Fail2Ban and Cacti
Prerequisites
- Ubuntu 20.04
- Cacti, Fail2ban and e.g. iptables are installed
Setup
Create a simple Fail2ban filter:
[Definition]
failregex = ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.
ignoreregex =
Save it to a file called filter.d/cacti.local within your Fail2ban configuration directory, e.g. /etc/fail2ban, or /usr/local/etc/fail2ban on FreeBSD.
Finally, extend your jail.local (e.g. /etc/fail2ban/jail.local), for example:
[cacti]
enabled = true
filter = cacti
logpath = /var/log/cacti/cacti.log
maxretry = 3
Either restart Fail2ban, or activate the new jail:
fail2ban-client add cacti
fail2ban-client start cacti
Enjoy
Test
# fail2ban-regex cacti/cacti.log /etc/fail2ban/filter.d/cacti.conf --print-all-matched
Running tests
=============
Use failregex filter file : cacti, basedir: /etc/fail2ban
Use log file : cacti/cacti.log
Use encoding : UTF-8
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1242] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 1242 lines, 0 ignored, 1 matched, 1241 missed
[processed in 0.05 sec]
|- Matched line(s):
| 2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'sdsdsdsd' from IP Address '10.10.10.10'.
`-
Missed line(s): too many to print. Use --print-all-missed to print all 1241 lines
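
The filter and the maxretry value from the jail can also be checked offline against a few log lines. The Python sketch below is an added example, not part of the original page or of Fail2ban itself: it applies the page's failregex to constructed log lines and reports which addresses reach maxretry. It assumes a simplified capture group in place of <HOST> (Fail2ban's own expansion is broader) and ignores findtime.

```python
import ipaddress
import re
from collections import Counter

# failregex copied from the filter on this page.
FAILREGEX = r"^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'."
# Assumption: simplified stand-in for Fail2ban's <HOST> expansion.
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
MAXRETRY = 3  # same value as in the [cacti] jail

# Constructed sample lines in the cacti.log format shown on this page.
SAMPLE_LOG = """\
2020/05/19 16:33:10 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '10.10.10.10'.
2020/05/19 16:33:11 - AUTH LOGIN: Local Login Failed for user 'root' from IP Address '10.10.10.10'.
2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'sdsdsdsd' from IP Address '10.10.10.10'.
2020/05/19 16:34:00 - AUTH LOGIN: Local Login Failed for user 'o'brien' from IP Address '192.0.2.7'.
2020/05/19 16:35:00 - AUTH LOGIN: User 'admin' Authenticated
2020/05/19 16:36:00 - SYSTEM STATS: Time:1.2345 Method:cmd.php
2020/05/19 16:37:00 - AUTH LOGIN: Local Login Failed for user 'x' from IP Address '2001:db8::5'.
"""


def failed_hosts(log_text):
    """Return the source address of every line the failregex matches."""
    hosts = []
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue
        try:
            # Normalise and validate the captured text as an IP address.
            hosts.append(str(ipaddress.ip_address(match.group("host"))))
        except ValueError:
            continue  # captured text is not a valid IPv4/IPv6 address
    return hosts


def would_ban(log_text, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry (findtime ignored)."""
    counts = Counter(failed_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched hosts:", failed_hosts(SAMPLE_LOG))
    print("would be banned:", would_ban(SAMPLE_LOG))
```

The user name containing a quote ('o'brien') still yields the address from the final quoted field, because the greedy `.*` for the user name extends as far as the last `' from IP Address '` on the line.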