I have this problem with the current Nextcloud client that it is apparently trying to access the directory. I first wrote about it on my Diaspora account, and @🛫 Brad Koehn 🛬 found the matching Apache config file. The problem I'm having is that the client, by trying to access a directory to which access is explicitly forbidden by the web server configuration, keeps locking my own IP address out, because I have fail2ban running.
My current workaround is that I simply downgraded the Nextcloud client to 2.3.3, where this issue didn't exist. Now I found that it's possible to create "ignore" filters for fail2ban, and I'm wondering if that wouldn't be a better solution. The filters, though, are written as regular expressions, and that is not something I've had much time to look into yet, and I'm not sure if that's going to change any time soon.
If I understand the filtering concept correctly, though, it should be possible to have fail2ban ignore certain errors, but I don't have the slightest idea what to make of it. Here's what the apache-auth filter file looks like (I'm going to paste a Diaspora style code section in a comment from my d* account):
# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]

prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$

# auth_type = ((?:Digest|Basic): )?
auth_type = ([A-Z]\w+: )?

failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
            ^user <F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
            ^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
            ^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
            ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (not found|denied by provider)\b
            ^%(auth_type)sinvalid nonce .* received - length is not\b
            ^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
            ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
            ^invalid qop `(?:[^']*|.*?)' received\b
            ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication;
# however Apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining the resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# Note that the URI can contain spaces.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
#
# Expressions that don't have tests and aren't common.
# More can be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
#
# Because url/referer are foreign input, a short form of the regex is used if long enough to identify the failure.
#
# Author: Cyril Jaquier
# Major edits by Daniel Black and Ben Rubson.
# Rewritten for v.0.10 by Sergey Brester (sebres).
I'm guessing that it should be possible to create a filter with and put it into the section, but I don't know how to write that regex. I've looked into the concept a while back, and didn't get very far; if somebody could help, it would be very much appreciated.