I am trying to configure fail2ban to ban ip address if there are failed login attempts. I am not able to figure out where is that information logged..
it is not in apache log, not in syslog and there are NO logs in /var/log/zm (maybe because I have set the log level to ERR)..
what would be best way to capture the failed logins ?
Where is waldo.. i mean log file ... need for fail2ban
-
- Posts: 10
- Joined: Wed Nov 07, 2012 3:27 am
Re: Where is waldo.. i mean log file ... need for fail2ban
I use fail2ban on ubuntu, the log files are in /var/log. fail2ban.log, fail2ban.log.1 and so on.
if ya want to use it for apache log in fails. you need to "enable" apache in fail 2 ban.
the default setting is ssh only.
I might be wrong, but i think you need to use apache basic auth
for fail2ban to work with it. i use htaccess files in the root dir and zm dir.
that's the only way i've used it. and it works. there are several guides on the net for fail2ban.
read the guides and don't forget to EXCLUDE your IP or IP range
good luck with it, it's well worth it
if ya want to use it for apache log in fails. you need to "enable" apache in fail 2 ban.
the default setting is ssh only.
I might be wrong, but i think you need to use apache basic auth
for fail2ban to work with it. i use htaccess files in the root dir and zm dir.
that's the only way i've used it. and it works. there are several guides on the net for fail2ban.
read the guides and don't forget to EXCLUDE your IP or IP range
good luck with it, it's well worth it
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Where is waldo.. i mean log file ... need for fail2ban
By default zm 1.25 logs all information to the zm database and nowhere else.
To get fail2ban to monitor failed logins, you either need to create a rule that can read from the zm mysql database or reconfigure zm to log to traditional logs files.
To get fail2ban to monitor failed logins, you either need to create a rule that can read from the zm mysql database or reconfigure zm to log to traditional logs files.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
All of these can be found at https://zoneminder.blogspot.com/
Re: Where is waldo.. i mean log file ... need for fail2ban
Ok,
now I have a question.. does anyone use fail2ban with ZM login and WITHOUT using apache "BASIC AUTH" ?
as i mentioned I've been using it for a while but always with apache basic auth via htaccess files.
i don't see a way to use fail2ban with out it.
thanks
now I have a question.. does anyone use fail2ban with ZM login and WITHOUT using apache "BASIC AUTH" ?
as i mentioned I've been using it for a while but always with apache basic auth via htaccess files.
i don't see a way to use fail2ban with out it.
thanks
Re: Where is waldo.. i mean log file ... need for fail2ban
a search of this using only fail2ban gave me this topic
viewtopic.php?f=21&t=18098&hilit=fail2ban
viewtopic.php?f=21&t=18098&hilit=fail2ban
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Where is waldo.. i mean log file ... need for fail2ban
Oh my bad.
My assumption was that zoneminder was logging failed logons but was only logging them to the database. Apparrently it only logs successful logon attempts. Seems backwards to me.
Anyway, the link you posted looks right... you need to edit the zoneminder functions.php file as described in the last post. Looks like it is just a one-line change.
This change will generate failed zonemindner logins using zoneminder's integrated authentication.
Once you do that, it will log to wherever the error_log() function writes to.
The author claims that is the apache log, but to have one process write to another process' log file doesn't sound right.
Either way, make the changes and then verify where the events are going:
apache log
zoneminder log folder
zoneminder database
If it really is the apache log file then just follow the rest of the steps in that thread. If not then post back. It will take a few additional changes.
My assumption was that zoneminder was logging failed logons but was only logging them to the database. Apparrently it only logs successful logon attempts. Seems backwards to me.
Anyway, the link you posted looks right... you need to edit the zoneminder functions.php file as described in the last post. Looks like it is just a one-line change.
This change will generate failed zonemindner logins using zoneminder's integrated authentication.
Once you do that, it will log to wherever the error_log() function writes to.
The author claims that is the apache log, but to have one process write to another process' log file doesn't sound right.
Either way, make the changes and then verify where the events are going:
apache log
zoneminder log folder
zoneminder database
If it really is the apache log file then just follow the rest of the steps in that thread. If not then post back. It will take a few additional changes.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
All of these can be found at https://zoneminder.blogspot.com/
-
- Posts: 10
- Joined: Wed Nov 07, 2012 3:27 am
Re: Where is waldo.. i mean log file ... need for fail2ban
yes it worked.. ! it writes to apache error log..
I wish it was a setting so that I don't have to hack in the file which will get lost when I upgrade this..
I wish it was a setting so that I don't have to hack in the file which will get lost when I upgrade this..
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Where is waldo.. i mean log file ... need for fail2ban
Yeah, I know what you mean.
You could create a patch file and just remember to run it anytime you upgrade zoneminder.
In my opinion, logging failled attempts is pretty important. You may want to try and post something to the Feature Requests forums (inlucde the patch file to make it easy).
Maybe it will get incorporated into the next release.
I don't know how you installed zoneminder, but you could also try and track down the package maintainer for rpm or deb distros. They might be willing to incorporate it into a future package.
You could create a patch file and just remember to run it anytime you upgrade zoneminder.
In my opinion, logging failled attempts is pretty important. You may want to try and post something to the Feature Requests forums (inlucde the patch file to make it easy).
Maybe it will get incorporated into the next release.
I don't know how you installed zoneminder, but you could also try and track down the package maintainer for rpm or deb distros. They might be willing to incorporate it into a future package.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
All of these can be found at https://zoneminder.blogspot.com/
-
- Posts: 10
- Joined: Wed Nov 07, 2012 3:27 am
Re: Where is waldo.. i mean log file ... need for fail2ban
knnniggett wrote:Yeah, I know what you mean.
You could create a patch file and just remember to run it anytime you upgrade zoneminder.
In my opinion, logging failled attempts is pretty important. You may want to try and post something to the Feature Requests forums (inlucde the patch file to make it easy).
Maybe it will get incorporated into the next release.
I don't know how you installed zoneminder, but you could also try and track down the package maintainer for rpm or deb distros. They might be willing to incorporate it into a future package.
i don't have enough expertise to create the patch file, just basic vi skills. you had a good suggestion about creating the feature request.
Just created one.. http://www.zoneminder.com/forums/viewto ... =8&t=20527
BTW I installed zm using apt-get.
Re: Where is waldo.. i mean log file ... need for fail2ban
yup,
i would have said just use "apache basic auth" but now that i've started to test 1.25,
it looks like EyeZM doesn't like apache auth, i could be wrong. i've only spent a
few mins on it so far.
so if you want to use fail2ban, you might want to look into the mentioned post
so that you can still use EyeZM with zoneminder.
i have very little experience with 1.25 at the time, if i find a better way i'll post it.
but, if you don't plan on using EyeZM, then i would go the "apache basic auth" route.
it's always worked great for me.
i would have said just use "apache basic auth" but now that i've started to test 1.25,
it looks like EyeZM doesn't like apache auth, i could be wrong. i've only spent a
few mins on it so far.
so if you want to use fail2ban, you might want to look into the mentioned post
so that you can still use EyeZM with zoneminder.
i have very little experience with 1.25 at the time, if i find a better way i'll post it.
but, if you don't plan on using EyeZM, then i would go the "apache basic auth" route.
it's always worked great for me.