Tiny Tiny RSS: Community

[SOLVED] Problem getting fail2ban to work on ttrss login

I’m having problems getting fail2ban to work on ttrss login. (Using Raspian, Apache2, php, presql, ttrss)
My /etc/fail2ban/jail.local:

[tt-rss]
enabled = true
port = http,https
filter = tt-rss
logpath = /var/log/syslog
findtime = 900
bantime = 600
maxretry = 3
banaction = iptables_allport

What do I do?

Make sure you set the log destination in TT-RSS’s config.php file.

That did not solve the problem of the jail not working

You’re new here so I’ll let you know how things work: You’re going to have to put a bit of effort in if you expect people to help you. Please don’t just so up with statements like:

Actually provide some information. Is TT-RSS logging failed attempts, what version of software are you using, is the fail2ban chain actually showing up in iptables, etc. How do you expect someone to provide assistance if you’re not providing any information?

Anyway, check out this post from the old forum and see if it helps:

https://tt-rss.org/oldforum/viewtopic.php?f=8&t=2817&p=18518&hilit=fail2ban#p18518

Sorry, perhabs I should have informed that I am a Linux noob.
Also that I did search in the forum and followed the link you mentioned exactly.

The software versions I use are:
Raspbian Stretch Lite 4.14
Apache 2.24.5-3
PHP 1:7.0+49
Postpresql 9.6.13-0
All installed are fully updated.

I am using UFW at the moment since I haven’t studied iptables enough yet to understand them. My settings are:
Allow port 22 in locally
Allow port 80 in
Allow port 443 in
Generally allowing out and deny in.

I do have a working TTRSS.
Is more information needed?

I believe UFW is just a front end for iptables so shouldnt matter

you can test if the filter itself is working with:

sudo fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/tt-rss.conf

(if your filter is named tt-rss.conf that is, might want to browse filter dir /etc/fail2ban/filter.d/)

So if your log destination in ttrss config.php is set to syslog and the filter is properly configured to

catch the fail string format in syslog you should get hits if you test login with false username

beforehand. Note filter is not jail and need to be configured separately.

I tried running the command an I get an error:
configparser. Parsingerror: Source contains parsing errors: ‘/etc/fail2ban/filter.d/tt-rss.conf’
[Line 3] ‘Failed login attempt for .* from \n’

So whats wrong with that line?

I think maybe your filter isnt configured properly. Try this thread maybe https://tt-rss.org/oldforum/viewtopic.php?t=2817 end of thread

Edit: i just saw you already tested that ,then im out of options im afraid. I still think its something with your filter though

Looks like an incorrect fail2ban config. Can you post the file contents of you tt-rss.conf?

Here’s mine. It’s simple. It works.

/etc/fail2ban/jail.local:

[ttrss]
enabled  = true
port     = http,https
filter   = ttrss
logpath  = /var/log/nginx/error.log
bantime  = 3600
findtime = 3600
maxretry = 3

/etc/fail2ban/filter.d/ttrss.conf:

[Definition]

failregex = Failed login attempt.*? from <HOST>

ignoreregex =

tt-rss/config.php:

	define('LOG_DESTINATION', '');

The .*? part does not make any sense. A question mark states that the previous character or group is optional.

Try something like this:
failregex = ^.* Failed login attempt for .* from <HOST>$

it’s a not greedy match

I finally got it working with this:

/etc/fail2ban/jail.local:

[ttrss]
enabled = true
port = http,https
filter = ttrss
logpath = /var/log/syslog
bantime = 600
findtime = 600
maxretry = 3

/etc/fail2ban/filter.d/ttrss.conf:

[Definition]

failregex = ^.* Failed login attempt for .* from < HOST>$
ignoreregex =

/var/www/html/tt-rss/config.php:

define('LOG_DESTINATION', 'syslog');

THX for your help!