diff --git a/misc/fail2ban.rules b/misc/fail2ban.rules index c1d5115fd..d2b4b3915 100644 --- a/misc/fail2ban.rules +++ b/misc/fail2ban.rules @@ -1,2 +1,63 @@ -failregex = ^\s*web_php\[\d+\]\.ERR \[\].*includes/auth.php -datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f) +####### Update / Add the below to the /fail2ban/jail.local ######## + +#[zoneminder] +## Commented out as outdated version +## Zoneminder <1.35 HTTP/HTTPS web interface auth +## Logs auth failures to apache2 error log +#enabled = false +#port = http,https +#logpath = %(apache_error_log)s + +[zoneminder] +# Zoneminder >1.35 HTTP/HTTPS web interface auth +# Logs auth failures to Zoneminder web_php.log and apache error log +# See notes in filter.d/zoneminder.conf +enabled = false +port = http,https +logpath = /var/log/zm/web_php.log + + + +######## Update / Add the below to the /fail2ban/filter.d/zoneminder.conf ######### +# Fail2Ban filter for Zoneminder login failures + +#Use the following command for testing - Ubuntu +#sudo fail2ban-regex -v /var/log/zm/web_php.log /etc/fail2ban/filter.d/zoneminder.conf + +# Example pattern ZM < 1.34 +#pattern=[Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php + +# Example pattern ZM > 1.34 = Default pattern with no additional settings with in ZM Options Tab +#pattern=7/17/22, 3:01:06 PM GMT+1.104844 web_php[281296].ERR [192.168.0.3] [Could not retrieve user test details] at /usr/share/zoneminder/www/includes/auth.php line 312 + +# Example pattern ZM > 1.34 with ZM Options Tab setting DATETIME_FORMAT_PATTERN = yyyy/MM/dd HH:mm:ss +#pattern=2022/08/18 18:26:02.873802 web_php[918957].ERR [192.168.0.181] [Could not retrieve user test details] at /usr/share/zoneminder/www/includes/auth.php line 312 + + +[INCLUDES] +before = apache-common.conf + +[Definition] + +# Option: failregex + +#Uncomment the below regex for use with ZM < 1.34 +#failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\] + +#Uncomment the below regex for use with ZM > 1.34 +failregex = ^\s*web_php\[\d+\]\.ERR \[\] \[(?:Could not retrieve user|Login denied for user) \S+ + +#Dateformate patterns : + +#NOTE: ZM Version > 1.34 to use the Fail2Ban standard inbuilt datepattern regex set the DATETIME_FORMAT_PATTERN to yyyy/MM/dd HH:mm:ss within Zoneminder Options Tab + +#Experimental alternative dateformate patterns are +#datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f) + +ignoreregex = + +# Notes: +# Set the DATETIME_FORMAT_PATTERN to yyyy/MM/dd HH:mm:ss within Zoneminder Options Tab +# +# Author: Clipo +#