Detect failed Zabbix login attempts and trigger fail2ban

  • pepito
    Junior Member
    • Jul 2014
    • 3

    #1

    Detect failed Zabbix login attempts and trigger fail2ban

    Hi all,

    This morning I got a warning about more than 100 login attempts to the "Admin" account on my Zabbix server. Sounds nasty.

    I cannot find any logs showing the failed attempts, which could be used to trigger fail2ban (I am using DebugLevel=4 in zabbix_server.conf).

    I am using Zabbix 2.4.2.

    Any idea how to get this information in the logs?

    Thanks,
    Pepito
  • dave_t
    Junior Member
    • Apr 2007
    • 28

    #2
    Hi Pepito,

    I'm just looking to do the same thing with fail2ban.

    I'm running zabbix-server and apache2 on Ubuntu 20.04.

    I've checked the apache "error_log" and there's nothing in there when I force a failed login attempt, but I do see a message in the apache "access_log", but that gives a "200", which according to https://www.w3.org/Protocols/rfc2616/rfc2616.txt is part of the "Successful Status Codes (beginning with 2xx)": "10.2.1 200 OK".

    I appreciate that the version of Zabbix I'm running (5.2.5) has a ban module already implemented, which blocks a user for a predetermined amount of time, and I could probably figure out where that is defined in the zabbix PHP, but that will be overwritten at the next update, so was wondering if you (or anybody else) managed to get "fail2ban" to work with failed logins to Zabbix?

    Thanks,

    David


    • dave_t
      Junior Member
      • Apr 2007
      • 28

      #3
      last message got posted twice ?!
      Last edited by dave_t; 01-03-2021, 22:38. Reason: last message got posted twice ?!
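
One way to act on the access-log observation in post #2, added here as an example (not code from either poster or from Zabbix): it counts POSTs to the login page that were answered with 200 and applies fail2ban-style `maxretry`/`findtime` thresholds per client IP. It assumes a successful login is answered with a redirect rather than 200; the `/zabbix/index.php` path and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.9 - - [01/Mar/2021:19:58:10 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
192.0.2.9 - - [01/Mar/2021:20:45:02 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
198.51.100.4 - - [01/Mar/2021:22:29:40 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
198.51.100.4 - - [01/Mar/2021:22:29:55 +0000] "POST /zabbix/index.php HTTP/1.1" 302 -
203.0.113.7 - - [01/Mar/2021:22:30:00 +0000] "GET /zabbix/index.php HTTP/1.1" 200 1790
203.0.113.7 - - [01/Mar/2021:22:30:01 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
203.0.113.7 - - [01/Mar/2021:22:30:03 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
203.0.113.7 - - [01/Mar/2021:22:30:05 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
192.0.2.9 - - [01/Mar/2021:22:31:00 +0000] "POST /zabbix/index.php HTTP/1.1" 200 1843
"""

# Assumption: the frontend is served under /zabbix and the login form posts to index.php.
LOGIN_PATH = "/zabbix/index.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for each POST to the login page that was answered with 200."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] == LOGIN_PATH:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least maxretry failures inside one findtime window."""
    recent = defaultdict(list)
    flagged = set()
    for ip, ts in failed_logins(lines):
        # Keep only this IP's failures that are still inside the window.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```

The same three conditions (POST method, login path, status 200) are what a fail2ban filter pointed at the Apache access log would have to match.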
