Fail2Ban integration

If you've made a patch to quick fix a bug or to add a new feature not yet in the main tree then post it here so others can try it out.
Post Reply
gmar_87
Posts: 72
Joined: Sat Aug 13, 2011 11:38 pm
Location: Melbourne, Australia

Fail2Ban integration

Post by gmar_87 »

I've forked the latest version of Fail2Ban and added a filter and jail configuration for ZoneMinder failed web logins.
My changes can be viewed on Github and will hopefully be included in future versions of Fail2Ban.
https://github.com/fail2ban/fail2ban/co ... arz:master

Basically, add the following to /etc/fail2ban/jail.conf

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled = true
port    = http,https
filter  = zoneminder
logpath = /var/log/apache*/*error.log
maxretry = 3
And create the following file /etc/fail2ban/filter.d/zoneminder.conf

Code: Select all

# Fail2Ban filter for Zoneminder login failures
#

[Definition]

# patern :      [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/
#
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)


failregex = [[]client <HOST>:\d\d\d\d\d] WAR [[]Login denied for user

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.29.0
#
# Author: John Marzella
PacoLM
Posts: 971
Joined: Wed Dec 02, 2009 9:55 pm
Location: Spain

Re: Fail2Ban integration

Post by PacoLM »

Nice job! I just added to my fail2ban configuration.

Thanks!

After more than 15 years, no longer using ZM as surveillance system.
Now in the dark side, using a commercial system...
Miaou75
Posts: 2
Joined: Sun May 01, 2016 10:09 am

Re: Fail2Ban integration

Post by Miaou75 »

Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, i can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why ?

What am I missing ?

Thanks for you help.

Miaou
gmar_87
Posts: 72
Joined: Sat Aug 13, 2011 11:38 pm
Location: Melbourne, Australia

Re: Fail2Ban integration

Post by gmar_87 »

Miaou75 wrote:Hi guys,

I got fail2ban working fine with sshd, but not with zoneminder.
I used your updated conf files on your github, enabled it, i can see the "login denied" on the apache2 error.log file but it does nothing.
When I try "fail2ban-client status zoneminder" I have 0 failed, why ?

What am I missing ?

Thanks for you help.

Miaou

I've made some changes to the filter since posting this.
The old filter should work, but here is is the new regex that is less greedy.

Code: Select all

failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] WAR \[Login denied for user "[^"]*"\]
Also, if you copied directly from github, you may need to change the following line in jail.conf

Code: Select all

logpath = %(apache_error_log)s
to

Code: Select all

logpath = /var/log/apache*/*error.log
If the above doesn't fix your issue, post your config and fail2ban version here and will check.
Miaou75
Posts: 2
Joined: Sun May 01, 2016 10:09 am

Re: Fail2Ban integration

Post by Miaou75 »

Hi guys,
I purged then installed fail2ban again and I managed to make it works perfectly fallowing your steps.
Thaks again
Drarox
Posts: 2
Joined: Thu Feb 14, 2019 5:00 pm

Re: Fail2Ban integration

Post by Drarox »

Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have theses logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you :)
gmar_87
Posts: 72
Joined: Sat Aug 13, 2011 11:38 pm
Location: Melbourne, Australia

Re: Fail2Ban integration

Post by gmar_87 »

Drarox wrote: Thu Feb 14, 2019 5:10 pm Hi Guys,

Thank you for your code gmar_87.
I just added it to my fail2ban configuration but I don't get the failed login errors in my apache log (/var/log/apache*/*error.log) so it's not working.
Can someone tell me how to have theses logs in my apache log please? Is there an option in the configuration of zm to do it or do I have to add a function manually to my zm?

Thank you :)
You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)
Drarox
Posts: 2
Joined: Thu Feb 14, 2019 5:00 pm

Re: Fail2Ban integration

Post by Drarox »

gmar_87 wrote: Fri Feb 15, 2019 10:23 am
You either need to:
1. Change the zoneminder log location in fail2ban's jail conf for zoneminder to your OS syslog
2. Enable web logging for warning level logs (Zoneminder web interface > Options > Logging > LOG_LEVEL_WEBLOG > Warning)
Thank you for your answer gmar_87 :)

I used the second solution, I just had to change the [:error\] to [php7:notice\] in the regex of my zoneminder for my case and now It's perfectly working :D
noise
Posts: 3
Joined: Sun Apr 09, 2017 5:44 pm

Re: Fail2Ban integration

Post by noise »

Hi all

have anyone a working failregex with nginx ?

the only one log i found with nginx and zoneminder are:
/var/log/nginx/error.log

Code: Select all

[error] 1619#1619: *3608 FastCGI sent in stderr: "PHP message: ERR [Could not retrieve user root details]" while reading response header from upstream, client: 192.118.199.165, server: 192.168.0.20, request: "POST /zm/index.php? HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.168.0.20", referrer: "http://192.168.0.20/zm/index.php?"
sagitt
Posts: 39
Joined: Mon Apr 30, 2012 1:13 pm

Re: Fail2Ban integration

Post by sagitt »

works with zoneminder 1.34.9 and ubuntu 18.04.4
Fail2ban version: 0.10.2-2

I edited it for new version and added in case of wrong user. Now is "ERR" and not "WAR"
Of course need to enable WARNING as explained up.

/etc/filter.d/zoneminder.conf

Code: Select all

# Fail2Ban filter for Zoneminder login failures

[INCLUDES]
before = apache-common.conf

[Definition]

# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Login denied for user "test"], referer: https://zoneminderurl/index.php
# pattern: [Wed Apr 27 23:12:07.736196 2016] [php7:notice] [pid 2460] [client 10.1.1.1:47296] ERR [Could not retrieve user test details], referer: https://zoneminderurl/index.php
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.

#failregex = 
failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Login denied for user "[^"]*"\]
            ^\[\](?: \[php7:notice\])?(?: \[pid \d+\])? \[client <HOST>:\d+\] ERR \[Could not retrieve user [^"]*\]

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.34.9
#
# Author: John Marzella
# Edited: Sagitt Cyber

/etc/fail2ban/jail.conf (make backup)

Code: Select all

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled  = true
#port    = http,https
port     = http,https
filter   = zoneminder
#logpath = %(apache_error_log)s
logpath  = /var/log/apache2/error.log
bantime  = 24h
findtime = 10m
maxretry = 3
LOGGING.png
LOGGING.png (44.99 KiB) Viewed 11266 times
noise
Posts: 3
Joined: Sun Apr 09, 2017 5:44 pm

Re: Fail2Ban integration

Post by noise »

thanks for the update... but i think changing the path to nginx are no working... have no one a zoneminder with nginx and fail2ban ?
Post Reply