = ^.*level=debug.* ^.*level=info.*