crazy-max/docker-fail2ban

New Zoneminder filter not working

johnnny1337 opened this issue · 1 comments

Hi,

I am trying to use a new filter for Zoneminder and have done it like this:

[zoneminder]
enabled = true
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
# Modified for php based logins
port = http,https,30001,30002,30003,30004,30005,30006,30007,30008,30009,30010,30011,30012,30013,30014,30015,30016,30017,30018,30019
logpath = /var/log/zm/web_php.log
#%(apache_error_log)s
filter =
failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
datepattern = ^%%m/%%d/%%y %%H:%%M:%%S(?:\.%%f)

When I test the filter I get this:

docker exec -t fail2ban fail2ban-regex -v /var/log/zm/web_php.log zoneminder --print-all-matched

Running tests
=============

Use   failregex filter file : zoneminder, basedir: /etc/fail2ban
Use      datepattern : ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
Use         log file : /var/log/zm/web_php.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total
|-  #) [# of hits] regular expression
|   1) [0] ^\s*web_php\[\d+\]\.ERR\[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3749] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-

Lines: 3749 lines, 0 ignored, 0 matched, 3749 missed
[processed in 0.19 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 3749 lines

And when running this it seems to work:

docker exec -t fail2ban fail2ban-regex -vv -d '^%m/%d/%y %H:%M:%S(?:\.%f)'   '02/26/20 11:00:10.720338 web_php[1698].ERR [192.168.0.100] [Could not retrieve user testuser details] at includes/auth.php line 278'   '^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+'

Running tests
=============

Use      datepattern : ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
Use   failregex line : ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not ...
Use      single line : 02/26/20 11:00:10.720338 web_php[1698].ERR [192.16...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+
|      192.168.0.100  Wed Feb 26 11:00:10 2020
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] ^Month/Day/Year2 24hour:Minute:Second(?:\.Microseconds)
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

It seems to work for others not running in docker, see here:
fail2ban/fail2ban#2643

Am I missing something obvious?

Thank you!
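A stand-alone way to check the two regexes that appear in this issue against sample log lines, added here as an example (it is not part of the issue or of crazy-max/docker-fail2ban). Note that the jail section and the working single-line test both use `\.ERR \[<HOST>\]` with a space, while the first `fail2ban-regex` run reports the loaded filter as `\.ERR\[<HOST>\]` without one; the script below applies both forms to constructed lines modelled on the quoted `web_php.log` format. The `<HOST>` substitution (`HOST_GROUP`), the `split_date` and `check_filter` helpers and the sample lines are assumptions made for this example, and the IPv4-only host pattern is a simplified stand-in for fail2ban's own `<HOST>` expansion.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the web_php.log format quoted in the issue
# (not real log data).
SAMPLE_LOG = """\
02/26/20 11:00:10.720338 web_php[1698].ERR [192.168.0.100] [Could not retrieve user testuser details] at includes/auth.php line 278
02/26/20 11:00:12.100000 web_php[1698].ERR [192.168.0.100] [Login denied for user "testuser"] at includes/auth.php line 280
02/26/20 11:00:15 web_php[1698].INF [192.168.0.7] [Login successful for user "alice"] at includes/auth.php line 300
"""

# The failregex as written in the jail section (space between ".ERR" and "[<HOST>]").
FAILREGEX_JAIL = r'^\s*web_php\[\d+\]\.ERR \[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+'
# The failregex as fail2ban-regex reported it in the first (0-hit) run: no space there.
FAILREGEX_LOADED = r'^\s*web_php\[\d+\]\.ERR\[<HOST>\] \[(?:Could not retrieve user|Login denied for user) \S+'

# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion (which also
# accepts IPv6 addresses and hostnames); IPv4 is enough for these sample lines.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# In jail.local the pattern is written with %% because configparser interpolation
# halves it; the effective strptime pattern is the single-% form used on the CLI.
DATEPATTERN = '%m/%d/%y %H:%M:%S.%f'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a named host group."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def split_date(line):
    """Consume the leading timestamp and return (datetime or None, remainder).

    fail2ban removes the matched date before applying failregex, which is why the
    failregex in the issue can start with ^\\s*web_php even though each log line
    starts with a date.
    """
    m = re.match(r'^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?)\s*', line)
    if not m:
        return None, line
    stamp = m.group(1)
    # Lines without a fractional second still have to parse.
    fmt = DATEPATTERN if '.' in stamp else DATEPATTERN.replace('.%f', '')
    return datetime.strptime(stamp, fmt), line[m.end():]


def check_filter(failregex, log_text):
    """Return [(host, timestamp), ...] for every line failregex matches, i.e. the
    lines fail2ban-regex would count as 'matched'."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = split_date(line)
        m = rx.search(rest)
        if m:
            hits.append((m.group('host'), ts))
    return hits


if __name__ == '__main__':
    for label, rx in (('jail section', FAILREGEX_JAIL), ('as loaded', FAILREGEX_LOADED)):
        hits = check_filter(rx, SAMPLE_LOG)
        print(f'{label}: {len(hits)} matched')
        for host, ts in hits:
            print(f'  {host}  {ts}')
```

Run as-is it reports two matches for the jail-section regex (both auth failures from 192.168.0.100, with the successful login ignored) and zero for the space-less form, which is the same 0-matched outcome the first `fail2ban-regex` run shows. Comparing the regex that `fail2ban-regex` prints under "Use failregex" with the one you think you configured is the quickest check when a filter that passes a single-line test produces no hits against the real log.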

@jonrub I need a proper bug report to help you. Thanks.