HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Developers' Forum (http://www.howtoforge.com/forums/forumdisplay.php?f=33)
-   -   Writing a simple plugin (fail2ban integration) (http://www.howtoforge.com/forums/showthread.php?t=58591)

phry 8th September 2012 17:41

Writing a simple plugin (fail2ban integration)
 
Heyo,
I wanted to log wrong logins into syslog so that fail2ban can parse it and ban the attacker's IP.
- Yes, I know, ISPConfig has a similar feature but I want to do this nonetheless.
- Yes, I know, ISPConfig logs wrong logins too, but only on DEBUG Level and I don't want the clutter. Neither do I want to change ispconfig files.

So I wrote a quick plugin:
/usr/local/ispconfig/server/plugins-available/login_fail2ban_plugin.inc.php
PHP Code:

<?php

class login_fail2ban_plugin {

        var 
$plugin_name 'login_fail2ban_plugin';
        var 
$class_name  'login_fail2ban_plugin';

        
//* This function is called during ispconfig installation to determine
        //  if a symlink shall be created for this plugin.
        
function onInstall() {

                return 
true;

        }


        
/*
                This function is called when the plugin is loaded
        */

        
function onLoad() {
                global 
$app;

                
/*
                Register for the events
                */
                
$app->plugins->registerEvent('login_failed',$this->plugin_name,'log_fail');
        }

        function 
log_failed($event_name,$data) {
        
openlog("ispconfig"LOG_PID LOG_PERRORLOG_LOCAL0);
        
syslog(LOG_WARNING"Login failed for user $_POST['username'] on IP $_SERVER['REMOTE_ADDR']");
        }




// end class

?>

and then I created a symlink in /usr/local/ispconfig/server/plugins-enabled
lrwxrwxrwx 1 ispconfig ispconfig 75 Sep 8 17:39 login_fail2ban_plugin.inc.php -> /usr/local/ispconfig/server/plugins-available/login_fail2ban_plugin.inc.php*

But here's the catch: it doesn't load. I tried writing stuff into the onLoad function, too - is doesn't execute.
Permissions and owner are set correctly, too:
-rwxr-x--- 1 ispconfig ispconfig 766 Sep 8 17:29 plugins-available/login_fail2ban_plugin.inc.php

Did I miss anything?

till 8th September 2012 18:44

You mix up the uspconfig server and the ispconfig interface. What you wrote above is a ispconfig server plugin, server plugins are used to configure services like apache, postfix etc. When you login to ispconfig, then you interact with the ispconfig interface and not the server, so if you want to react on failed logins, you will have tp write code for the interface and not the server. So your plugin can not work form a logical standpoint and it will never catch a interface event on the server.

If you want to log actions of the interface, take a look at the ispconfig svn to see how the login function that you want to replicate is implemented there.

phry 8th September 2012 19:42

Oh, so I plugged into the wrong backend xD

My attempt in itself (if it had been in the right place) should have been correct as login/index.php is raising the event:

PHP Code:

      182                         //* Incorrect login - Username and password incorrect
      
183                         $error $app->lng('error_user_password_incorrect');
      
184                         if($app->db->errorMessage != ''$error .= '<br />'.$app->db->errorMessage != '';
      
185
      186                         $app
->plugin->raiseEvent('login_failed',$this); 

Seems I just need another place to call my registerEvent.
I tried it in ~ispconfig/interface/lib/plugins - but that also seems to be a wrong choice.

Do you have any pointers for me?

till 9th September 2012 16:57

Quote:

My attempt in itself (if it had been in the right place) should have been correct as login/index.php is raising the event:
No, its not as the interface events are completely different from server events and what you wrote is a server plugin and not a interface plugin.

Interface plugins are written differntly and ue different functions any libraries for the events, take a look at the files in ispconfig/interface/lib/plugins/ to get an idea how they work.

phry 9th September 2012 17:05

Umh, sorry, but see
~ispconfig/interface/lib/plugins/mail_user_filter_plugin.inc.php (that IS the folder you're pointing to?)

PHP Code:

<?php
[...]
class 
mail_user_filter_plugin {

        var 
$plugin_name 'mail_user_filter_plugin';
        var 
$class_name 'mail_user_filter_plugin';

        
/*
                This function is called when the plugin is loaded
        */

        
function onLoad() {
                global 
$app;

                
/*
                Register for the events
                */

                
[...]
                
$app->plugin->registerEvent('mail:mail_user_filter:on_after_update','mail_user_filter_plugin','mail_user_filter_edit');
                [...]

        }

        function 
mail_user_filter_edit($event_name,$page_form) {
                global 
$app$conf;
            [...]
 
        }

    [...]
}

I might be suffering from tunnel vision but that is the same as I'm doing with the same syntax within (now) the same path?

phry 9th September 2012 19:57

Oh, FFS, got my error.

In server, it's $app->plugins->registerEvent
In interface, it's $app->plugin->registerEvent

And in case someone else wants to go on plugins: ispconfig stores your plugins in the session, onLoad will only be called once per session.
That's quite a useful piece of information - happy cookie deleting!

phry 9th September 2012 20:06

And here's the final code if anyone wants to do the same:

~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php
PHP Code:

class login_fail2ban_plugin {

        var 
$plugin_name 'login_fail2ban_plugin';
        var 
$class_name  'login_fail2ban_plugin';

        
/*
                This function is called when the plugin is loaded
        */

        
function onLoad() {
                global 
$app;
                
/*
                Register for the events
                */

                
$app->plugin->registerEvent('login_failed',$this->plugin_name,'log_fail');

        }

        function 
log_fail($event_name,$data) {
                
openlog("ispconfig"LOG_PID LOG_PERRORLOG_LOCAL0);
                
syslog(LOG_WARNING"Login failed for user ".$_POST['username']." on IP ".$_SERVER['REMOTE_ADDR']);
        }




// end class 

/etc/rsyslog.d/12-ispconfig.conf
Code:

if $programname == 'ispconfig' then /var/log/ispconfig.log
restart rsyslog
Code:

service rsyslog restart
/etc/fail2ban/filter.d/ispconfig.conf
Code:

[Definition]
failregex = (.*) Login failed for user (.*) on IP <HOST>
ignoreregex =


test it
Code:

fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf
and add a jail to your /etc/fail2ban/jail.conf:
Code:

[ispconfig]
enabled  = true
port    = http,https
filter  = ispconfig
logpath  = /var/log/ispconfig.log

restart fail2ban

Code:

service fail2ban restart
and be happy :)


All times are GMT +2. The time now is 20:40.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.