[ZBXNEXT-8709] Zabbix and Fail2ban Integration (logging failed login attempts to file) Created: 2023 Sep 14 Updated: 2023 Oct 12 |
|
Status: | Open |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Frontend (F) |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | New Feature Request | Priority: | Trivial |
Reporter: | Rayg00n | Assignee: | Valdis Murzins |
Resolution: | Unresolved | Votes: | 2 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
It would be great to have a simple integration between Zabbix Frontend and Fail2ban to easily protect Zabbix from intrusions. The main idea is logging failed login attempts to a file (nginx logs, apache logs, etc.).

Example for Nginx:

1. Make simple functions inside /usr/share/zabbix/include/classes/user/CWebUser.php according to the link https://www.reddit.com/r/zabbix/comments/ng13jl/zabbix_5_frontend_failed_logins_log/ .

```php
public static function login(string $login, string $password): bool {
    try {
        self::$data = API::User()->login([
            'username' => $login,
            'password' => $password,
            'userData' => true
        ]);

        if (!self::$data) {
            throw new Exception();
        }

        API::getWrapper()->auth = [
            'type' => CJsonRpc::AUTH_TYPE_FRONTEND,
            'auth' => self::$data['sessionid']
        ];

        if (self::$data['gui_access'] == GROUP_GUI_ACCESS_DISABLED) {
            error(_('GUI access disabled.'));
            throw new Exception();
        }

        if (isset(self::$data['attempt_failed']) && self::$data['attempt_failed']) {
            CProfile::init();
            CProfile::update('web.login.attempt.failed', self::$data['attempt_failed'], PROFILE_TYPE_INT);
            CProfile::update('web.login.attempt.ip', self::$data['attempt_ip'], PROFILE_TYPE_STR);
            CProfile::update('web.login.attempt.clock', self::$data['attempt_clock'], PROFILE_TYPE_INT);

            if (!CProfile::flush()) {
                return false;
            }
        }

        // Log the successful login
        self::writeLoginLog($login, true);

        return true;
    }
    catch (Exception $e) {
        // Log the failed login
        self::writeLoginLog($login, false);
        self::setDefault();

        return false;
    }
}

// Logger function
private static function writeLoginLog(string $login, bool $success): void {
    $logMessage = $success ? 'Login success: ' : 'Login failure: ';
    // Drop control characters so a submitted login name cannot add extra log lines.
    $logMessage .= preg_replace('/[\x00-\x1F\x7F]/', '', $login);
    error_log($logMessage);
}
```

2. Create a new simple fail2ban filter like this in /etc/fail2ban/filter.d/nginx-http-auth-zabbix.conf:

```ini
[Definition]
failregex = \[error\].+Login failure: .+while reading response header from upstream, client: <HOST>, server:.+request: .POST
```

3. Enable the new filter's configuration in your /etc/fail2ban/jail.local:

```ini
[nginx-http-auth-zabbix]
enabled = true
port = http,https
filter = nginx-http-auth-zabbix
logpath = /var/log/nginx/*error.log
maxretry = 5
findtime = 60
bantime = 600
```

4. Restart services (zabbix-server, nginx, fail2ban) to take effect.

Tested on:

It will work for Apache too, just change the fail2ban configuration according to the official manual. |
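An offline check of the filter and jail settings from the description, added here as an example (it is not part of the original request, of Zabbix or of fail2ban): it applies the failregex to constructed nginx error-log lines and counts matches per client using maxretry = 5 and findtime = 60. The log-line layout, the IPv4-only `<HOST>` stand-in and the names `line`, `match_host` and `hosts_to_ban` are assumptions.

```python
import re
from datetime import datetime, timedelta

# failregex copied from the filter in step 2; <HOST> is fail2ban's placeholder.
FAILREGEX = (r"\[error\].+Login failure: .+while reading response header "
             r"from upstream, client: <HOST>, server:.+request: .POST")
# Assumption: IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
MAXRETRY, FINDTIME = 5, 60  # values from the jail in step 3


def line(clock, message, client):
    """Build one constructed nginx error-log line (assumed PHP-FPM stderr layout)."""
    return (f'2023/09/14 {clock} [error] 911#911: *1 FastCGI sent in stderr: '
            f'"PHP message: {message}" while reading response header from '
            f'upstream, client: {client}, server: zabbix.example, '
            f'request: "POST /index.php HTTP/1.1", host: "zabbix.example"')


# Constructed sample: a burst, a slow trickle, and one successful login.
SAMPLE_LOG = (
    [line(f"10:00:{s:02d}", "Login failure: Admin", "203.0.113.7") for s in (1, 5, 9, 13, 17)]
    + [line(f"10:0{m}:00", "Login failure: guest", "198.51.100.20") for m in range(1, 6)]
    + [line("10:06:00", "Login success: Admin", "192.0.2.10")]
)


def match_host(raw):
    """Return the client address if the failregex matches, else None."""
    found = PATTERN.search(raw)
    return found.group("host") if found else None


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least `maxretry` matching lines inside `findtime` seconds."""
    recent, banned = {}, []
    for raw in lines:
        host = match_host(raw)
        if host is None:
            continue
        seen = datetime.strptime(raw[:19], "%Y/%m/%d %H:%M:%S")
        window = [t for t in recent.get(host, []) if seen - t < timedelta(seconds=findtime)]
        recent[host] = window + [seen]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On a live system, `fail2ban-regex` run against the real error log and the filter file gives the authoritative result for the same check.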
Comments |
Comment by dimir [ 2023 Sep 14 ] |
Looks similar to ZBXNEXT-7426 |
Comment by Rayg00n [ 2023 Sep 14 ] |
It would be nice to combine them into one, with the example of the solution above. |
Comment by Georges Bou Rjeily [ 2023 Oct 12 ] |
The procedure mentioned above is very straightforward to execute:
2- After finishing the installation and prerequisites, you need to follow the steps mentioned above in the description of this article.

```
cd /usr/share/zabbix/include/classes/user/
nano /usr/share/zabbix/include/classes/user/CWebUser.php
```

3- Copy and paste the above modified code into public static function login (see screenshot before modification and after modification).

4- Continue to create the jail filter as mentioned in steps 2 and 3.

5- Now go to the hyperlink site (how to protect a nginx...) and continue to step 4.
NB: while testing or when checking results later keep in mind that you have to use the same jail filter name instead of the default one. EX: default filter name is: New filter name is. |