Using Fail2ban To Block Wrong ISPConfig Logins

First of all: if you're not paranoid, you don't need this. ISPConfig does a fine job to block any user logins that fail more than five times a minute.

On the other hand, you MIGHT want to be able to fine-tune this a bit.

In this tutorial, we'll write an ISPConfig plugin to log failed logins to syslog, filter those entries using rsyslogd and add a fail2ban rule to block malicious users' IPs.

Again: we would not need this part, either. If you set ISPConfig's Loglevel to DEBUG, failed logins would be logged anyways. But we don't want all that other clutter, do we?

So we need a plugin to log failed logins to syslog first:

~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php

class login_fail2ban_plugin { 
        var $plugin_name = 'login_fail2ban_plugin'; 
        var $class_name  = 'login_fail2ban_plugin'; 

        function onLoad() { 
                global $app; 
                $app->plugin->registerEvent('login_failed',$this->plugin_name,'log_fail'); 
        } 

        function log_fail($event_name,$data) { 
                openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0); 
                syslog(LOG_WARNING, "Login failed for user ".$_POST['username']." on IP ".$_SERVER['REMOTE_ADDR']); 
        } 

}

ISPConfig has a strange way to cache it's plugins so you might want to clear your browser cache for your domain now.

Now, we don't want that in /var/log/syslog. If your server is crowded, there will be massive logging there and fail2ban doesn't need to filter all that crap.

Let's use rsyslogd for that:

/etc/rsyslog.d/12-ispconfig.conf

if $programname == 'ispconfig' then /var/log/ispconfig.log

Now restart rsyslog
 

service rsyslog restart

Create a fail2ban filter rule:

/etc/fail2ban/filter.d/ispconfig.conf

[Definition]
failregex = (.*) Login failed for user (.*) on IP <HOST>
ignoreregex =

Test it (you should try to log in with a false username/password for this to show anything).

fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf

and add a jail to your /etc/fail2ban/jail.conf:

[ispconfig]
enabled  = true
port     = http,https
filter   = ispconfig
logpath  = /var/log/ispconfig.log

Restart fail2ban and you're done.

service fail2ban restart

Have fun!

Share this page:

5 Comment(s)