From a90f6c4ae817873c2e3090a0dd24c457636b2e6e Mon Sep 17 00:00:00 2001 From: john Date: Tue, 29 Mar 2016 21:25:25 +1100 Subject: [PATCH 01/10] added zoneminder jail and filter # Conflicts: # config/jail.conf --- config/jail.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index cf652fe2..870d7f43 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -866,3 +866,14 @@ port = http,https filter = phpmyadmin-syslog logpath = %(syslog_authpriv)s backend = %(syslog_backend)s + + +[zoneminder] +# Zoneminder HTTP/HTTPS web interface auth +# Logs auth failures to apache2 error log +enabled = false +port = http,https +filter = zoneminder +logpath = /var/log/apache*/*error.log +maxretry = 3 + From 08878d22dda512b2d01d0649a1cf0e86023d9b2d Mon Sep 17 00:00:00 2001 From: john Date: Tue, 29 Mar 2016 21:31:26 +1100 Subject: [PATCH 02/10] added zoneminder.conf filter --- config/filter.d/zoneminder.conf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 config/filter.d/zoneminder.conf diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf new file mode 100644 index 00000000..00da76d9 --- /dev/null +++ b/config/filter.d/zoneminder.conf @@ -0,0 +1,23 @@ +# Fail2Ban filter for Zoneminder login failures +# + +[Definition] + +# patern : [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# +# +# Option: failregex +# Notes.: regex to match the password failure messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) + + +failregex = [[]client :\d\d\d\d\d] WAR [[]Login denied for user + +ignoreregex = + +# Notes: +# Tested on Zoneminder 1.29.0 +# +# Author: John Marzella From 44c4496e49a0a37995ba452e52f42f957c2422dc Mon Sep 17 00:00:00 2001 
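Review bot: Nothing in the new `[zoneminder]` section says what the jail depends on: the comment `# Logs auth failures to apache2 error log` is only true when ZoneMinder's web/PHP logging is set high enough for its WAR lines to reach Apache (ZoneMinder has a configurable web log level, as far as I know), and an operator who enables the jail at a lower level gets no bans and no hint why. I'd extend the header to `# Requires ZoneMinder's web log level to include warnings so "Login denied" lines reach the apache error log; verify with one failed login before enabling.` The glob `logpath = /var/log/apache*/*error.log` also opens every vhost's error log, which is harmless for this filter but worth a word so nobody narrows it to the ZoneMinder vhost and silently loses the matches.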
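Review bot: `[[]client <HOST>:\d\d\d\d\d]` pins the client port to exactly five digits, so a failed login arriving from a source port below 10000 (a four-digit ephemeral port, which some stacks hand out) does not match and never counts toward the ban. The expression is also unanchored at both ends, so any line that merely contains the fragment matches, and the comment above it still says `patern`. I'd change the line to `failregex = [[]client <HOST>:\d+] WAR [[]Login denied for user` as a minimum (this rendering appears to have dropped the `<HOST>` tag from the hunk text, so I am assuming it is present in the actual file).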
From: john Date: Tue, 29 Mar 2016 21:43:36 +1100 Subject: [PATCH 03/10] added sample log files --- fail2ban/tests/files/logs/zoneminder | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 fail2ban/tests/files/logs/zoneminder diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder new file mode 100644 index 00000000..c27a0c7b --- /dev/null +++ b/fail2ban/tests/files/logs/zoneminder @@ -0,0 +1,6 @@ +[Mon Mar 28 10:51:24.201977 2016] [:error] [pid 29646] [client 10.1.1.2:46454] INF [Login successful for user "gooduser1"] +[Mon Mar 28 16:50:45.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:46.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:47.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:48.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ From 4d8ba7b668de0e3cbf82c7986d60fc6dcfa70d90 Mon Sep 17 00:00:00 2001 From: john Date: Wed, 30 Mar 2016 15:36:48 +1100 Subject: [PATCH 04/10] fixed test log file --- fail2ban/tests/files/logs/zoneminder | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder index c27a0c7b..63d8bbd4 100644 --- a/fail2ban/tests/files/logs/zoneminder +++ b/fail2ban/tests/files/logs/zoneminder 
@@ -1,6 +1,2 @@ -[Mon Mar 28 10:51:24.201977 2016] [:error] [pid 29646] [client 10.1.1.2:46454] INF [Login successful for user "gooduser1"] -[Mon Mar 28 16:50:45.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:46.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:47.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:48.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +# failJSON { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } +[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ From 776d463e9299283318e53145eceded5256bc2703 Mon Sep 17 00:00:00 2001 From: john Date: Wed, 30 Mar 2016 15:46:37 +1100 Subject: [PATCH 05/10] added missing colon to failJSON --- fail2ban/tests/files/logs/zoneminder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder index 63d8bbd4..abd49869 100644 --- a/fail2ban/tests/files/logs/zoneminder +++ b/fail2ban/tests/files/logs/zoneminder @@ -1,2 +1,2 @@ -# failJSON { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } +# failJSON: { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ From 3d45fd2713b32c423d1f499fb5509f6be9c10a0b Mon Sep 17 00:00:00 2001 
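Review bot: Rewriting the sample down to a single annotated failure drops the only negative case, the `INF [Login successful for user "gooduser1"]` line from the previous version, so the test no longer demonstrates that the filter ignores successful logins or other INF lines that share the same `[client ...]` prefix. fail2ban's sample logs take one `# failJSON:` line per entry, and a line that must not match is annotated with `"match": false`; I'd keep the successful-login line above the failure as `# failJSON: { "match": false }` followed by the original `INF [Login successful for user "gooduser1"]` line. That guards against a later loosening of the regex over-matching, which is exactly the kind of regression a filter sample file exists to catch.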
From: john Date: Fri, 1 Apr 2016 22:16:30 +1100 Subject: [PATCH 06/10] implemented yarikoptic's suggestions in fail2ban pull request #1376 --- config/filter.d/zoneminder.conf | 4 ++-- config/jail.conf | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index 00da76d9..83b1463a 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -3,7 +3,7 @@ [Definition] -# patern : [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# pattern: [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ # # # Option: failregex @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = [[]client :\d\d\d\d\d] WAR [[]Login denied for user +failregex = ^[[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 870d7f43..83a41c51 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -873,7 +873,6 @@ backend = %(syslog_backend)s # Logs auth failures to apache2 error log enabled = false port = http,https -filter = zoneminder -logpath = /var/log/apache*/*error.log +logpath = %(apache_error_log)s maxretry = 3 From 5c3a666380d8591976b757c53a17c374d17f30dd Mon Sep 17 00:00:00 2001 From: john Date: Fri, 1 Apr 2016 22:30:41 +1100 Subject: [PATCH 07/10] fixed incomplete regex after adding anchors --- config/filter.d/zoneminder.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index 83b1463a..c804626e 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = ^[[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ +failregex = ^.*? [[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ ignoreregex = 
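Review bot: Requiring `, referer: \S*$` at the end of the new `failregex` makes the ban depend on a header the attacker controls: Apache appends the `, referer:` suffix only when the request carried a Referer (as far as I know), so a scripted brute force that sends none produces a line without it, fails the regex and is never banned. The `^` anchor added in the same line also no longer fits the format shown in the `# pattern:` comment, where the date, `[:error]` and `[pid N]` fields precede `[client`. I'd end the expression at the username and drop the referer part: `failregex = ^.*? [[]client <HOST>:\d+] WAR [[]Login denied for user \S*]` (assuming the `<HOST>` tag this rendering seems to have stripped is present in the file).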
From 7013729a1f86de4f38da5297cfb5eae2c4b4abf3 Mon Sep 17 00:00:00 2001 From: john Date: Thu, 28 Apr 2016 14:19:29 +1000 Subject: [PATCH 08/10] removed redundant options for zoneminder from jail.conf --- config/jail.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 83a41c51..29ad4c96 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -871,8 +871,6 @@ backend = %(syslog_backend)s [zoneminder] # Zoneminder HTTP/HTTPS web interface auth # Logs auth failures to apache2 error log -enabled = false port = http,https logpath = %(apache_error_log)s -maxretry = 3 From ac95449bbb9c46e879b33540885e7d77ecd01814 Mon Sep 17 00:00:00 2001 From: john Date: Sat, 30 Apr 2016 15:26:36 +1000 Subject: [PATCH 09/10] changed zoneminder regex as per Sebres and yarikoptic recommendations --- config/filter.d/zoneminder.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index c804626e..aa3b4e6d 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -3,7 +3,7 @@ [Definition] -# pattern: [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php # # # Option: failregex @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = ^.*? [[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ +failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client :\d+\] WAR \[Login denied for user "[^"]*"\] ignoreregex = From 4163f329688e89c3d551423a0e3d9be02adb9897 Mon Sep 17 00:00:00 2001 
From: sebres Date: Mon, 4 Sep 2017 11:48:01 +0200 Subject: [PATCH 10/10] small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include --- config/filter.d/zoneminder.conf | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index aa3b4e6d..cc82755a 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -1,5 +1,7 @@ # Fail2Ban filter for Zoneminder login failures -# + +[INCLUDES] +before = apache-common.conf [Definition] @@ -7,13 +9,9 @@ # # # Option: failregex -# Notes.: regex to match the password failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Notes.: regex to match the password failure messages in the logfile. - -failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client :\d+\] WAR \[Login denied for user "[^"]*"\] +failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\] ignoreregex =
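Review bot: The text between the quotes in `"[^"]*"\]` is the client-supplied username, and if ZoneMinder writes it unescaped (which the `# pattern:` example suggests but this hunk cannot confirm) a username containing a double quote, say `x"y`, produces `[Login denied for user "x"y"]`, which `"[^"]*"\]` cannot match because the `[^"]` class stops at the embedded quote — an attacker can keep guessing under such names without ever being banned. Matching the attacker-controlled field as loosely as possible avoids that: `failregex = ^%(_apache_error_client)s WAR \[Login denied for user ".*"\]`, or end the expression after `for user` altogether, since everything after it is user input. This assumes the `<HOST>` tag lives inside `_apache_error_client` from apache-common.conf, which the include on the new `before =` line brings in but whose definition is outside this patch.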