I have installed Fail2Ban and got it working with SSH, but I can't find the correct log for Zoneminder logins and Webmin logins...
Does anyone know where failed login attempts to Zoneminder via HTTP and Webmin via HTTPS are stored?
I have checked /var/log/apache2 but it doesn't seem to log there...
Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Does anyone know how to log login failures to Zoneminder?
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Here is a start. To be honest though, there is no easy way since it depends on how the authentication is handled by Zoneminder.
http://www.jquantlib.org/index.php/Prot ... _on_Debian
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
FeraTechInc wrote:
> Here is a start. To be honest though, there is no easy way since it depends on how the authentication is handled by Zoneminder.
> http://www.jquantlib.org/index.php/Prot ... _on_Debian

Thanks FeraTechInc, but I'm having trouble locating where Zoneminder logs authentication. It looks like it's not logged at all!
Do you know how authentication to Zoneminder is handled and how to activate logging for this?
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Got Webmin logins working with Fail2Ban. Add this to jail.conf:
Code:
[webmin-iptables]
enabled = true
port = webmin
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3
Still trying to get the Zoneminder login page working...
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Finally had some more time to look into this and got it working!
Failed web logins are now logged to apache error log.
I modified the userLogin function in /var/www/zm/includes/functions.php to create log entries on failures.
I created a Fail2Ban filter called zoneminder.conf
and added this to Fail2Ban's jail.conf
Now clients are blocked after 3 failed login attempts.
Code:
function userLogin( $username, $password="", $passwordHashed=false )
{
    global $user, $cookies;

    // Escape the submitted values before they are placed in the SQL lookup
    $dbUsername = dbEscape($username);
    $dbPassword = dbEscape($password);

    if ( ZM_AUTH_TYPE == "builtin" )
    {
        if ( $passwordHashed )
        {
            $sql = "select * from Users where Username = '".$dbUsername."' and Password = '".$dbPassword."' and Enabled = 1";
        }
        else
        {
            $sql = "select * from Users where Username = '".$dbUsername."' and Password = password('".$dbPassword."') and Enabled = 1";
        }
    }
    else
    {
        $sql = "select * from Users where Username = '".$dbUsername."' and Enabled = 1";
    }

    $_SESSION['username'] = $username;
    if ( ZM_AUTH_RELAY == "plain" )
    {
        // Need to save this in session
        $_SESSION['password'] = $password;
    }
    $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking

    if ( $dbUser = dbFetchOne( $sql ) )
    {
        // Matching enabled user found: login succeeded
        $_SESSION['user'] = $user = $dbUser;
        if ( ZM_AUTH_TYPE == "builtin" )
        {
            $_SESSION['passwordHash'] = $user['Password'];
        }
    }
    else
    {
        // No matching user: login failed
        unset( $user );
        //Added 05/09/2011 by John Marzella
        //Log username and password auth failure from web interface
        // (the submitted password is written to the Apache error log in clear text;
        //  Apache prefixes the line with "[client <ip>]", which the Fail2Ban filter matches)
        error_log( "Unable to authenticate ZM web user with username '$username' and password '$password'" );
    }

    if ( $cookies )
        session_write_close();
}
Code:
# Fail2Ban configuration file
#
# Author: John Marzella
#
# Created : 05/09/2011
#
#
[Definition]
# pattern : [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password '', referer: http://10.1.2.3/index.php
#           [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password 'admin', referer: http://10.1.2.3/index.php
#
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] Unable to authenticate ZM web user*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Code:
[zoneminder]
enabled = true
port = http,https
filter = zoneminder
logpath = /var/log/apache*/*error.log
maxretry = 3
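
The filter and jail posted above can be dry-run offline before they are trusted to block clients. The following is an added example, not part of the original post and not Fail2Ban's own code: it applies the posted failregex to constructed log lines and counts matches per client against maxretry. The simplified IPv4-only `<HOST>` expansion, the 600-second findtime and all function names are assumptions.

```python
import re
import warnings
from datetime import datetime, timedelta

FAILREGEX = r"[[]client <HOST>[]] Unable to authenticate ZM web user*"  # as posted
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # assumption: IPv4-only stand-in for <HOST>
MAXRETRY = 3    # from the [zoneminder] jail
FINDTIME = 600  # assumption: Fail2Ban's default window in seconds; the jail does not set it
STAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")
MSG = "Unable to authenticate ZM web user with username 'admin' and password ''"
# Constructed Apache 2.2-style error.log lines, not taken from a real system.
SAMPLE_LOG = "\n".join([
    f"[Mon Sep 05 10:00:01 2011] [error] [client 10.1.2.3] {MSG}",
    f"[Mon Sep 05 10:00:05 2011] [error] [client 10.1.2.3] {MSG}",
    f"[Mon Sep 05 10:00:09 2011] [error] [client 10.1.2.3] {MSG}",
    f"[Mon Sep 05 10:00:00 2011] [error] [client 10.9.9.9] {MSG}",
    f"[Mon Sep 05 10:10:30 2011] [error] [client 10.9.9.9] {MSG}",
    f"[Mon Sep 05 10:21:00 2011] [error] [client 10.9.9.9] {MSG}",
    f"[Mon Sep 05 10:01:00 2011] [error] [client 10.7.7.7] {MSG}",
    "[Mon Sep 05 10:01:02 2011] [error] [client 10.7.7.7] File does not exist: /var/www/favicon.ico",
])

def compile_failregex(failregex=FAILREGEX):
    with warnings.catch_warnings():  # "[[]" can emit a FutureWarning on newer Pythons
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST))

def failures(log_text):
    """Return [(timestamp, host)] for each line the filter matches."""
    pattern, found = compile_failregex(), []
    for line in log_text.splitlines():
        stamp, hit = STAMP.match(line), pattern.search(line)  # unanchored search
        if stamp and hit:
            when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")
            found.append((when, hit.group("host")))
    return found

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry matches inside one findtime window."""
    by_host, banned = {}, set()
    for when, host in sorted(failures(log_text)):
        by_host.setdefault(host, []).append(when)
    for host, times in by_host.items():
        for first, last in zip(times, times[maxretry - 1:]):
            if last - first <= timedelta(seconds=findtime):
                banned.add(host)
    return sorted(banned)
if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On a host with Fail2Ban installed, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/zoneminder.conf` runs the real filter against the real log (the filter path is Fail2Ban's standard location).
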
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
Thanks for posting this - an old post I know but a good one!
This also works a treat on Ubuntu 12.04LTS server and Zoneminder 1.25
Cheers
Gavin
Re: Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4
I've added a fail2ban filter and jail conf for Zoneminder 1.29.0.
https://github.com/fail2ban/fail2ban/co ... arz:master
viewtopic.php?f=9&t=24470