Fail2Ban Filter or correct Regex for it.

Hi, with the release of 7.10 I noticed that it’s now possible to monitor the suitecrm.log file for failed login attempts with fail2ban, and to ban IP addresses.
Now I am trying to set up a filter for it in /etc/fail2ban/filter.d/ but am not able to figure out what the regex string should look like to do that.
Can anybody help me out here?
I created the filter suite-crm.conf, which looks like this:


# Fail2Ban configuration file
[Definition]
failregex = _MISSING_EXPRESSION_
ignoreregex =

The line in suitecrm.log looks like this:


Wed Oct 27 19:42:15 2018 [31485][-none-][FATAL] FAILED LOGIN:attempts[1], ip[xxx.xxx.xxx.xxx], username[admin]

Thanks

Have you tried simply “FAILED LOGIN”? That should match, and I don’t think anything else is needed. Fail2ban already counts the number of times each message is allowed, so you can configure how many failed attempts will trigger the ban directly in the Fail2Ban config file.


I have, but it does not work. As far as I understand it, the regex string needs to at least get the IP address.
When I test the filter with fail2ban-regex I get the following error message:
root@localhost:/var/www/html/# fail2ban-regex suitecrm.log /etc/fail2ban/filter.d/suite-crm.conf


Running tests
=============

Use   failregex filter file : suite-crm, basedir: /etc/fail2ban
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 549, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 319, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 110, in addFailRegex
    raise e
  File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 102, in addFailRegex
    regex = FailRegex(value)
  File "/usr/lib/python3/dist-packages/fail2ban/server/failregex.py", line 215, in __init__
    raise RegexException("No 'host' group in '%s'" % self._regex)
fail2ban.server.failregex.RegexException: No 'host' group in 'FAILED LOGIN:'

Ok, try

FAILED LOGIN.*

This will match until the end of the line.

In case you need something different, I always use this fantastic website to test my Regexps:

https://regex101.com/

It’s easy to try things out there, and understand what it’s doing.


Hey, thank you so much for helping me.

Your suggestion with just matching ‘FAILED LOGIN.*’ did not work out for me; fail2ban needs to be told where in the line the IP address is to be found:
fail2ban-client[14185]: ERROR NOK: ("No 'host' group in 'FAILED LOGIN.*'",)

But with the help of regex101 I did manage to stitch together an expression that works:


failregex = FAILED LOGIN:attempts\[.*.\], ip\[<HOST>\]

And now I get the following in the fail2ban.log when I try to log in with the wrong password 5x:


2018-10-31 19:52:06,981 fail2ban.filter         [9982]: INFO    [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:11,226 fail2ban.filter         [9982]: INFO    [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:17,174 fail2ban.filter         [9982]: INFO    [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:20,835 fail2ban.filter         [9982]: INFO    [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:24,265 fail2ban.filter         [9982]: INFO    [suite-crm] Found xxx.xxx.163.236
2018-10-31 19:52:25,307 fail2ban.actions        [9982]: NOTICE  [suite-crm] Ban xxx.xxx.163.236

Cool. Now I understand how Fail2Ban works.

I should turn this into a Technical blog post one day…

Thanks!


Ok, here is a quick how-to for Ubuntu 18.04

Create a file in /etc/fail2ban/filter.d/suitecrm.conf

Add following filter:


# Fail2Ban filter for suitecrm
#
[INCLUDES]
before = common.conf

[Definition]
_daemon = suitecrm

failregex = FAILED LOGIN:attempts\[.*.\], ip\[<HOST>\]
ignoreregex = 

Then add a SuiteCRM entry in /etc/fail2ban/jail.conf


[suitecrm]
enabled = true
filter = suitecrm
port   = http,https
# ban with the default action and additionally send a whois report by mail
action = %(action_)s
         sendmail-whois[name=WEBMIN, dest=<email@dest.com>, sender=<sender@from.com>]
logpath = /var/www/<suitecrmInstallFolder>/suitecrm.log
maxretry = 5

That should do the trick.
Enjoy

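Added example (not from this thread or from fail2ban itself): a small Python script that applies the failregex above the way fail2ban does, expanding <HOST> into a named group and counting hits per IP inside a findtime window, so you can see which address would cross maxretry before touching the live jail. The host pattern and timestamp parsing are my approximations of fail2ban internals, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# failregex from the thread; <HOST> is expanded to a named group the way
# fail2ban does (this host pattern is an approximation, not fail2ban's code)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = r"FAILED LOGIN:attempts\[.*.\], ip\[<HOST>\]"
FAIL_PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
# suitecrm.log prefix, e.g. "Wed Oct 27 19:42:15 2018"; the weekday is skipped
TS_PATTERN = re.compile(r"^\w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})")

def parse_line(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    m = FAIL_PATTERN.search(line)
    ts = TS_PATTERN.match(line)
    if not m or not ts:
        return None
    return datetime.strptime(ts.group(1), "%b %d %H:%M:%S %Y"), m.group("host")

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Mimic fail2ban's counting: a host is banned once it has maxretry
    failures inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        hits = [t for t in recent.get(host, []) if when - t <= window] + [when]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# constructed sample of suitecrm.log (not real data): one address reaching
# maxretry, one successful login and one isolated failure that must not ban
SAMPLE_LOG = """\
Wed Oct 31 19:52:06 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[1], ip[198.51.100.7], username[admin]
Wed Oct 31 19:52:11 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[2], ip[198.51.100.7], username[admin]
Wed Oct 31 19:52:12 2018 [9982][1][INFO] User admin logged in successfully from ip[203.0.113.9]
Wed Oct 31 19:52:17 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[3], ip[198.51.100.7], username[admin]
Wed Oct 31 19:52:20 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[4], ip[198.51.100.7], username[admin]
Wed Oct 31 19:52:24 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[5], ip[198.51.100.7], username[admin]
Wed Oct 31 19:52:30 2018 [9982][-none-][FATAL] FAILED LOGIN:attempts[1], ip[203.0.113.9], username[bob]
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['198.51.100.7']
```

Lowering findtime shows why fail2ban's window matters: the same five failures spread over more than findtime seconds never trigger a ban.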

btw, if someone experiences that this does not work on CentOS, remember to check the audit.log.

Some SELinux adjustment is required to permit Fail2Ban to use suitecrm.log in CentOS 7 or 8, depending on your preference. After that it really works and does the job.

Great work everyone, thank you. Confirmed works!

Chain f2b-suitecrm (1 references)
target     prot opt source               destination
REJECT     all  --  222.222.222.186      0.0.0.0/0            reject-with icmp-port-unreachable

Howdy, we created CRM Defender exactly for that purpose. It bans a user’s IP by editing the .htaccess file.

Hey all, I used some info from this post in putting together a tutorial on how to set up Fail2Ban for SuiteCRM. You can find it on my blog:

Fail2Ban SuiteCRM Tutorial