Fail2Ban: login_log filter webmaild

Bouke · Dec 26, 2017

Hello,

I would like to use a Fail2Ban filter for the cPanel login_log (/usr/local/cpanel/logs).
Unfortunately I am not experienced with these filters. I can't figure out a working regex for webmaild.

I would like to filter rules like these:

[2017-12-26 20:59:45 +0100] info [webmaild] 123.123.123.123 - test2@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password hash is missing from system (user probably does not exist)

[2017-12-26 21:00:59 +0100] info [webmaild] 123.123.123.123 - test1@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect

I am not sure how to write the required failregex lines. I am hoping some could kindly help me, please.

rpvw · Dec 26, 2017

You might like to consider CSF/LFD that has a built in rule for login failure detection of cpanel, webmail and whm connections.

More details at : How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

cPanelMichael · Dec 27, 2017

Hello,

I concur with @rpvw. CSF is likely the best approach if you'd like to avoid writing custom rules.

Thank you.

Bouke · Dec 29, 2017

rpvw said: ↑

You might like to consider CSF/LFD that has a built in rule for login failure detection of cpanel, webmail and whm connections.
Click to expand...

Many thanks as this is very helpful. I am surprised that CSF works out of the box (although I have changed some things).

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Fail2Ban: login_log filter webmaild

Bouke Registered

rpvw Well-Known Member

cPanelMichael Forums Analyst
Staff Member

Bouke Registered

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Fail2Ban: login_log filter webmaild

Bouke Registered

rpvw Well-Known Member

cPanelMichael Forums Analyst Staff Member

Bouke Registered

Share This Page

cPanelMichael Forums Analyst
Staff Member