Fail2Ban on Ubuntu 11.04 + Zoneminder 1.24.4

Forum for questions and support relating to the 1.24.x releases only.
gmar_87
Posts: 72
Joined: Sat Aug 13, 2011 11:38 pm
Location: Melbourne, Australia

Post by gmar_87 »

I have installed Fail2Ban and got it working with SSH, but I can't find the correct log for Zoneminder logins and Webmin logins...
Does anyone know where failed login attempts to Zoneminder via HTTP and Webmin via HTTPS are stored?
I have checked /var/log/apache2 but it doesn't seem to log there...

Post by gmar_87 »

Does anyone know how to log login failures to Zoneminder?
FeraTechInc
Posts: 17
Joined: Mon Aug 15, 2011 4:27 pm

Post by FeraTechInc »

Here is a start. To be honest though there is no easy way since it depends on how the authentication is handled by Zoneminder.

http://www.jquantlib.org/index.php/Prot ... _on_Debian

Post by gmar_87 »

FeraTechInc wrote: Here is a start. To be honest though there is no easy way since it depends on how the authentication is handled by Zoneminder.

http://www.jquantlib.org/index.php/Prot ... _on_Debian

Thanks FeraTechInc, but I'm having trouble locating where Zoneminder logs authentication. It looks like it's not logged at all!

Do you know how authentication to Zoneminder is handled and how to activate logging for this?

Post by gmar_87 »

Got Webmin logins working with Fail2Ban. Add this to jail.conf

Code:

[webmin-iptables]

enabled = true
port = webmin
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3

Still trying to get Zoneminder login page working...

Post by gmar_87 »

Finally had some more time to look into this and got it working! :)
Failed web logins are now logged to apache error log.
I modified the userLogin function in /var/www/zm/includes/functions.php to create log entries on failures.

Code:

function userLogin( $username, $password="", $passwordHashed=false )
{
    global $user, $cookies;

    $dbUsername = dbEscape($username);
    $dbPassword = dbEscape($password);

    if ( ZM_AUTH_TYPE == "builtin" )
    {
        if ( $passwordHashed )
        {
            $sql = "select * from Users where Username = '".$dbUsername."' and Password = '".$dbPassword."' and Enabled = 1";
        }
        else
        {
            $sql = "select * from Users where Username = '".$dbUsername."' and Password = password('".$dbPassword."') and Enabled = 1";
        }
    }
    else
    {
        $sql = "select * from Users where Username = '".$dbUsername."' and Enabled = 1";
    }
    $_SESSION['username'] = $username;
    if ( ZM_AUTH_RELAY == "plain" )
    {
        // Need to save this in session
        $_SESSION['password'] = $password;
    }
    $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
    if ( $dbUser = dbFetchOne( $sql ) )
    {
        $_SESSION['user'] = $user = $dbUser;
        if ( ZM_AUTH_TYPE == "builtin" )
        {
            $_SESSION['passwordHash'] = $user['Password'];
        }
    }
    else
    {
        unset( $user );
        //Added 05/09/2011 by John Marzella
        //Log username and password auth failure from web interface
        error_log( "Unable to authenticate ZM web user with username '$username' and password '$password'" );
    }
    if ( $cookies )
        session_write_close();
}

I created a Fail2Ban filter called zoneminder.conf

Code:

# Fail2Ban configuration file
#
# Author: John Marzella
#
# Created : 05/09/2011
#
#


[Definition]

# pattern :     [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password '', referer: http://10.1.2.3/index.php
#               [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password 'admin', referer: http://10.1.2.3/index.php
#
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] Unable to authenticate ZM web user*


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and added this to Fail2Ban's jail.conf

Code:

[zoneminder]

enabled = true
port    = http,https
filter  = zoneminder
logpath = /var/log/apache*/*error.log
maxretry = 3

Now clients are blocked after 3 failed login attempts.
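
Added example, not part of gmar_87's post and not Fail2Ban's own code: a small Python model of what the filter and jail above do. It expands <HOST> with the alias quoted in the filter's comments, searches Apache error-log lines with the posted failregex, and lists the clients that reach maxretry. The log lines are constructed, the function names are hypothetical, and Fail2Ban's findtime window is ignored (every line in the sample is counted).

```python
import re
import warnings
from collections import Counter

# <HOST> alias as quoted in the filter's comments; failregex and maxretry as posted.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = r"[[]client <HOST>[]] Unable to authenticate ZM web user*"
MAXRETRY = 3

# Constructed Apache error.log lines (not real log data).
SAMPLE_LOG = """\
[Mon Sep 05 21:14:02 2011] [error] [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password '', referer: http://10.1.2.3/index.php
[Mon Sep 05 21:14:05 2011] [error] [client 10.1.2.3] Unable to authenticate ZM web user with username 'admin' and password 'admin', referer: http://10.1.2.3/index.php
[Mon Sep 05 21:14:09 2011] [error] [client 192.0.2.7] Unable to authenticate ZM web user with username 'guest' and password 'x', referer: http://10.1.2.3/index.php
[Mon Sep 05 21:14:11 2011] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
[Mon Sep 05 21:14:15 2011] [error] [client 10.1.2.3] Unable to authenticate ZM web user with username 'root' and password 'x', referer: http://10.1.2.3/index.php
[Mon Sep 05 21:14:20 2011] [error] [client 192.0.2.7] Unable to authenticate ZM web user with username 'guest' and password 'y', referer: http://10.1.2.3/index.php
"""


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> and compile the pattern for an unanchored search."""
    with warnings.catch_warnings():
        # '[[]' (a literal '[') makes Python's re emit a FutureWarning.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def count_failures(log_text, pattern=None):
    """Return a Counter of matching failed-login lines per client address."""
    pattern = pattern or compile_failregex()
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Clients whose failure count has reached maxretry."""
    counts = count_failures(log_text)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)), hosts_to_ban(SAMPLE_LOG))
```

The failregex stops matching at "ZM web user", so the ban decision does not depend on the username or password text that follows in the log line. On a live system, fail2ban-regex run with the error log and the zoneminder.conf filter as arguments performs the same match against the real log.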
gavinp
Posts: 2
Joined: Sun Jul 28, 2013 4:27 pm

Post by gavinp »

Thanks for posting this - an old post I know but a good one!

This also works a treat on Ubuntu 12.04LTS server and Zoneminder 1.25

Cheers

Gavin

Post by gmar_87 »

I've added a fail2ban filter and jail conf for Zoneminder 1.29.0.

https://github.com/fail2ban/fail2ban/co ... arz:master

viewtopic.php?f=9&t=24470