And here's the final code if anyone wants to do the same:
~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php
PHP Code:
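<?php
class login_fail2ban_plugin {

    var $plugin_name = 'login_fail2ban_plugin';
    var $class_name = 'login_fail2ban_plugin';

    /*
        This function is called when the plugin is loaded
    */
    function onLoad() {
        global $app;
        /*
            Register for the events
        */
        $app->plugin->registerEvent('login_failed',$this->plugin_name,'log_fail');
    }

    /*
        Write one syslog line per failed login; fail2ban parses this line
    */
    function log_fail($event_name,$data) {
        // The username is user input: keep only printable ASCII and cap the length
        // so the entry stays a single line in the format the filter expects
        $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
        $username = substr(preg_replace('/[^\x20-\x7E]/', '?', $username), 0, 64);
        openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0);
        syslog(LOG_WARNING, "Login failed for user ".$username." on IP ".$_SERVER['REMOTE_ADDR']);
    }

} // end class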
/etc/rsyslog.d/12-ispconfig.conf
Code:
if $programname == 'ispconfig' then /var/log/ispconfig.log
restart rsyslog
Code:
service rsyslog restart
/etc/fail2ban/filter.d/ispconfig.conf
Code:
[Definition]
failregex = (.*) Login failed for user (.*) on IP <HOST>
ignoreregex =
test it
Code:
fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf
and add a jail to your /etc/fail2ban/jail.conf:
Code:
[ispconfig]
enabled = true
port = http,https
filter = ispconfig
logpath = /var/log/ispconfig.log
restart fail2ban
Code:
service fail2ban restart
and be happy
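
An offline check of the filter above, added here as an example and not part of the original post: it applies the posted failregex to constructed log lines, including usernames with spaces or with the text "on IP" in them, and reports which address the filter would hand to the jail. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, `MAXRETRY = 3` is an assumed threshold (the jail in the post does not set `maxretry`), and the log lines use documentation addresses.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex copied from /etc/fail2ban/filter.d/ispconfig.conf in the post
FAILREGEX = r"(.*) Login failed for user (.*) on IP <HOST>"
MAXRETRY = 3  # assumed threshold; the post's jail does not set maxretry

# Constructed sample of /var/log/ispconfig.log (not real log data)
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 ispconfig[2211]: Login failed for user admin on IP 203.0.113.7
Mar  3 10:15:04 web1 ispconfig[2211]: Login failed for user john doe on IP 203.0.113.7
Mar  3 10:15:09 web1 ispconfig[2214]: Login failed for user x on IP 198.51.100.9 on IP 203.0.113.7
Mar  3 10:16:30 web1 ispconfig[2230]: Login failed for user  on IP 192.0.2.44
Mar  3 10:17:02 web1 ispconfig[2231]: Session started for user admin on host web1
"""

def compile_filter(failregex):
    """Expand <HOST> before compiling, as fail2ban does (simplified)."""
    return re.compile(failregex.replace("<HOST>", HOST))

def failures(log_text, failregex=FAILREGEX):
    """Return the host captured from every line the filter matches."""
    rx = compile_filter(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            # The greedy (.*) runs to the last " on IP ", so the captured
            # host is the REMOTE_ADDR that the plugin appended.
            hosts.append(m.group("host"))
    return hosts

def would_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime window ignored)."""
    counts = Counter(failures(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in Counter(failures(SAMPLE_LOG)).items():
        print(host, n)
    print("would ban:", would_ban(SAMPLE_LOG))
```

On a live system, `fail2ban-regex` as shown in the post remains the authoritative test, since it uses fail2ban's real `<HOST>` expansion and date handling.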