Page 1 of 1
web_php.log & Fail2Ban -Solved- NEW REGEX -
Posted: Mon Jul 26, 2021 11:44 pm
by Pedulla
In 1.34, fail2ban worked by monitoring /var/log/zm/web_php.log.
In 1.36, this log does not exist.
Is this a change in ZM or a config in PHP?
From scratch install running php7.4, UB20.04 & NGINX on both...
Re: web_php.log & Fail2Ban
Posted: Tue Jul 27, 2021 1:02 am
by bbunge
/var/log/zm/web_php.log does exist.
Ubuntu 20.04, Mariadb, Apache2 & PHP 7.4
Sorry, but my NGINX ZM server was destroyed by the guy that replaced me at the warehouse. If I get a chance in the next few days I'll set up a test machine to check this out.
Re: web_php.log & Fail2Ban
Posted: Tue Jul 27, 2021 4:40 am
by Pedulla
Okay two systems, two results.
I upgraded a 1.34 server to 1.36 and web_php.log is there.
The initial system (which prompted this post) was a from scratch build and it's not there...
I'll repeat the experiment on some VM's... stand by....
Re: web_php.log & Fail2Ban
Posted: Tue Jul 27, 2021 7:04 pm
by bbunge
Just did a 20.04 LEMP from a basic mini.iso "bare" install. Used the WIKI procedure for LEMP 1.34 but used 1.36. /var/log/zm/web_php.log is there.
Suspect that using a VM could be an issue. I almost never use a VM to run Zoneminder unless it is for testing and that is very rare.
Re: web_php.log & Fail2Ban
Posted: Wed Jul 28, 2021 12:10 am
by Pedulla
!!Solution!!
Need to have LOG_LEVEL_FILE set to at least Error in Options.Logging.
This makes total sense when you think about it...
Re: web_php.log & Fail2Ban -Solved-
Posted: Wed Sep 08, 2021 11:06 pm
by Pedulla
!!Update to fail2ban regex!!
The regex for zoneminder needs to read:
Code: Select all
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)
This gets both no user AND failed password.
Must have been a change somewhere along the way.
Re: web_php.log & Fail2Ban -Solved- NEW REGEX -
Posted: Fri Sep 10, 2021 5:54 pm
by iconnor
I have included this in the ZM distro under misc/fail2ban.rules