Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Fail2Ban: login_log filter webmaild

Discussion in 'Security' started by Bouke, Dec 26, 2017.

  1. Bouke

    Bouke Registered

    Joined:
    Dec 26, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    Hello,

    I would like to use a Fail2Ban filter for the cPanel login_log (/usr/local/cpanel/logs).
    Unfortunately I am not experienced with these filters. I can't figure out a working regex for webmaild.

    I would like to filter rules like these:

    [2017-12-26 20:59:45 +0100] info [webmaild] 123.123.123.123 - test2@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password hash is missing from system (user probably does not exist)

    [2017-12-26 21:00:59 +0100] info [webmaild] 123.123.123.123 - test1@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect

    I am not sure how to write the required failregex lines. I am hoping some could kindly help me, please.
     
    #1 Bouke, Dec 26, 2017
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    822
    Likes Received:
    299
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 rpvw, Dec 26, 2017
    cPanelMichael likes this.
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,897
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I concur with @rpvw. CSF is likely the best approach if you'd like to avoid writing custom rules.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Dec 27, 2017
  4. Bouke

    Bouke Registered

    Joined:
    Dec 26, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    Many thanks as this is very helpful. I am surprised that CSF works out of the box (although I have changed some things).
     
    #4 Bouke, Dec 29, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Fail2Ban login_log filter
  1. adamreece.webbox

    login_log: How users logged in (password, oauth, etc.)

    adamreece.webbox, Sep 5, 2018, in forum: Security
    Replies:
    1
    Views:
    102
    cPanelLauren
    Sep 5, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice