Hi, with the release of 7.10 I noticed that it’s now possible to monitor the suitecrm.log file for failed login attempts with fail2ban, and to ban IP addresses.
Now I try to set up a filter for it in /etc/fail2ban/filter.d/ but am not able to figure out how the regex string should look like to do that.
Can anybody help me out here?
I created the filter suite-crm.conf which looks like this.
Have you tried simply “FAILED LOGIN”? That should match, and I don’t think anything else is needed. Fail2ban already counts the number of times each message is allowed, so you can configure how many failed attempts will trigger the ban directly in the Fail2Ban config file.
I have, but it does not work. As far as I understand, the regex string needs to at least get the IP address.
When I test the filter with fail2ban-regex I get the following error message:
root@localhost:/var/www/html/# fail2ban-regex suitecrm.log /etc/fail2ban/filter.d/suite-crm.conf
Running tests
=============
Use failregex filter file : suite-crm, basedir: /etc/fail2ban
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 549, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 319, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 110, in addFailRegex
    raise e
  File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 102, in addFailRegex
    regex = FailRegex(value)
  File "/usr/lib/python3/dist-packages/fail2ban/server/failregex.py", line 215, in __init__
    raise RegexException("No 'host' group in '%s'" % self._regex)
fail2ban.server.failregex.RegexException: No 'host' group in 'FAILED LOGIN:'
Your suggestion with just matching ‘FAILED LOGIN.’ did not work out for me; fail2ban needs to be told where in the line the IP address is to be found:
fail2ban-client[14185]: ERROR NOK: ("No ‘host’ group in 'FAILED LOGIN.’",)
But with the help of regex101 I did manage to stitch together an expression that works:
And now I get the following in the fail2ban.log when I try to log in with the wrong password 5x:
2018-10-31 19:52:06,981 fail2ban.filter [9982]: INFO [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:11,226 fail2ban.filter [9982]: INFO [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:17,174 fail2ban.filter [9982]: INFO [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:20,835 fail2ban.filter [9982]: INFO [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:24,265 fail2ban.filter [9982]: INFO [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:25,307 fail2ban.actions [9982]: NOTICE [suite-crm] Ban xxx.xxx.163.236
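Added example (not from this thread, and not SuiteCRM's or fail2ban's own code): a small Python emulation of what fail2ban does with a filter's failregex, run over a few constructed suitecrm.log lines. It shows the "No 'host' group" rejection that a bare "FAILED LOGIN" gets, a failregex that captures the client IP through the <HOST> placeholder, and how maxretry and findtime turn the per-line "Found" hits into the "Ban" seen in the log above. The log-line layout (date, then [pid][user][level], then a message ending in the client IP), the IP addresses, the <HOST> expansion pattern and the jail values are assumptions made for the example, so check them against your own suitecrm.log before copying the regex into the filter file.

```python
# Added example, not code from the thread, SuiteCRM or fail2ban: a small emulation
# of how fail2ban applies a filter's failregex, run over constructed suitecrm.log
# lines. The log-line layout, the IPs, the <HOST> expansion and the jail values
# below are assumptions for illustration, not taken from the thread.
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban replaces the <HOST> placeholder with a named group called "host".
# The exact expansion differs between fail2ban versions; this one (optional
# IPv4-mapped prefix, then an IPv4/IPv6/hostname token) is an assumption.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed log excerpt (assumed SuiteCRM layout: syslog-style date, then
# [pid][user][level], then the message with the client IP at the end).
SAMPLE_LOG = """\
Wed Oct 31 19:52:06 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[1] - admin - IP: 203.0.113.17
Wed Oct 31 19:52:11 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[2] - admin - IP: 203.0.113.17
Wed Oct 31 19:52:14 2018 [9982][-none-][INFO] Query:SELECT * FROM users
Wed Oct 31 19:52:17 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[3] - admin - IP: 203.0.113.17
Wed Oct 31 19:52:19 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[1] - bob - IP: 198.51.100.9
Wed Oct 31 19:52:20 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[4] - admin - IP: 203.0.113.17
Wed Oct 31 19:52:24 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[5] - admin - IP: 203.0.113.17
"""

# Equivalent filter file (/etc/fail2ban/filter.d/suite-crm.conf) for that layout:
#   [Definition]
#   failregex = ^\[\d+\]\[[^\]]*\]\[FATAL\] FAILED LOGIN:.* - IP: <HOST>\s*$
#   ignoreregex =
# and a jail stanza for jail.local (values are assumptions):
#   [suite-crm]
#   enabled  = true
#   filter   = suite-crm
#   logpath  = /var/www/html/suitecrm.log
#   port     = http,https
#   maxretry = 5
#   findtime = 600
#   bantime  = 3600
FAILREGEX = r"^\[\d+\]\[[^\]]*\]\[FATAL\] FAILED LOGIN:.* - IP: <HOST>\s*$"

# fail2ban strips the date it recognises at the start of the line and matches
# failregex against the remainder; LINE_RE does that split for our sample layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$")


class RegexException(Exception):
    """Stand-in for fail2ban.server.failregex.RegexException."""


def compile_failregex(failregex):
    """Expand <HOST> and mirror fail2ban's check that a 'host' group exists."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    if "host" not in pattern.groupindex:
        raise RegexException("No 'host' group in '%s'" % failregex)
    return pattern


def failregex_is_valid(failregex):
    """True if fail2ban would accept this failregex, False if it lacks <HOST>."""
    try:
        compile_failregex(failregex)
        return True
    except RegexException:
        return False


def scan(log_text, failregex=FAILREGEX, maxretry=5, findtime=600):
    """Return (found, banned): every (timestamp, host) hit and the hosts banned."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> failure timestamps inside findtime
    found, banned = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a parsable date are ignored
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        fm = pattern.search(m.group("rest"))
        if not fm:
            continue
        host = fm.group("host")
        found.append((ts, host))  # fail2ban.filter: "Found <host>"
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry and host not in banned:
            banned.append(host)  # fail2ban.actions: "Ban <host>"
    return found, banned


if __name__ == "__main__":
    print("bare 'FAILED LOGIN' accepted?", failregex_is_valid("FAILED LOGIN"))
    hits, bans = scan(SAMPLE_LOG)
    for when, host in hits:
        print(when, "Found", host)
    for host in bans:
        print("Ban", host)
```

Run it as a script to see the Found/Ban sequence for the constructed lines; against a real install the equivalent check is the fail2ban-regex invocation used earlier in the thread, which reports the number of matched lines and will refuse the filter with the same "No 'host' group" error if <HOST> is missing. Lowering findtime to 10 seconds in the call makes the five admin failures fall outside one window and no ban is issued, which is the knob to tune if legitimate users trip the jail.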
btw, if someone experiences that this does not work on CentOS, remember to check the audit.log.
Some SELinux adjustment is required to permit Fail2Ban to use suitecrm.log in CentOS 7 or 8, depending on your preference. After that it really works and does the job.