Fail2Ban Regex

Discussions related to the 1.36.x series of ZoneMinder
clipo
Posts: 101
Joined: Sat Sep 06, 2008 9:55 am
Location: Manchester, UK

Fail2Ban Regex

Post by clipo »

Since ZM 1.35+ the login auth has changed, resulting in the default ZoneMinder fail2ban Regex no longer working.

The below is a working Regex for the jail.local file, tested on ZM 1.36.19.

This is taken from the below site and placed here for others to find easily.

https://github.com/fail2ban/fail2ban/issues/2643

Code:

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures from /var/log/zm/web_php.log error log
enabled = true
port    = http,https
logpath = /var/log/zm/web_php.log
# Below is the Regex filter that would normally live within the filter.d zoneminder.conf file
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

Edit: The above Regex is now taken from the ZM git misc folder.
Last edited by clipo on Sun Jul 17, 2022 4:32 pm, edited 1 time in total.
clipo
Posts: 101
Joined: Sat Sep 06, 2008 9:55 am
Location: Manchester, UK

Re: Fail2Ban Regex

Post by clipo »

Starting with 1.36.20 the above Regex will no longer work due to the DATETIME_FORMAT_PATTERN including time zone information and not following the previous pattern as used by ZM.

To resolve this, enter the following into Options / System / DATETIME_FORMAT_PATTERN:

yyyy/MM/dd HH:mm:ss

And then use the slightly simplified Regex below, which has the datepattern removed to allow the Fail2ban built-in datepatterns to work.

Code:

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures from /var/log/zm/web_php.log error log
enabled = true
port    = http,https
logpath = /var/log/zm/web_php.log
# Below is the Regex filter that would normally live within the filter.d zoneminder.conf file
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php
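The matching that both jails above rely on, as an added example that is not part of the original posts: a Python emulation of how fail2ban cuts the timestamp off a line and then applies the failregex to the remainder. The log lines are constructed, and `HOST` and `DATE_LAYOUTS` are simplified stand-ins (assumptions) for fail2ban's own `<HOST>` tag and date detection.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: bare IPv4/IPv6 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"

# failregex copied from the jail above, with <HOST> expanded.
FAILREGEX = re.compile(
    r"^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php".replace("<HOST>", HOST)
)

# Hand-written equivalents of the two timestamp layouts in the thread:
# the explicit datepattern, and the yyyy/MM/dd HH:mm:ss setting.
DATE_LAYOUTS = {
    "mm/dd/yy + fraction": re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)"),
    "yyyy/MM/dd HH:mm:ss": re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d"),
}

# Constructed sample lines; message text and addresses are illustrative only.
SAMPLE_LOG = [
    "07/17/22 16:32:01.123456 web_php[1234].ERR [203.0.113.7] [login failed] at includes/auth.php line 1",
    "2023/01/05 09:10:11 web_php[2201].ERR [198.51.100.23] [login failed] at includes/auth.php line 1",
    "2023/01/05 09:10:15 web_php[2201].ERR [198.51.100.23] [not found] at includes/Monitor.php line 1",
    "2023/01/05 09:11:02 web_php[2203].INF [192.0.2.44] [login ok] at includes/auth.php line 1",
]

def failed_hosts(lines):
    """Return [(host, date layout)] for each line that counts as an auth failure."""
    hits = []
    for line in lines:
        for layout, date_re in DATE_LAYOUTS.items():
            stamp = date_re.match(line)
            if not stamp:
                continue
            # The timestamp is removed before the failregex runs, which is
            # why the failregex starts at "web_php[...]" and not at the date.
            hit = FAILREGEX.search(line[stamp.end():])
            if hit:
                hits.append((hit.group("host"), layout))
            break
    return hits

if __name__ == "__main__":
    for host, layout in failed_hosts(SAMPLE_LOG):
        print(f"would count a failure for {host} ({layout})")
```

On a host with fail2ban installed, `fail2ban-regex` run against /var/log/zm/web_php.log with the same failregex reports the real match counts.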
NotSoWittyName
Posts: 22
Joined: Sun Nov 13, 2022 5:45 pm

Re: Fail2Ban Regex

Post by NotSoWittyName »

Thanks for this. Just to confirm this is still working with 1.36.31.
clipo
Posts: 101
Joined: Sat Sep 06, 2008 9:55 am
Location: Manchester, UK

Re: Fail2Ban Regex

Post by clipo »

Can anyone confirm that web_php.log is the only file that ZM writes access errors to?