Using Fail2ban To Block Wrong ISPConfig Logins

First of all: if you're not paranoid, you don't need this. ISPConfig does a fine job of blocking any user login that fails more than five times a minute.

On the other hand, you MIGHT want to be able to fine-tune this a bit.

In this tutorial, we'll write an ISPConfig plugin to log failed logins to syslog, filter those entries using rsyslogd and add a fail2ban rule to block malicious users' IPs.

Again: we would not need this part, either. If you set ISPConfig's Loglevel to DEBUG, failed logins would be logged anyway. But we don't want all that other clutter, do we?

So we need a plugin to log failed logins to syslog first:

~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php

<?php
class login_fail2ban_plugin {
    var $plugin_name = 'login_fail2ban_plugin';
    var $class_name = 'login_fail2ban_plugin';

    // Called by ISPConfig when the plugin is loaded: subscribe to the
    // login_failed event so that log_fail() runs on every failed login.
    function onLoad() {
        global $app;
        $app->plugin->registerEvent('login_failed', $this->plugin_name, 'log_fail');
    }

    // Write one syslog line per failed login. The username comes straight from
    // the request, so strip control characters before logging it; that keeps a
    // crafted username from injecting extra lines into the file fail2ban parses.
    function log_fail($event_name, $data) {
        $user = isset($_POST['username']) ? $_POST['username'] : '';
        $user = preg_replace('/[\x00-\x1f\x7f]/', '', $user);
        openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0);
        syslog(LOG_WARNING, "Login failed for user " . $user . " on IP " . $_SERVER['REMOTE_ADDR']);
    }
}

ISPConfig has a strange way of caching its plugins, so you might want to clear your browser cache for your domain now.

Now, we don't want that in /var/log/syslog. If your server is busy, there will be massive logging there and fail2ban doesn't need to filter all that crap.

Let's use rsyslogd for that. The second line stops rsyslog from also copying the message into /var/log/syslog (on rsyslog versions older than 7, write "& ~" instead of "& stop"):

/etc/rsyslog.d/12-ispconfig.conf

if $programname == 'ispconfig' then /var/log/ispconfig.log
& stop

Now restart rsyslog:

service rsyslog restart

Create a fail2ban filter rule:

/etc/fail2ban/filter.d/ispconfig.conf

[Definition]
failregex = (.*) Login failed for user (.*) on IP <HOST>
ignoreregex =

Test it (log in with a wrong username/password first, otherwise there is nothing in the file for this to show):

fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf

and add a jail to your /etc/fail2ban/jail.conf:

[ispconfig]
enabled = true
port = http,https
filter = ispconfig
logpath = /var/log/ispconfig.log

Restart fail2ban and you're done.

service fail2ban restart
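To see what the jail will do before you enable it, here is an added Python example (not part of the original tutorial, nor code from ISPConfig or fail2ban). It replays constructed /var/log/ispconfig.log lines through the tutorial's failregex the way fail2ban does (re.search with <HOST> expanded to a named group) and then applies a maxretry/findtime counter like the jail's. Everything in it is an assumption or constructed: the log lines, host name, PIDs and documentation-range IPs, the year (rsyslog timestamps carry none), the IPv4-only <HOST> expansion (fail2ban's real one also accepts IPv6 and hostnames) and the maxretry = 5 / findtime = 10 minutes values, which the tutorial's jail does not set. It goes one step beyond the page by including a username that itself contains " on IP 9.9.9.9", to show which address the regex resolves in that case.

```python
"""Dry run of the [ispconfig] jail against constructed log lines.

Added example, not part of the original tutorial, ISPConfig or fail2ban.
It applies the tutorial's failregex the way fail2ban does (re.search, with
<HOST> expanded to a named group) and then mimics fail2ban's maxretry /
findtime counter, so you can see which addresses would be banned.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from /etc/fail2ban/filter.d/ispconfig.conf. fail2ban expands
# <HOST> to a group named "host"; simplified here to IPv4 only (the real
# expansion also accepts IPv6 addresses and hostnames).
FAILREGEX = r"(.*) Login failed for user (.*) on IP <HOST>"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))

# rsyslog's default timestamp prefix ("Sep 18 10:15:01"); it carries no year,
# so the year is supplied by the caller (assumed 2015 below).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed /var/log/ispconfig.log content (documentation IP ranges, not
# real addresses). The 10:32:00 line carries a crafted username containing
# " on IP 9.9.9.9"; the last line is a constructed non-failure message.
SAMPLE_LOG = """\
Sep 18 10:15:01 web1 ispconfig[2210]: Login failed for user admin on IP 203.0.113.5
Sep 18 10:15:03 web1 ispconfig[2210]: Login failed for user admin on IP 203.0.113.5
Sep 18 10:15:04 web1 ispconfig[2211]: Login failed for user root on IP 203.0.113.5
Sep 18 10:15:06 web1 ispconfig[2211]: Login failed for user admin on IP 203.0.113.5
Sep 18 10:15:07 web1 ispconfig[2212]: Login failed for user test on IP 203.0.113.5
Sep 18 10:20:00 web1 ispconfig[2213]: Login failed for user bob on IP 198.51.100.7
Sep 18 10:31:00 web1 ispconfig[2214]: Login failed for user bob on IP 198.51.100.7
Sep 18 10:32:00 web1 ispconfig[2215]: Login failed for user x on IP 9.9.9.9 on IP 198.51.100.7
Sep 18 10:33:00 web1 ispconfig[2216]: Session expired for user alice on IP 192.0.2.9
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line, year=2015):
    """Return (timestamp, username, host) for a failed-login line, else None."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    ts = TS_RE.match(line)
    when = None
    if ts:
        when = datetime.strptime("%d %s" % (year, ts.group("ts")), "%Y %b %d %H:%M:%S")
    return when, m.group(2), m.group("host")


def failures_per_host(lines, year=2015):
    """Count every matching line per host, the way fail2ban-regex reports matches."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            counts[parsed[2]] += 1
    return dict(counts)


def would_ban(lines, maxretry=5, findtime=timedelta(minutes=10), year=2015):
    """Mimic the jail's counter: a host is banned at the moment it reaches
    maxretry failures inside a sliding findtime window. maxretry=5 and
    findtime=10 minutes are assumed values, not from the tutorial's jail.
    Returns {host: time_of_ban}."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None or parsed[0] is None:
            continue
        when, _user, host = parsed
        if host in bans:
            continue  # already banned; nothing more to count for this host
        window = [t for t in recent[host] if when - t <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = when
    return bans


if __name__ == "__main__":
    for host, n in sorted(failures_per_host(SAMPLE_LINES).items()):
        print("%-15s %d failed logins" % (host, n))
    for host, when in would_ban(SAMPLE_LINES).items():
        print("would ban %s at %s" % (host, when.isoformat()))
```

Run as-is it prints the per-host counts and reports that only 203.0.113.5 would be banned: 198.51.100.7 has three failures, but the first one falls outside the 10-minute window. To replay a real file, hand open('/var/log/ispconfig.log').read().splitlines() to would_ban(). The crafted-username line shows why the greedy (.*) in the failregex is acceptable here: <HOST> resolves to the last "on IP", which is the REMOTE_ADDR the plugin appended, not text supplied in the username field.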

Have fun!

Comments

By: Dirk67

The PHP open and close tags "<?php" ... "?>" are missing at the beginning and end of the ISPConfig plugin source code above.

Maybe it is better to add the jail to "/etc/fail2ban/jail.local" instead of adding it to "/etc/fail2ban/jail.conf".

In the jail, the port should be 8080 for blocking ISPConfig access.

In the jail one should add a "maxretry = 5" directive if not defined globally...

By: Anonymous

It is not working.

/var/log/ispconfig.log is empty if I try a wrong user/pass.

By: Anonymous

Thank you for adding the corrections, it is working like a charm.

 

By: agentmoller001

I updated the above to make it function properly as of September 18, 2015 for ISPConfig 3.0.5.4p8. You can find the directions here: Configure Fail2Ban for ISPConfig 3 Failed Login Attempts

By: bepixeld

I think since ISPConfig 3.1 you don't need the plugin anymore. Login attempts are logged in /var/log/ispconfig/auth.log. My loglevel in ISPConfig is ERROR. See ISPConfig interface/web/login/index.php, about line 310.

So you can directly create a filter rule in /etc/fail2ban/filter.d/ispconfig.conf with content:

[Definition]
failregex = ^Failed login for user (.*) from <HOST> at
ignoreregex =

And add a jail to /etc/fail2ban/jail.local:

[ispconfig]
enabled  = true
maxretry = 5
port = 8080
logpath = /var/log/ispconfig/auth.log

Test it with:

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

And restart the fail2ban service. I have tested that with ISPConfig 3.1.9.