@GAS85
Created May 20, 2020 07:54
Harden Cacti with Fail2Ban

Fail2Ban and Cacti

Prerequisites

  • Ubuntu 20.04
  • cacti, fail2ban and e.g. iptables are installed

Setup

Create a simple Fail2ban filter:

[Definition]
failregex = ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.
ignoreregex =

Save it to a file called filter.d/cacti.local within your Fail2ban configuration directory, e.g. /etc/fail2ban, or /usr/local/etc/fail2ban on FreeBSD. Then add a jail for it to your jail.local (e.g. /etc/fail2ban/jail.local):

[cacti]
enabled = true
filter = cacti
logpath = /var/log/cacti/cacti.log
maxretry = 3

Either restart Fail2ban, or activate the new jail:

fail2ban-client add cacti
fail2ban-client start cacti

Enjoy

Test

# fail2ban-regex cacti/cacti.log /etc/fail2ban/filter.d/cacti.conf --print-all-matched

Running tests
=============

Use   failregex filter file : cacti, basedir: /etc/fail2ban
Use         log file : cacti/cacti.log
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.* Local Login Failed for user \'.*\' from IP Address \'<HOST>\'.
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1242] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 1242 lines, 0 ignored, 1 matched, 1241 missed
[processed in 0.05 sec]

|- Matched line(s):
|  2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'sdsdsdsd' from IP Address '10.10.10.10'.
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 1241 lines
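
To see what the jail does with matches like the one above, here is an added example (not part of the original gist and not Fail2ban's own code) that applies the same failregex to constructed cacti.log lines and reports which address reaches maxretry = 3. The 10-minute findtime, the simplified IPv4-only stand-in for <HOST>, the function name hosts_to_ban and all sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the filter above; <HOST> is replaced by a simplified IPv4 group
# (assumption: Fail2ban's real <HOST> also accepts IPv6 and hostnames).
FAILREGEX = re.compile(
    r"^.* Local Login Failed for user \'.*\' from IP Address "
    r"\'(?P<host>\d{1,3}(?:\.\d{1,3}){3})\'."
)
MAXRETRY = 3                      # from the [cacti] jail above
FINDTIME = timedelta(minutes=10)  # assumed value; the jail inherits it from [DEFAULT]

# Constructed sample lines in the cacti.log format shown in the test output.
SAMPLE_LOG = """\
2020/05/19 16:33:12 - AUTH LOGIN: Local Login Failed for user 'admin' from IP Address '10.10.10.10'.
2020/05/19 16:33:40 - AUTH LOGIN: Local Login Failed for user 'root' from IP Address '10.10.10.10'.
2020/05/19 16:34:02 - POLLER: constructed non-matching line
2020/05/19 16:34:05 - AUTH LOGIN: Local Login Failed for user 'guest' from IP Address '192.0.2.7'.
2020/05/19 16:35:01 - AUTH LOGIN: Local Login Failed for user 'cacti' from IP Address '10.10.10.10'.
2020/05/19 17:10:00 - AUTH LOGIN: Local Login Failed for user 'guest' from IP Address '192.0.2.7'.
2020/05/19 17:30:00 - AUTH LOGIN: Local Login Failed for user 'guest' from IP Address '192.0.2.7'.
"""

def hosts_to_ban(log_text):
    """Return {ip: time of the failure that reached MAXRETRY within FINDTIME}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        match = FAILREGEX.match(line)
        if not match:
            continue              # a "missed" line in fail2ban-regex terms
        when = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
        ip = match.group("host")
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()      # forget failures older than FINDTIME
        if len(window) >= MAXRETRY and ip not in banned:
            banned[ip] = when
    return banned

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{when:%Y/%m/%d %H:%M:%S} ban {ip}")
```

In this sample 192.0.2.7 also fails three times, but the attempts are spread over nearly an hour, so it never has three failures inside one findtime window and is not banned.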