# Fail2Ban filter for Zoneminder login failures [INCLUDES] before = apache-common.conf [Definition] # patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ # [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/ # [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/ # # Option: failregex # Notes.: regex to match the login failure and non-existent user error messages in the logfile. failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\] ^%(_apache_error_client)s ERR \[Login denied for user "[^"]*"\] ^%(_apache_error_client)s ERR \[Could not retrieve user \w* details\] ignoreregex = # Notes: # Tested on Zoneminder 1.29 and 1.35.21 # # Zoneminder versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons # # Author: John Marzella