Fail2Ban integration

[gmar_87]

I've forked the latest version of Fail2Ban and added a filter and jail configuration for ZoneMinder failed web logins.
My changes can be viewed on Github and will hopefully be included in future versions of Fail2Ban.
https://github.com/fail2ban/fail2ban/co ... arz:master

Basically, add the following to /etc/fail2ban/jail.conf

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled = true
port    = http,https
filter  = zoneminder
logpath = /var/log/apache*/*error.log
maxretry = 3

And create the following file /etc/fail2ban/filter.d/zoneminder.conf

Code: Select all

# Fail2Ban filter for Zoneminder login failures
#

[Definition]

# patern :      [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/
#
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)


failregex = [[]client <HOST>:\d\d\d\d\d] WAR [[]Login denied for user

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.29.0
#
# Author: John Marzella

[PacoLM]

Nice job! I just added to my fail2ban configuration.

Thanks!

[Miaou75]

Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, i can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why ?

What am I missing ?

Thanks for you help.

Miaou

[gmar_87]

Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, i can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why ?

What am I missing ?

Thanks for you help.

Miaou

I've made some changes to the filter since posting this.
The old filter should work, but here is is the new regex that is less greedy.

Code: Select all

failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] WAR \[Login denied for user "[^"]*"\]

Also, if you copied directly from github, you may need to change the following line in jail.conf

Code: Select all

logpath = %(apache_error_log)s

to

Code: Select all

logpath = /var/log/apache*/*error.log

If the above doesn't fix your issue, post your config and fail2ban version here and will check.

[Miaou75]

Hi guys,
I purged then installed fail2ban again and I managed to make it works perfectly fallowing your steps.
Thaks again

[Drarox]

Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have theses logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you

[gmar_87]

Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have theses logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you

You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)

[Drarox]

You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)

Thank you for your answer gmar_87

I used the second solution, I just had to change the [:error\] to [php7:notice\] in the regex of my zoneminder for my case and now It's perfectly working

[noise]

Hi all

have anyone a working failregex with nginx ?

the only one log i found with nginx and zoneminder are:
/var/log/nginx/error.log

Code: Select all

[error] 1619#1619: *3608 FastCGI sent in stderr: "PHP message: ERR [Could not retrieve user root details]" while reading response header from upstream, client: 192.118.199.165, server: 192.168.0.20, request: "POST /zm/index.php? HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.168.0.20", referrer: "http://192.168.0.20/zm/index.php?"

[sagitt]

works with zoneminder 1.34.9 and ubuntu 18.04.4
Fail2ban version: 0.10.2-2

I edited it for new version and added in case of wrong user. Now is "ERR" and not "WAR"
Of course need to enable WARNING as explained up.

/etc/filter.d/zoneminder.conf

Code: Select all

# Fail2Ban filter for Zoneminder login failures

[INCLUDES]
before = apache-common.conf

[Definition]

# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Could not retrieve user test details], referer: https://zoneminderurl/index.php
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.

#failregex = 
failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Could not retrieve user [^"]*\]

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.34.9
#
# Author: John Marzella
# Edited: Sagitt Cyber

/etc/fail2ban/jail.conf (make backup)

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled  = true
#port    = http,https
port     = http,https
filter   = zoneminder
#logpath = %(apache_error_log)s
logpath  = /var/log/apache2/error.log
bantime  = 24h
findtime = 10m
maxretry = 3

LOGGING.png (44.99 KiB) Viewed 12662 times

[noise]

thanks for the update... but i think changing the path to nginx are no working... have no one a zoneminder with nginx and fail2ban ?