
Fail2Ban integration

Posted: Wed Mar 30, 2016 10:29 am
by gmar_87
I've forked the latest version of Fail2Ban and added a filter and jail configuration for ZoneMinder failed web logins.
My changes can be viewed on Github and will hopefully be included in future versions of Fail2Ban.
https://github.com/fail2ban/fail2ban/co ... arz:master

Basically, add the following to /etc/fail2ban/jail.conf

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled = true
port    = http,https
filter  = zoneminder
logpath = /var/log/apache*/*error.log
maxretry = 3

And create the following file /etc/fail2ban/filter.d/zoneminder.conf

# Fail2Ban filter for Zoneminder login failures
#

[Definition]

# pattern :     [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/
#
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)


failregex = [[]client <HOST>:\d\d\d\d\d] WAR [[]Login denied for user

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.29.0
#
# Author: John Marzella

Re: Fail2Ban integration

Posted: Wed Apr 13, 2016 6:41 am
by PacoLM
Nice job! I just added to my fail2ban configuration.

Thanks!

Re: Fail2Ban integration

Posted: Sun May 01, 2016 10:37 am
by Miaou75
Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, I can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why?

What am I missing?

Thanks for your help.

Miaou

Re: Fail2Ban integration

Posted: Tue May 03, 2016 12:12 pm
by gmar_87
Miaou75 wrote:Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, I can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why?

What am I missing?

Thanks for your help.

Miaou

I've made some changes to the filter since posting this.
The old filter should work, but here is is the new regex that is less greedy.

failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] WAR \[Login denied for user "[^"]*"\]

Also, if you copied directly from github, you may need to change the following line in jail.conf

logpath = %(apache_error_log)s

to

logpath = /var/log/apache*/*error.log

If the above doesn't fix your issue, post your config and fail2ban version here and I will check.

Re: Fail2Ban integration

Posted: Fri May 20, 2016 8:21 pm
by Miaou75
Hi guys,
I purged then installed fail2ban again and I managed to make it work perfectly following your steps.
Thanks again

Re: Fail2Ban integration

Posted: Thu Feb 14, 2019 5:10 pm
by Drarox
Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have these logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you :)

Re: Fail2Ban integration

Posted: Fri Feb 15, 2019 10:23 am
by gmar_87
Drarox wrote:
Thu Feb 14, 2019 5:10 pm
Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have these logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you :)
You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)

Re: Fail2Ban integration

Posted: Fri Feb 15, 2019 5:58 pm
by Drarox
gmar_87 wrote:
Fri Feb 15, 2019 10:23 am

You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)
Thank you for your answer gmar_87 :)

I used the second solution, I just had to change the [:error\] to [php7:notice\] in the regex of my zoneminder for my case and now it's perfectly working :D

Re: Fail2Ban integration

Posted: Sat Oct 26, 2019 7:43 pm
by noise
Hi all

Does anyone have a working failregex with nginx?

The only log I found with nginx and ZoneMinder is:
/var/log/nginx/error.log

[error] 1619#1619: *3608 FastCGI sent in stderr: "PHP message: ERR [Could not retrieve user root details]" while reading response header from upstream, client: 192.118.199.165, server: 192.168.0.20, request: "POST /zm/index.php? HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.168.0.20", referrer: "http://192.168.0.20/zm/index.php?"

Re: Fail2Ban integration

Posted: Tue Apr 14, 2020 10:14 pm
by sagitt
Works with ZoneMinder 1.34.9 and Ubuntu 18.04.4.
Fail2ban version: 0.10.2-2

I edited it for the new version and added the case of a wrong user. Now it is "ERR" and not "WAR".
Of course you need to enable WARNING as explained above.

/etc/filter.d/zoneminder.conf

# Fail2Ban filter for Zoneminder login failures

[INCLUDES]
before = apache-common.conf

[Definition]

# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Could not retrieve user test details], referer: https://zoneminderurl/index.php
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.

#failregex = 
failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Could not retrieve user [^"]*\]

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.34.9
#
# Author: John Marzella
# Edited: Sagitt Cyber

/etc/fail2ban/jail.conf (make backup)

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled  = true
#port    = http,https
port     = http,https
filter   = zoneminder
#logpath = %(apache_error_log)s
logpath  = /var/log/apache2/error.log
bantime  = 24h
findtime = 10m
maxretry = 3

(Attachment: LOGGING.png)
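
A way to check the failregex offline before enabling the jail, added here as an example that is not code from this thread or from fail2ban itself: it emulates fail2ban's placeholder expansion and timestamp removal (simplified; the %(_apache_error_client)s expansion is assumed from fail2ban's apache-common.conf, which the thread does not quote) and runs gmar_87's 2016 regex and sagitt's 2020 filter over constructed log lines modelled on the patterns quoted above, including the [php7:notice] case Drarox hit and a 4-digit client port.

```python
import re

# <HOST> alias as documented in the filter comments earlier in this thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Expansion of %(_apache_error_client)s; assumed to follow fail2ban's
# apache-common.conf (the thread does not quote it).
APACHE_ERROR_CLIENT = (r"\[\]\s\[(:?error|\S+:\S+)\]"
                       r"( \[pid \d+(:tid \d+)?\])? \[client <HOST>(:\d{1,5})?\]")

# gmar_87's 2016 regex: only tolerates the "[:error]" tag before "[pid ...]".
OLD_FAILREGEX = [
    r'^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] WAR \[Login denied for user "[^"]*"\]',
]
# sagitt's 2020 filter: WAR via apache-common, plus the ERR forms under "[php7:notice]".
NEW_FAILREGEX = [
    r'^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]',
    r'^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Login denied for user "[^"]*"\]',
    r'^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Could not retrieve user [^"]*\]',
]

def compile_failregex(patterns):
    # Expand the two placeholders the way the filter loader would, then compile.
    return [re.compile(p.replace("%(_apache_error_client)s", APACHE_ERROR_CLIENT)
                        .replace("<HOST>", HOST_RE)) for p in patterns]

def strip_date(line):
    # fail2ban cuts the matched timestamp out of the line before applying
    # failregex, which is why the patterns start with "[]" (simplified here).
    return re.sub(r"^\[[^\]]*\]", "[]", line, count=1)

def find_host(compiled, line):
    # Return the client host a matching line would count against, else None.
    text = strip_date(line)
    for rx in compiled:
        m = rx.search(text)
        if m:
            return m.group("host")
    return None

# Constructed log lines modelled on the patterns quoted in this thread.
TS = "[Wed Apr 27 23:12:07.736196 2016]"
REF = ", referer: https://zoneminderurl/index.php"
LINES = {
    "war_error":  TS + ' [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"]' + REF,
    "war_notice": TS + ' [php7:notice] [pid 2460] [client 10.1.1.2:47296] WAR [Login denied for user "test"]' + REF,
    "err_denied": TS + ' [php7:notice] [pid 2460] [client 10.1.1.3:4729] ERR [Login denied for user "test"]' + REF,
    "err_lookup": TS + ' [php7:notice] [pid 2460] [client 10.1.1.4:47296] ERR [Could not retrieve user test details]' + REF,
    "benign":     TS + ' [php7:notice] [pid 2460] [client 10.1.1.5:47296] PHP Notice:  Undefined index: view' + REF,
}
```

Against real logs, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/zoneminder.conf performs the same check with fail2ban's own date handling.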

Re: Fail2Ban integration

Posted: Thu Aug 06, 2020 10:55 am
by noise
Thanks for the update... but I think changing the path to nginx is not working... Does no one have ZoneMinder with nginx and fail2ban?