
Created May 20, 2020 07:54
Harden Cacti with Fail2Ban

Fail2Ban and Cacti


  • Ubuntu 20.04
  • cacti, fail2ban and e.g. iptables are installed


Create a simple Fail2ban filter:

[Definition]
failregex = ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.
ignoreregex =

Save it to a file called filter.d/cacti.local within your Fail2ban configuration directory, e.g. /etc/fail2ban, or /usr/local/etc/fail2ban on FreeBSD. Finally, extend your jail.local (e.g. /etc/fail2ban/jail.local) with a jail that uses the filter:

[cacti]
enabled = true
filter = cacti
logpath = /var/log/cacti/cacti.log
maxretry = 3

Either restart Fail2ban, or activate the new jail:

fail2ban-client add cacti
fail2ban-client start cacti



# fail2ban-regex cacti/cacti.log /etc/fail2ban/filter.d/cacti.conf --print-all-matched

Running tests

Use   failregex filter file : cacti, basedir: /etc/fail2ban
Use         log file : cacti/cacti.log
Use         encoding : UTF-8


Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1242] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?

Lines: 1242 lines, 0 ignored, 1 matched, 1241 missed
[processed in 0.05 sec]

|- Matched line(s):
|  2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'sdsdsdsd' from IP Address ''.
Missed line(s): too many to print.  Use --print-all-missed to print all 1241 lines
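
An offline check of the filter and jail settings above, added here as an example and not part of the original gist. It applies the failregex to a constructed log and reports which hosts would reach maxretry. Assumptions: HOST is a simplified stand-in for Fail2ban's <HOST> tag, findtime is not set on the page so 600 seconds is assumed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex exactly as in the filter above
FAILREGEX = r"^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'."
MAXRETRY = 3    # from the jail above
FINDTIME = 600  # assumption: seconds; the jail above does not set findtime

# Assumption: simplified stand-in for Fail2ban's <HOST> tag (IP literals only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '192.0.2.10'.
2020/05/19 16:33:20 - AUTH LOGIN: Local Login Failed for user 'root' from IP Address '192.0.2.10'.
2020/05/19 16:33:41 - AUTH LOGIN: Local Login Failed for user 'cacti' from IP Address '192.0.2.10'.
2020/05/19 16:34:02 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '198.51.100.7'.
2020/05/19 16:35:01 - SYSTEM STATS: constructed non-auth line
2020/05/19 16:40:00 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '198.51.100.7'.
2020/05/19 16:52:30 - AUTH LOGIN: Local Login Failed for user 'o'brien' from IP Address '2001:db8::5'.
2020/05/19 17:10:00 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '198.51.100.7'.
"""

def failures_by_host(log_text, failregex=FAILREGEX):
    """Map each captured host to the timestamps of its failed logins."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            when = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
            failures[m.group("host")].append(when)
    return dict(failures)

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least `maxretry` failures inside one `findtime` window."""
    banned = []
    for host, times in failures_by_host(log_text).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

The second host has three failures as well, but they are spread over more than the assumed findtime, so it only reaches the threshold if the window is widened.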