Fail2Ban: login_log filter webmaild

Bouke

Hello,

I would like to use a Fail2Ban filter for the cPanel login_log (/usr/local/cpanel/logs).
Unfortunately I am not experienced with these filters. I can't figure out a working regex for webmaild.

I would like to filter rules like these:

[2017-12-26 20:59:45 +0100] info [webmaild] 123.123.123.123 - [email protected] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password hash is missing from system (user probably does not exist)

[2017-12-26 21:00:59 +0100] info [webmaild] 123.123.123.123 - [email protected] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect

I am not sure how to write the required failregex lines. I am hoping someone could kindly help me, please.
 

rpvw


cPanelMichael

Hello,

I concur with @rpvw. CSF is likely the best approach if you'd like to avoid writing custom rules.

Thank you.
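
A candidate failregex for the two webmaild lines quoted in the first post, checked with Python's re module (the regex engine Fail2Ban uses). This is an added example, not part of any post in the thread; the filter name, the simplified `<HOST>` stand-in, `user@example.com` (the address is obscured on the page) and the extra sample lines are assumptions.

```python
import re

# Candidate failregex for a Fail2Ban filter (hypothetical name: cpanel-webmaild).
# Anchored at line start so the captured address is always the connection IP
# logged right after "[webmaild]", never text from the client-supplied user
# name or request. The optional leading group tolerates the bracketed
# timestamp whether or not it is still present when the regex is applied.
FAILREGEX = (
    r'^\s*(?:\[[^\]]*\]\s*)?info \[webmaild\] <HOST> - \S+ "[^"]*" '
    r'FAILED LOGIN webmaild: user password '
    r'(?:incorrect|hash is missing from system)'
)

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: IPv4 or
# IPv6 literals only).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{3,39})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))


def failed_host(line):
    """Return the client IP for a webmaild login failure, else None."""
    m = PATTERN.search(line)
    return m.group('host') if m else None


TS = '[2017-12-26 20:59:45 +0100] '
REQ = '"POST /login/?login_only=1 HTTP/1.1" '
WM = 'info [webmaild] 123.123.123.123 - user@example.com ' + REQ
# The first two entries follow the lines quoted in the thread (with
# user@example.com substituted); the rest are constructed edge cases.
SAMPLES = {
    'missing_hash': TS + WM + 'FAILED LOGIN webmaild: user password hash is '
                    'missing from system (user probably does not exist)',
    'bad_password': TS + WM + 'FAILED LOGIN webmaild: user password incorrect',
    'no_timestamp': WM + 'FAILED LOGIN webmaild: user password incorrect',
    # IP-like text in the user name field must not become the banned host.
    'ip_in_username': TS + 'info [webmaild] 198.51.100.20 - 203.0.113.9 '
                      + REQ + 'FAILED LOGIN webmaild: user password incorrect',
    'other_service': TS + 'info [cpaneld] 123.123.123.123 - user ' + REQ
                     + 'FAILED LOGIN cpaneld: user password incorrect',
    'not_failure': TS + WM + 'constructed non-failure text',
}

if __name__ == '__main__':
    for name, line in SAMPLES.items():
        print(f'{name:15} -> {failed_host(line)}')
```

Before enabling a filter built on this pattern, check it against the real log with `fail2ban-regex`.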
 