fail2ban/config/filter.d/zoneminder.conf

# Fail2Ban filter for Zoneminder login failures

[INCLUDES]
before = apache-common.conf

[Definition]

# patterns:
	# [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
	# [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
	# [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/

# Option:  failregex
# Notes.:  regex to match the login failure and non-existent user error messages in the logfile.

failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
			^%(_apache_error_client)s ERR \[Login denied for user "[^"]*"\]
			^%(_apache_error_client)s ERR \[Could not retrieve user \w* details\]

ignoreregex =

# Notes:
#	Tested on Zoneminder 1.29 and 1.35.21
#
#	Zoneminer versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
#
# Author: John Marzella
added zoneminder.conf filter 2016-03-29 10:31:26 +00:00			`# Fail2Ban filter for Zoneminder login failures`
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 09:48:01 +00:00
			`[INCLUDES]`
			`before = apache-common.conf`
added zoneminder.conf filter 2016-03-29 10:31:26 +00:00
			`[Definition]`

Updated zoneminder filter Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts 2021-03-28 10:19:10 +00:00			`# patterns:`
			`# [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/`
			`# [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/`
			`# [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/`

added zoneminder.conf filter 2016-03-29 10:31:26 +00:00			`# Option: failregex`
Updated zoneminder filter Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts 2021-03-28 10:19:10 +00:00			`# Notes.: regex to match the login failure and non-existent user error messages in the logfile.`
added zoneminder.conf filter 2016-03-29 10:31:26 +00:00
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 09:48:01 +00:00			`failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]`
Updated zoneminder filter Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts 2021-03-28 10:19:10 +00:00			`^%(_apache_error_client)s ERR \[Login denied for user "[^"]*"\]`
			`^%(_apache_error_client)s ERR \[Could not retrieve user \w* details\]`
added zoneminder.conf filter 2016-03-29 10:31:26 +00:00
			`ignoreregex =`

			`# Notes:`
Updated zoneminder filter Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts 2021-03-28 10:19:10 +00:00			`# Tested on Zoneminder 1.29 and 1.35.21`
			`#`
			`# Zoneminer versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons`
added zoneminder.conf filter 2016-03-29 10:31:26 +00:00			`#`
			`# Author: John Marzella`