Fail2Ban Regex

[clipo]

Since ZM 1.35+ the login auth has changed resulting in the default Zoneminder fail2ban Regex no longer working

The below is a working Regex for the jail.local file tested on ZM 1.36.19

This is taken from the below site and placed here for others to find easy.

https://github.com/fail2ban/fail2ban/issues/2643

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures from /var/log/zm/web_php.log error log
enabled = true
port    = http,https
logpath = /var/log/zm/web_php.log
# Below is the Regex filer that would normally live within the filter.d zoneminder.conf file
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

Edit : The above Regex is now taken from the ZM git misc folder.

[clipo]

Starting with 1.36.20 the above Regex will no longer work due to the DATETIME_FORMAT_PATTERN including time zone information and not following the previous pattern as used by ZM

To resolve this enter the following into the Options / System / DATETIME_FORMAT_PATTERN

yyyy/MM/dd HH:mm:ss

And then used the slightly simplified Regex below that has the datepattern removed to allow the Fail2ban built in datepatterns to work.

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures from /var/log/zm/web_php.log error log
enabled = true
port    = http,https
logpath = /var/log/zm/web_php.log
# Below is the Regex filer that would normally live within the filter.d zoneminder.conf file
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php

l

[NotSoWittyName]

Thanks for this. Just to confirm this is still working with 1.36.31.

[clipo]

Can anyone confirm that

web_php.log

is the only file that ZM writes access errors too.