Failed Access Logging - Fail2Ban Filter Example #2001

Closed
opened 2026-02-05 02:26:20 +03:00 by OVERLORD · 5 comments

Originally created by @cyb3rl4d on GitHub (Jan 3, 2021).

Hi,

I've followed the guidance on Failed Access Logging and now I have failed login attempts being reported into the error log, thank you! I'm having some significant issues though trying to get Fail2Ban to detect the failures. I think I may need to create a custom filter, which I have no clue how to do.

Therefore could I request some help or point me to some documentation to help with setting up the required regex/config to get it working. I would be very happy to ensure the BookStack docs are updated to help others.

Thanks in advance!

Please see below a snip from my error.log, if that helps:

```
2021/01/02 19:56:38 [error] 390#390: *22 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, reques>
2021/01/02 19:59:52 [error] 390#390: *25 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, reques>
2021/01/02 21:26:32 [error] 390#390: *28 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, reques>
```

@ssddanbrown commented on GitHub (Jan 3, 2021):

Hi @cyb3rl4d,

I'm not 100% sure what I'm doing with fail2ban, hence the limited guidance I've provided in the docs, but the following may work.
I modelled these steps on the fail2ban installation on my Ubuntu 20.10 desktop system.

Create a `/etc/fail2ban/filter.d/bookstack.conf` file with the following:

```ini
[Definition]
failregex = PHP message: Failed login from .*? client: <HOST>
```

Within your `/etc/fail2ban/jail.local` file (or similar) add bookstack as a service using the filter like so:

```ini
[bookstack]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
filter = bookstack
```

If using apache, you'll need to change `nginx` for `apache` above.

Then restart fail2ban (`systemctl restart fail2ban`).
When you run `fail2ban-client status` you should then have a `bookstack` item in the output.
Then you can run `fail2ban-client status bookstack` to see the stats for the bookstack jail. It is a good idea to do a couple of remote requests (from a phone on a mobile network is often easiest) to ensure the stats increase shortly after failed logins.

I've always found fail2ban config a bit confusing so apologies if the above does not work for you, hopefully it can at least guide you down a path to get things working.

@cyb3rl4d commented on GitHub (Jan 3, 2021):

Hi Dan,

Thanks so much for the detailed and quick response!! With your guidance I got it working!!! Thank you!!!
I was trying all kinds of complex regexes (trying to follow the docs on the fail2ban-regex test app, wow that's complicated!).

Anyway, it didn't work initially until I spotted the "Failed login **from**" bit; in mine it's "for" not "from", so by making that very small change it worked!!! Thanks so much!!!

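As an added example (not from the thread or from BookStack's own code), the following Python script applies Dan's filter with the "from" to "for" correction from the follow-up to constructed nginx error-log lines, then applies a minimal maxretry/findtime check the way a fail2ban jail would. The simplified `<HOST>` pattern, the `parse_failures`/`hosts_to_ban` helpers and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Assumption: a simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the
# real tag also matches IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The filter from the thread, with "from" corrected to "for" so it matches the
# "PHP message: Failed login for ..." text BookStack writes to the error log.
FAILREGEX = re.compile(r"PHP message: Failed login for .*? client: " + HOST_RE)
# nginx error-log timestamp at the start of each line.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample: three failures from one client within a few minutes, an
# unrelated nginx error, and a single failure from a second client.
SAMPLE_LOG = """\
2021/01/02 19:56:38 [error] 390#390: *22 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, request: "POST /login HTTP/1.1"
2021/01/02 19:57:10 [error] 390#390: *23 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, request: "POST /login HTTP/1.1"
2021/01/02 19:58:01 [error] 390#390: *24 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.7, server: _, request: "GET /favicon.ico HTTP/1.1"
2021/01/02 19:59:52 [error] 390#390: *25 FastCGI sent in stderr: "PHP message: Failed login for email@domain.com" while reading response header from upstream, client: 80.70.60.50, server: _, request: "POST /login HTTP/1.1"
2021/01/02 21:26:32 [error] 390#390: *28 FastCGI sent in stderr: "PHP message: Failed login for other@domain.com" while reading response header from upstream, client: 192.0.2.7, server: _, request: "POST /login HTTP/1.1"
""".splitlines()


def parse_failures(lines):
    """Return (timestamp, host) for every line the filter matches; these are
    the lines fail2ban-regex would report as matched."""
    hits = []
    for line in lines:
        m = FAILREGEX.search(line)
        ts = TS_RE.match(line)
        if not m or not ts:
            continue  # not a failed login, or no usable timestamp
        when = datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S")
        hits.append((when, m.group("host")))
    return hits


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Apply the jail rule: a host is banned once it reaches maxretry matches
    inside a sliding findtime-second window, as fail2ban's counter does."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = set()
    for when, host in parse_failures(lines):
        kept = [t for t in recent.get(host, []) if when - t <= window]
        kept.append(when)
        recent[host] = kept
        if len(kept) >= maxretry:
            banned.add(host)
    return sorted(banned)
```

Running `hosts_to_ban(SAMPLE_LOG, maxretry=3)` returns `['80.70.60.50']`; switching `FAILREGEX` back to the original "from" wording makes every line fall through, which is exactly the silent failure the thread hit.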
@ssddanbrown commented on GitHub (Jan 3, 2021):

@cyb3rl4d Awesome, Glad to hear that worked for you!

@horstepipe commented on GitHub (Nov 13, 2021):

Hello,
Could anybody tell me how to edit the nginx or PHP error_log to show real IPs instead of Cloudflare's in the log?

@ssddanbrown commented on GitHub (Nov 13, 2021):

@horstepipe These may help:

https://danielmiessler.com/blog/getting-real-ip-addresses-using-cloudflare-nginx-and-varnish/
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Reference: starred/BookStack#2001