Using Fail2ban To Block Wrong ISPConfig Logins

Submitted by phry on Wed, 2012-09-12 15:40. :: ISPConfig | Linux | Control Panels | Security


First of all: if you're not paranoid, you don't need this. ISPConfig does a fine job of blocking any user login that fails more than five times a minute.

On the other hand, you MIGHT want to be able to fine-tune this a bit.

In this tutorial, we'll write an ISPConfig plugin to log failed logins to syslog, filter those entries using rsyslogd and add a fail2ban rule to block malicious users' IPs.

Again: we would not need this part, either. If you set ISPConfig's Loglevel to DEBUG, failed logins would be logged anyway. But we don't want all that other clutter, do we?

So we need a plugin to log failed logins to syslog first:

~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php

<?php
class login_fail2ban_plugin {

    var $plugin_name = 'login_fail2ban_plugin';
    var $class_name  = 'login_fail2ban_plugin';

    // Called by ISPConfig when the plugin is loaded: subscribe to the login_failed event.
    function onLoad() {
        global $app;
        $app->plugin->registerEvent('login_failed', $this->plugin_name, 'log_fail');
    }

    // Event handler: write one line per failed login to the local0 syslog facility.
    // The message text must stay exactly like this, the fail2ban filter below matches on it.
    function log_fail($event_name, $data) {
        $username = isset($_POST['username']) ? $_POST['username'] : '';
        openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0);
        syslog(LOG_WARNING, "Login failed for user " . $username . " on IP " . $_SERVER['REMOTE_ADDR']);
        closelog();
    }
}
?>

ISPConfig has a strange way of caching its plugins, so you might want to clear your browser cache for your domain now.

Now, we don't want that in /var/log/syslog. If your server is crowded, there will be massive logging there and fail2ban doesn't need to filter all that crap.

Let's use rsyslogd for that:

/etc/rsyslog.d/12-ispconfig.conf

# everything logged under the program name "ispconfig" goes to its own file ...
if $programname == 'ispconfig' then /var/log/ispconfig.log
# ... and is then discarded, so it does not show up in /var/log/syslog as well
# (on rsyslog 7 and later, write "& stop" instead of "& ~")
& ~

Now restart rsyslog:

service rsyslog restart

Create a fail2ban filter rule:

/etc/fail2ban/filter.d/ispconfig.conf

[Definition]
failregex = (.*) Login failed for user (.*) on IP <HOST>
ignoreregex =

Test it (you should try to log in with a false username/password for this to show anything).

fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf

and add a jail to your /etc/fail2ban/jail.conf:

[ispconfig]
enabled = true
port = http,https
filter = ispconfig
logpath = /var/log/ispconfig.log

Restart fail2ban and you're done.

service fail2ban restart
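
As an added example that is not part of the original tutorial, the Python script below replays a constructed sample of /var/log/ispconfig.log (written the way the plugin and the rsyslog rule above would produce it) through the filter's failregex and emulates the jail's counting logic: a host is banned once it collects maxretry matches within a sliding window of findtime seconds, which is what the jail does with the settings the comments below ask for. The <HOST> placeholder is replaced by a plain IPv4 capture group, a simplification of fail2ban's real expansion; the year, hostname, PIDs and addresses in the sample are assumptions. It shows which IPs the jail would ban and why the findtime window matters when maxretry is lowered.

```python
import re
from collections import defaultdict
from datetime import datetime

# The tutorial's failregex, with fail2ban's <HOST> placeholder replaced by a
# plain IPv4 capture group (simplification of fail2ban's own <HOST> pattern).
FAILREGEX = re.compile(
    r"(.*) Login failed for user (.*) on IP (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# rsyslog's default timestamp ("Sep 12 15:40:01") carries no year; fail2ban
# assumes the current one, this script takes it as a parameter.
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

# Constructed sample of /var/log/ispconfig.log (hostname, PIDs and addresses
# are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Sep 12 15:40:01 panel ispconfig[2231]: Login failed for user admin on IP 203.0.113.5
Sep 12 15:40:03 panel ispconfig[2231]: Login failed for user admin on IP 203.0.113.5
Sep 12 15:40:04 panel ispconfig[2240]: Login failed for user root on IP 198.51.100.7
Sep 12 15:40:06 panel ispconfig[2231]: Login failed for user admin on IP 203.0.113.5
Sep 12 15:40:09 panel ispconfig[2231]: Login failed for user administrator on IP 203.0.113.5
Sep 12 15:40:12 panel ispconfig[2231]: Login failed for user admin on IP 203.0.113.5
Sep 12 15:52:00 panel ispconfig[2290]: Login failed for user root on IP 198.51.100.7
Sep 12 15:52:30 panel ispconfig[2290]: some other ispconfig message the filter must ignore
"""


def parse_line(line, year=2012):
    """Return (timestamp, host) for a line the failregex matches, else None.

    This is what `fail2ban-regex` reports as a matched line."""
    m_ts = TIMESTAMP.match(line)
    m = FAILREGEX.search(line)
    if not m_ts or not m:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def banned_hosts(log_text, maxretry=5, findtime=600):
    """Emulate the jail: ban a host once it has `maxretry` matched failures
    inside a sliding window of `findtime` seconds. Returns the set of hosts."""
    recent = defaultdict(list)   # host -> timestamps of failures still in the window
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                 # not a failed login, fail2ban ignores it
        ts, host = parsed
        window = recent[host] + [ts]
        # drop failures that fell out of the findtime window
        recent[host] = [t for t in window if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for host in sorted(banned_hosts(SAMPLE_LOG)):
        print(f"would ban {host}")
```

With the sample above, 203.0.113.5 reaches five failures in eleven seconds and is banned; 198.51.100.7 fails only twice, twelve minutes apart, so even with maxretry = 2 it is not banned unless findtime is widened to cover both attempts. The last line is an ispconfig message the filter correctly ignores, which is the kind of line `fail2ban-regex` lists under "missed".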

Have fun!


Submitted by Dirk67 (not registered) on Wed, 2013-02-20 19:53.

The PHP opening and closing tags "<?php" ... "?>" are missing at the beginning and end of the ISPConfig plugin source code above.

Maybe it is better to add the jail to "/etc/fail2ban/jail.local" instead of adding it to "/etc/fail2ban/jail.conf".

In the jail, the port should be 8080 for blocking ISPConfig access.

In the jail, one should add a "maxretry = 5" directive if not defined globally...


Submitted by Anonymous (not registered) on Fri, 2014-02-07 20:32.

Thank you for adding the corrections, it is working like a charm.


Submitted by Anonymous (not registered) on Tue, 2013-03-26 16:36.

It is not working.

/var/log/ispconfig.log is empty if I try a wrong user/pass.