From 18ba714f97ed6b7ac49c15290683fb4b8eafea5f Mon Sep 17 00:00:00 2001
From: CPbN <40244829+CPbN@users.noreply.github.com>
Date: Wed, 23 Oct 2019 09:14:26 +0200
Subject: [PATCH 1/2] Add Centreon jail

---
 config/filter.d/centreon.conf | 9 +++++++++
 config/jail.conf | 3 +++
 fail2ban/tests/files/logs/centreon | 4 ++++
 3 files changed, 16 insertions(+)
 create mode 100644 config/filter.d/centreon.conf
 create mode 100644 fail2ban/tests/files/logs/centreon

diff --git a/config/filter.d/centreon.conf b/config/filter.d/centreon.conf
new file mode 100644
index 00000000..68460363
--- /dev/null
+++ b/config/filter.d/centreon.conf
@@ -0,0 +1,9 @@
+# Fail2Ban filter for Centreon Web
+# Detecting unauthorized access to the Centreon Web portal
+# typically logged in /var/log/centreon/login.log
+
+[Init]
+datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+
+[Definition]
+failregex = ^\[0-9-]*\|[0-9-]*\|\[0-9-]*|\[[^]]*\] \[\] Authentication failed for '.+' :
diff --git a/config/jail.conf b/config/jail.conf
index dcb9a7fc..71535411 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -820,6 +820,9 @@ udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+[centreon]
+logpath = /var/log/centreon/login.log
+
 # consider low maxretry and a long bantime
 # nobody except your own Nagios server should ever probe nrpe
 [nagios]
diff --git a/fail2ban/tests/files/logs/centreon b/fail2ban/tests/files/logs/centreon
new file mode 100644
index 00000000..fc6fe4fe
--- /dev/null
+++ b/fail2ban/tests/files/logs/centreon
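Review bot: The `failregex` in the new filter file has no `<HOST>` tag where the client address sits in the log line (the `\[\]` fragment between the `[WEB]`-style tag and `Authentication failed`), and fail2ban needs a `<HOST>` (or equivalent) tag in failregex to learn which address to ban, so as shown the filter would never ban anything; if the page rendering stripped a `<HOST>` tag from inside those brackets, this part does not apply. The `[Definition]` section also lacks the `ignoreregex =` line that fail2ban's other filter.d files carry; adding `ignoreregex =` after the failregex keeps this filter consistent with them and gives operators a documented place to exclude lines. The rewritten `failregex` in PATCH 2/2 keeps the same `\[\]` fragment and still adds no `ignoreregex`, so both remarks apply to that hunk as well.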
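Review bot: The new `[centreon]` jail is added without any explanatory comment, while the neighbouring `[nagios]` jail in the same hunk is introduced by two comment lines describing what it protects and how to tune it. A line such as `# Centreon Web portal: authentication failures from /var/log/centreon/login.log` above `[centreon]` would follow that convention and tell readers which service the jail covers. The same section is extended with `port = http,https` in PATCH 2/2, again with no comment, so the note belongs above the section header rather than on either value line.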
@@ -0,0 +1,4 @@
+# Access of unauthorized host in /var/log/centreon/login.log
+# failJSON: { "time": "2019-10-21T18:55:15", "match": true , "host": "50.97.225.132" }
+2019-10-21 18:55:15|-1|0|0|[WEB] [50.97.225.132] Authentication failed for 'admin' : password mismatch
+

From 9e699646f8b901973ff5c6725deca4a7d9bd97e7 Mon Sep 17 00:00:00 2001
From: CPbN <40244829+CPbN@users.noreply.github.com>
Date: Thu, 24 Oct 2019 14:37:18 +0200
Subject: [PATCH 2/2] Add Centreon jail

---
 config/filter.d/centreon.conf | 2 +-
 config/jail.conf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/centreon.conf b/config/filter.d/centreon.conf
index 68460363..fd3c8482 100644
--- a/config/filter.d/centreon.conf
+++ b/config/filter.d/centreon.conf
@@ -6,4 +6,4 @@ datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
 [Definition]
-failregex = ^\[0-9-]*\|[0-9-]*\|\[0-9-]*|\[[^]]*\] \[\] Authentication failed for '.+' :
+failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[\] Authentication failed for '[^']+'
diff --git a/config/jail.conf b/config/jail.conf
index 71535411..8027f4d0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -821,6 +821,7 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 [centreon]
+port = http,https
 logpath = /var/log/centreon/login.log
 # consider low maxretry and a long bantime
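Review bot: The sample log holds a single positive line, so the test suite can only prove that the failregex matches one `password mismatch` entry and never that it stays quiet on a successful login or on an unrelated line from the same file. A second entry with `# failJSON: { "match": false }` above a genuine success line from login.log (none is shown on this page, so it must be taken from a real log rather than invented) would catch an over-broad pattern before it bans legitimate users; a second failure line with a different reason after the colon would also document that the match is meant to be independent of the reason text. The failJSON `"match": true ,` carries a stray space before the comma, harmless to the JSON parser but worth tidying.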
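Review bot: The rewritten `failregex` is dense (`(?:\|-?\d+){3}` for three numeric fields, `\[[^\]]*\]` for a bracketed tag) and nothing in the file states what a matching line looks like, so a maintainer has to open the test log to decode it. A comment above the regex such as `# Line shape after the timestamp: |-1|0|0|[WEB] [CLIENT-IP] Authentication failed for 'user' : reason` (CLIENT-IP being a placeholder for the banned address) would tie the pattern to the log format. Whether the first bracket always holds a channel name like `[WEB]` is not established by this page, so the comment should call it a source tag rather than hard-code `WEB`.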