Fail2ban Config for CheckMk Authentication over Web UI
This is an example fail2ban config for failed login attempts in the CheckMK Web UI login form.
CheckMK logs failed login attempts for each site separately at ~/var/log/web.log (relative to the home directory of the site's user).
To view them, type sudo ls -l /omd/sites/*/var/log/web.log
Or, as a checkmk user: first change to the user of your checkmk site with omd su <sitename>, then type ls ~/var/log/web.log
- If not already done, install fail2ban (e.g. for Ubuntu: apt install fail2ban)
- Create 2 new files and copy the content from the gist at
- /etc/fail2ban/filter.d/checkmk-auth.conf
- /etc/fail2ban/jail.d/checkmk-auth.conf
- If needed, change the port or add additional ports at line 8 in /etc/fail2ban/jail.d/checkmk-auth.conf for your checkmk sites (each site has its own port; see the docs for more information about used ports: https://docs.checkmk.com/latest/en/ports.html#loopback)
- To test your fail2ban config, run
fail2ban-regex /omd/sites/*/var/log/web.log /etc/fail2ban/filter.d/checkmk-auth.conf
- Reload fail2ban to activate the config:
fail2ban-client reload --restart checkmk-auth
or systemctl reload fail2ban.service
- Check if fail2ban knows about the new jail:
fail2ban-client status checkmk-auth
To test your fail2ban config
- Make some login attempts that will fail (wrong username or password)
- To test the filter, run
fail2ban-regex /omd/sites/*/var/log/web.log /etc/fail2ban/filter.d/checkmk-auth.conf
- To test the jail, run
fail2ban-client status checkmk-auth
To see statistics about the checkmk-auth jail, run fail2ban-client status checkmk-auth
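
As a cross-check on what fail2ban-regex reports, the following added example (not part of the gist) counts failed logins per client IP from web.log lines. The log line layout, the function names and the threshold argument are assumptions made for this sketch; compare the sample lines with your own web.log before relying on it.

```shell
#!/bin/sh
# Added example, not part of the gist. The sample lines below are constructed
# and their layout is an assumption; check it against your own web.log.
sample_log() {
cat <<'EOF'
2024-05-01 10:00:01,101 [20] [cmk.web.auth 4242] Login failed for username: admin (existing: True, locked: False), client: 203.0.113.7
2024-05-01 10:00:03,220 [20] [cmk.web.auth 4242] Login failed for username: admin (existing: True, locked: False), client: 203.0.113.7
2024-05-01 10:00:05,007 [20] [cmk.web.auth 4242] Login failed for username: x, client: 198.51.100.9 (existing: False, locked: False), client: 203.0.113.7
2024-05-01 10:02:11,450 [20] [cmk.web.auth 4242] Login failed for username: monitor (existing: True, locked: False), client: 198.51.100.20
2024-05-01 10:03:00,000 [20] [cmk.web 4242] Some unrelated message, client: 192.0.2.1
EOF
}

# failed_login_clients THRESHOLD
# Reads web.log lines on stdin and prints "IP COUNT" for every client with at
# least THRESHOLD failed logins. The username is supplied by whoever submits
# the login form, so the address is taken only from the end of the line, the
# same reason a fail2ban failregex should anchor its host match with "$".
failed_login_clients() {
    threshold=$1
    awk -v min="$threshold" '
        /Login failed for username:/ && match($0, /client: [0-9a-fA-F.:]+$/) {
            # "client: " is 8 characters long; the rest of the match is the IP
            ip = substr($0, RSTART + 8, RLENGTH - 8)
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print ip, count[ip]
        }
    ' | sort
}

# Demo on the constructed sample. On a real host, replace sample_log with:
#   cat /omd/sites/*/var/log/web.log
sample_log | failed_login_clients 3
```

This only counts lines; it does not apply a time window the way the jail does, so use it to sanity-check the match count shown by fail2ban-regex, not to predict bans.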