From f0119b5c754f46be7814dca04d73a7710a720689 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Thu, 2 Dec 2021 17:09:47 +1100 Subject: [PATCH] docs: update fail2ban example (#2661) Updates the fail2ban examples to align with new messages. Fixes #2649. --- docs/security/measures.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/security/measures.md b/docs/security/measures.md index 1866b188..2555f865 100644 --- a/docs/security/measures.md +++ b/docs/security/measures.md @@ -246,13 +246,13 @@ typically located at `/etc/fail2ban/filter.d`. # only contains a single IP address (the one from the end-user), and not the proxy chain # (it is misleading: usually, this is the purpose of this header). -# the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure +# the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt +# second line) as a failure. # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors [Definition] -failregex = ^.*Error while checking password for.*remote_ip= stack.* - ^.*Credentials are wrong for user .*remote_ip= stack.* - ^.*Wrong passcode during TOTP validation.*remote_ip= stack.* +failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?"? stack.* + ^.*Unsuccessful (TOTP|DUO|U2F) authentication attempt by user .*remote_ip="?"? stack.* ignoreregex = ^.*level=debug.* ^.*level=info.*
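Review bot: the second new failregex line hardcodes the second-factor methods as `(TOTP|DUO|U2F)`, so a failed attempt logged under any other method name would not be counted and nothing in the filter would show the gap. Either say in the comment block that this alternation must be kept in sync with the methods the server logs, or, if the message format allows it, match the method name generically, for example `Unsuccessful \S+ authentication attempt by user`, though that would also make the separate 1FA line redundant. In the added comment, `# second line) as a failure.` closes a parenthesis that is never opened; it should read `(second line) as a failure.` to mirror `(first line, ...)` on the line above. Finally, as the patch is rendered here, nothing sits between the optional quotes in `remote_ip="?"? stack.*`; fail2ban needs a host capture such as `<HOST>` in every failregex line, so please confirm the committed file has it between the two `"?` tokens on both lines.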