Where is waldo.. i mean log file ... need for fail2ban

[hoolahoous]

I am trying to configure fail2ban to ban ip address if there are failed login attempts. I am not able to figure out where is that information logged..
it is not in apache log, not in syslog and there are NO logs in /var/log/zm (maybe because I have set the log level to ERR)..
what would be best way to capture the failed logins ?

[river100]

I use fail2ban on ubuntu, the log files are in /var/log. fail2ban.log, fail2ban.log.1 and so on.
if ya want to use it for apache log in fails. you need to "enable" apache in fail 2 ban.
the default setting is ssh only.
I might be wrong, but i think you need to use apache basic auth
for fail2ban to work with it. i use htaccess files in the root dir and zm dir.
that's the only way i've used it. and it works. there are several guides on the net for fail2ban.
read the guides and don't forget to EXCLUDE your IP or IP range
good luck with it, it's well worth it

[knight-of-ni]

By default zm 1.25 logs all information to the zm database and nowhere else.

To get fail2ban to monitor failed logins, you either need to create a rule that can read from the zm mysql database or reconfigure zm to log to traditional logs files.

[river100]

Ok,

now I have a question.. does anyone use fail2ban with ZM login and WITHOUT using apache "BASIC AUTH" ?

as i mentioned I've been using it for a while but always with apache basic auth via htaccess files.

i don't see a way to use fail2ban with out it.
thanks

[river100]

a search of this using only fail2ban gave me this topic

viewtopic.php?f=21&t=18098&hilit=fail2ban

[knight-of-ni]

Oh my bad.
My assumption was that zoneminder was logging failed logons but was only logging them to the database. Apparrently it only logs successful logon attempts. Seems backwards to me.

Anyway, the link you posted looks right... you need to edit the zoneminder functions.php file as described in the last post. Looks like it is just a one-line change.
This change will generate failed zonemindner logins using zoneminder's integrated authentication.

Once you do that, it will log to wherever the error_log() function writes to.
The author claims that is the apache log, but to have one process write to another process' log file doesn't sound right.

Either way, make the changes and then verify where the events are going:
apache log
zoneminder log folder
zoneminder database

If it really is the apache log file then just follow the rest of the steps in that thread. If not then post back. It will take a few additional changes.

[hoolahoous]

yes it worked.. ! it writes to apache error log..
I wish it was a setting so that I don't have to hack in the file which will get lost when I upgrade this..

[knight-of-ni]

Yeah, I know what you mean.
You could create a patch file and just remember to run it anytime you upgrade zoneminder.

In my opinion, logging failled attempts is pretty important. You may want to try and post something to the Feature Requests forums (inlucde the patch file to make it easy).
Maybe it will get incorporated into the next release.

I don't know how you installed zoneminder, but you could also try and track down the package maintainer for rpm or deb distros. They might be willing to incorporate it into a future package.

[hoolahoous]

Yeah, I know what you mean.
You could create a patch file and just remember to run it anytime you upgrade zoneminder.

In my opinion, logging failled attempts is pretty important. You may want to try and post something to the Feature Requests forums (inlucde the patch file to make it easy).
Maybe it will get incorporated into the next release.

I don't know how you installed zoneminder, but you could also try and track down the package maintainer for rpm or deb distros. They might be willing to incorporate it into a future package.

i don't have enough expertise to create the patch file, just basic vi skills. you had a good suggestion about creating the feature request.
Just created one.. http://www.zoneminder.com/forums/viewto ... =8&t=20527
BTW I installed zm using apt-get.

[river100]

yup,
i would have said just use "apache basic auth" but now that i've started to test 1.25,
it looks like EyeZM doesn't like apache auth, i could be wrong. i've only spent a
few mins on it so far.

so if you want to use fail2ban, you might want to look into the mentioned post
so that you can still use EyeZM with zoneminder.

i have very little experience with 1.25 at the time, if i find a better way i'll post it.

but, if you don't plan on using EyeZM, then i would go the "apache basic auth" route.
it's always worked great for me.