@hmoffatt
Last active May 14, 2019 00:23
fail2ban filter for Keycloak
# Fail2Ban filter for Keycloak
# Detecting unauthorized access to Keycloak-protected services
# typically logged in /opt/keycloak-x.y.z/standalone/log/server.log
#
# Installation instructions:
# 1. Copy this file to /etc/fail2ban/filter.d/keycloak.conf
# 2. Enable by adding to jail.local:
# [keycloak]
# enabled = true
# logpath = /opt/keycloak-5.0.0/standalone/log/server.log
[INCLUDES]
# Read syslog common prefixes
before = common.conf
[Definition]
# Sample log lines:
# 2019-05-14 00:01:21,713 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=my realm, clientId=some_client, userId=null, ipAddress=169.197.108.30, error=invalid_redirect_uri, redirect_uri=https://103.236.162.153/_redirect_uri
# 2019-05-14 10:16:48,197 WARN [org.keycloak.events] (default task-14) type=LOGIN_ERROR, realmId=my realm, clientId=some_client, userId=null, ipAddress=2403:::::503, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://my.company.com/_redirect_uri, code_id=07c2e837-cc0f-4f35-9f27-aed06be16e48, username=joe
_daemon = keycloak
failregex = ^.*type=LOGIN_ERROR,.*ipAddress=<HOST>.*$
ignoreregex =
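
The filter's matching and the jail's ban decision, as an added example that is not part of the original gist: it runs the failregex above over constructed log lines in the format of the sample lines. The `<HOST>` stand-in pattern, the documentation-range addresses and the `maxretry`/`findtime` values are assumptions, and the window check only approximates fail2ban's own counting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from the filter above; fail2ban itself expands <HOST>.
FAILREGEX = r"^.*type=LOGIN_ERROR,.*ipAddress=<HOST>.*$"
# Assumption: simplified stand-in for <HOST> (IPv4 or IPv6 literal only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{2,39})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed events (timestamp, event type, address), rendered in the sample-line format.
_FMT = ("{ts} WARN [org.keycloak.events] (default task-9) type={kind}, realmId=my realm, "
        "clientId=some_client, userId=null, ipAddress={ip}, error=user_not_found, username=joe")
EVENTS = [
    ("2019-05-14 00:01:21,713", "LOGIN_ERROR", "203.0.113.7"),
    ("2019-05-14 00:01:40,002", "LOGIN_ERROR", "203.0.113.7"),
    ("2019-05-14 00:02:05,118", "LOGIN_ERROR", "203.0.113.7"),
    ("2019-05-14 00:03:00,000", "LOGIN", "192.0.2.44"),           # not a failure
    ("2019-05-14 10:16:48,197", "LOGIN_ERROR", "2001:db8::503"),
    ("2019-05-14 10:17:02,450", "LOGIN_ERROR", "2001:db8::503"),
    ("2019-05-14 11:00:00,000", "LOGIN_ERROR", "198.51.100.9"),   # slow: spread over 20 min
    ("2019-05-14 11:08:00,000", "LOGIN_ERROR", "198.51.100.9"),
    ("2019-05-14 11:20:00,000", "LOGIN_ERROR", "198.51.100.9"),
]
SAMPLE_LOG = "\n".join(_FMT.format(ts=t, kind=k, ip=ip) for t, k, ip in EVENTS)

def failures(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures within findtime seconds (sample values)."""
    by_host = defaultdict(list)
    for ts, host in failures(log_text):
        by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        pairs = zip(times, times[maxretry - 1:])  # first and last of each run of maxretry
        if any(last - first <= window for first, last in pairs):
            banned.add(host)
    return sorted(banned)
```

To check the real filter against a live log, fail2ban ships `fail2ban-regex`, which takes the log path and the filter file as arguments.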