You can easily configure fail2ban to monitor failed login attempts for your ISPConfig 3 control panel installation. In this article, I assume you already have a working ISPConfig 3 installation with fail2ban installed. Example: The Perfect Server – Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3)
Create the ISPConfig 3 Filter
The first thing we need to do is create a filter for ISPConfig in the /etc/fail2ban/filter.d/ directory.
vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.
[Definition]
failregex = Failed login for user .* from <HOST>
ignoreregex =
Configuring the ISPConfig 3 Jail
Open, or create the /etc/fail2ban/jail.local file.
vi /etc/fail2ban/jail.local
Add the following rules for the jail to the bottom of the /etc/fail2ban/jail.local file.
[ispconfig]
enabled = true
port = 8080
filter = ispconfig
logpath = /var/log/ispconfig/auth.log
maxretry = 3
Restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.
service fail2ban restart
You can, and should, test the new configuration by running the following command.
fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf
Below is a sample of what should be displayed if everything was successful.
root@server:/# fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/ispconfig.conf
Use log file : /var/log/ispconfig/auth.log

Results
=======

Failregex
|- Regular expressions:
| [1] Failed login for user .* from <HOST>
|
`- Number of matches:
[1] 5 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
192.168.1.100 (Mon Aug 17 08:29:35 2015)
192.168.1.151 (Mon Aug 17 08:29:35 2015)
192.168.1.202 (Mon Aug 17 08:29:35 2015)
192.168.1.100 (Tue Aug 18 19:11:05 2015)
192.168.1.100 (Sat Aug 29 15:44:05 2015)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
187 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s):

Success, the total number of match is 5

However, look at the above section 'Running tests' which could contain important information.
root@server:/#
Note: If there are no failed login attempts to the ISPConfig 3 hosting control panel, you will not see any match(es) using the above test command.
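To see how the filter and the maxretry setting work together without waiting for real failed logins, here is an added example (not part of the original article and not fail2ban's own code) that applies the same failregex to constructed log lines and reports which addresses would reach the ban threshold. The log line layout, the IPv4-only stand-in for <HOST>, and the 600-second findtime are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILREGEX = r"Failed login for user .* from <HOST>"  # from ispconfig.conf above
MAXRETRY = 3                                          # from the [ispconfig] jail above
FINDTIME = timedelta(seconds=600)   # assumption: the jail above does not set findtime

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, an assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Constructed sample lines; the auth.log layout is an assumption.
SAMPLE_LOG = """\
Successful login for user 'admin' from 192.168.1.100 at 2015-08-17 08:20:01
Failed login for user 'admin' from 192.168.1.100 at 2015-08-17 08:29:35
Failed login for user 'admin' from 192.168.1.100 at 2015-08-17 08:29:50
Failed login for user 'root' from 192.168.1.151 at 2015-08-17 08:30:02
Failed login for user 'admin' from 192.168.1.100 at 2015-08-17 08:31:10
Failed login for user 'web1' from 192.168.1.202 at 2015-08-17 08:32:00
Failed login for user 'web1' from 192.168.1.202 at 2015-08-17 09:10:00
Failed login for user 'web1' from 192.168.1.202 at 2015-08-17 09:50:00
"""

def find_failures(log_text, failregex=FAILREGEX):
    """Return (timestamp, host) for every line the filter matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits = []
    for line in log_text.splitlines():
        match, stamp = pattern.search(line), STAMP_RE.search(line)
        if match and stamp:
            when = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S")
            hits.append((when, match.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry failures inside one findtime window."""
    recent, banned = defaultdict(deque), []
    for when, host in sorted(hits):
        window = recent[host]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()          # drop failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("would ban:", hosts_to_ban(find_failures(SAMPLE_LOG)))
```

In the sample, 192.168.1.202 also fails three times but is not banned, because its attempts are spread further apart than the assumed findtime.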
In a different post, I will show you how to set up and configure fail2ban to run as a user that is not “root”. It is optimal to run fail2ban as a user other than “root” for security reasons.
Notable Resources with Links
Fail2Ban Website
Fail2Ban How To’s
ISPConfig 3 Website
HowToForge – Linux Tutorials