Fail2ban Config for CheckMk Authentication over Web UI

CheckMk Web Auth Fail2ban Config

This is an example fail2ban config that bans clients after failed login attempts on the CheckMK Web UI login form.

Setup

Check for log files

CheckMK logs failed login attempts for each site separately at ~/var/log/web.log (path relative to the site user's home directory). To view them, run:

  sudo ls -l /omd/sites/*/var/log/web.log

Or, as a checkmk user: first change to the user of your checkmk site with omd su <sitename>, then run:

  ls ~/var/log/web.log

Create Fail2Ban Filter and Jail

  1. If not already done, install fail2ban (e.g. for Ubuntu: apt install fail2ban)
  2. Create two new files and copy the matching content from this gist into them:
     • /etc/fail2ban/filter.d/checkmk-auth.conf
     • /etc/fail2ban/jail.d/checkmk-auth.conf
  3. If needed, change the port or add additional ports at line 8 in /etc/fail2ban/jail.d/checkmk-auth.conf for your checkmk sites (each site has its own port; see the docs for more information about used ports: https://docs.checkmk.com/latest/en/ports.html#loopback)
  4. To test your fail2ban config, run fail2ban-regex /omd/sites/*/var/log/web.log /etc/fail2ban/filter.d/checkmk-auth.conf
  5. Reload fail2ban to activate the config: fail2ban-client reload --restart checkmk-auth or systemctl reload fail2ban.service
  6. Check that fail2ban knows about the new jail: fail2ban-client status checkmk-auth

Testing

To test your fail2ban config:

  1. Make some login attempts that will fail (wrong username or password)
  2. To test the filter, run fail2ban-regex /omd/sites/*/var/log/web.log /etc/fail2ban/filter.d/checkmk-auth.conf
  3. To test the jail, run fail2ban-client status checkmk-auth

Statistics

To see statistics about the checkmk-auth jail, run fail2ban-client status checkmk-auth

# /etc/fail2ban/filter.d/checkmk-auth.conf
# checkmk-auth configuration file
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = Login failed for username: <F-USER>.*</F-USER> \(existing: .*, locked: .*, failed logins until locked: .*\), client: <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S,%%f\s

# /etc/fail2ban/jail.d/checkmk-auth.conf
[checkmk-auth]
enabled = true
filter = checkmk-auth
# See the docs for information about used ports: https://docs.checkmk.com/latest/en/ports.html#loopback
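# Specify a single port (e.g. port=5000), multiple comma-separated ports (e.g. port=5000,5001,5002) or a range (e.g. port=5000:5010)
port=5000:5100
# Pass the jail's port to the ban action explicitly so the firewall rule covers the ports above
action = iptables-multiport[name=checkmk-auth, port="%(port)s", protocol=tcp]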
logpath = /omd/sites/*/var/log/web.log
maxretry = 5
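
The filter's failregex and the jail's maxretry, replayed in Python over constructed log lines as an added example (not part of the original gist). `<HOST>` is replaced by the simplified alias quoted in the filter's comments, the `[cmk.web.auth]` field and the 10-minute `findtime` are assumptions, and one sample line carries a username that imitates the log suffix to show that the `$` anchor keeps the ban tied to the trailing client address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# <HOST> is expanded to the simplified alias quoted in the filter's comments and
# <F-USER> to a plain named group; fail2ban itself validates <HOST> more strictly.
FAILREGEX = re.compile(
    r"Login failed for username: (?P<user>.*) "
    r"\(existing: .*, locked: .*, failed logins until locked: .*\), "
    r"client: (?:::f{4,6}:)?(?P<host>\S+)$"
)
# Python equivalent of the filter's datepattern (%Y-%m-%d %H:%M:%S,%f).
DATE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s")


def parse_failures(lines):
    """Return (timestamp, user, host) for every line the filter would count."""
    hits = []
    for line in lines:
        date, fail = DATE_RE.match(line), FAILREGEX.search(line)
        if date and fail:
            ts = datetime.strptime(date.group(1), "%Y-%m-%d %H:%M:%S,%f")
            hits.append((ts, fail.group("user"), fail.group("host")))
    return hits


def hosts_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Hosts reaching maxretry failures within findtime (assumed: 10 minutes)."""
    recent, banned = defaultdict(deque), set()
    for ts, _user, host in sorted(parse_failures(lines)):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample lines; the "[cmk.web.auth]" field is an assumed layout.
TAIL = "(existing: True, locked: False, failed logins until locked: 9), client: "
SAMPLE = [f"2024-03-05 10:15:0{i},120 [cmk.web.auth] Login failed for username: "
          f"cmkadmin {TAIL}198.51.100.23" for i in range(5)]
SAMPLE += [
    "2024-03-05 10:16:00,000 [cmk.web.auth] Login failed for username: "
    f"x {TAIL}192.0.2.99 {TAIL}203.0.113.7",  # username text mimics the suffix
    "2024-03-05 10:17:00,000 [cmk.web] Login succeeded for user ops",  # no match
]
if __name__ == "__main__":
    print(parse_failures(SAMPLE)[-1], "would ban:", hosts_to_ban(SAMPLE))
```

The authoritative check remains fail2ban-regex against the real web.log, since it applies fail2ban's own `<HOST>` and date handling.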