From 7663a68a2be7fa33bddac62da1a6a791376c29ee Mon Sep 17 00:00:00 2001 From: Ohelig Date: Thu, 22 Dec 2022 14:39:41 -0600 Subject: [PATCH] docs: add password regulation fail2ban docs (#4630) Adds lines to fail2ban regex to catch password reset attempts and email spam. --- docs/content/en/overview/security/measures.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/content/en/overview/security/measures.md b/docs/content/en/overview/security/measures.md index 5c7067b8a..d94b5c7fe 100644 --- a/docs/content/en/overview/security/measures.md +++ b/docs/content/en/overview/security/measures.md @@ -346,14 +346,17 @@ typically located at `/etc/fail2ban/filter.d`. # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt # second line) as a failure. -# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors +# the ignoreregex rule ignores info and warning messages as all authentication failures are flagged as errors +# the third line catches incorrect usernames entered at the password reset form +# the fourth line catches attempts to spam via the password reset form or 2fa device reset form. This requires debug logging to be enabled [Definition] failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?"? stack.* ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?"? stack.* + ^.*user not found.*path=/api/reset-password/identity/start remote_ip="?"? stack.* + ^.*Sending an email to user.*path=/api/.*/start remote_ip="?"? -ignoreregex = ^.*level=debug.* - ^.*level=info.* +ignoreregex = ^.*level=info.* ^.*level=warning.* ```
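
Review bot: The fourth failregex line, `^.*Sending an email to user.*path=/api/.*/start remote_ip="?"?`, is looser than the three lines above it: it has no trailing ` stack.*`, and it uses a `/api/.*/start` wildcard where the third line names the full path. Its comment says it needs debug logging, and the same hunk drops `^.*level=debug.*` from ignoreregex, so every debug line is now tested against all four patterns. I would spell out the two endpoints the comment names (password reset and 2FA device reset) and end the line the same way as the others. The pattern also matches every reset email that is sent, not only abusive ones. The comment should say so, so that operators pick maxretry with legitimate resets in mind. Last, the two new comment lines sit after the ignoreregex comment; moving them up beside the descriptions of the first and second lines would keep the failregex notes together.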