Allmon3 401 Unauthorized requests

Question?

Does anyone know how to get Allmon3 to log 401 unauthorized attempts to the log? This would be to enable fail2ban to block the IP of the offender after numerous attempts to brute force the login. Already have Crowdsec running banning IPs automatically in conjunction with fail2ban and UFW, but still seeing in the logs over 100+ attempts daily coming from other countries trying to brute force the VM running Allmon3.

Thanks,

Ian - K6IAN

Allmon3 (the web monitoring interface) does not log HTTP 401 messages. What are you trying to accomplish - brute-forcing the Allmon3 login modal? Or something else?

Looking to be proactive from a security standpoint. Have failed login attempts logged somewhere, so I can have fail2ban block the IP offenders.

-Ian

But you're talking specifically about the Allmon3 login modal, correct? Since the webserver itself is not controlling access, it will not throw an HTTP 401 or 403. What I would suggest is, if you're using fail2ban, trigger on some M attempts at requesting GET /allmon3/master/auth/check over N seconds and if hit it, block that IP. That full URI path is only used for handling the login.
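One way to choose M and N before turning the suggestion above into a fail2ban jail, as an added example (not Allmon3 or fail2ban code, and not posted by anyone in this thread): replay an access log and list the IPs that would have crossed the threshold. It assumes the "combined" access-log format, counts every request to the URI regardless of method or outcome, and runs on constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_PATH = "/allmon3/master/auth/check"  # login URI named in the thread
# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)

def offenders(lines, max_attempts=5, window_seconds=600):
    """Return {ip: time the ip first made max_attempts requests to AUTH_PATH
    within window_seconds}. The web server cannot tell a failed login from a
    successful one, so every request to the URI is counted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["uri"].split("?", 1)[0] != AUTH_PATH:
            continue              # unparsable line or a different URI
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_attempts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def _line(ip, hhmmss, uri=AUTH_PATH):
    # Builds one constructed log line (documentation-range IPs, made-up date).
    return f'{ip} - - [12/Mar/2025:{hhmmss} +0000] "GET {uri} HTTP/1.1" 200 17 "-" "-"'

# Constructed sample log, in chronological order.
SAMPLE = (
    [_line("198.51.100.20", f"{h:02d}:00:00") for h in range(5, 10)]    # 5 hits, one per hour
    + [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 25, 5)]  # 5 hits in 20 seconds
    + [_line("203.0.113.9", f"11:00:{s:02d}", "/allmon3/") for s in range(10)]  # other URI
)

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

Feeding it the lines of a real access log instead of `SAMPLE` shows which thresholds would catch the brute-force sources without catching normal logins.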

Yes, this is specifically regarding the Allmon3 login modal. I’ll give what you suggested a try and report back my findings. Ultimately, looking for a way to ban an IP address for a set period of time for ‘x’ number of failed attempts to authenticate via the login for Allmon3.

Thank you!

-Ian

Not to the log unless you specify the file but...
You can specify in .htaccess and create your own log of any error code you specify.
Log the IP if you wish. Redirect the hit. etc.
Google is your friend. I don't have a quick example to share handy.
But I have done this many times in the past.

This will not do anything. Allmon3 is not protected by the webserver's HTTP protocol stack and thus there will never be an HTTP 401 error generated. Ever.

He did not ask for protection.
Just a log.

Yes, you can do it with .htaccess. A log anyway. Could be the same log if you wanted it.
I did not say it would protect him from anything.

But you could automatically write the IP to the iptables.
Much easier to do with CSF & mod security.

Ian, the simplest way to do this is to insert these 2 lines in the PHP code where a login was 'NOT' successful.

$line = substr($user, 0, 6) . " - " . date('Y-m-d H:i:s') . " - $_SERVER[REMOTE_ADDR]";
file_put_contents('iplog.txt', $line . PHP_EOL, FILE_APPEND);

Will log first 6 chars of 'user' with IP to iplog.txt of the current directory (modifiable),
with a day/time stamp.

Probably just above this line in login.php
// Password didn't match. Bail out.

Then if it is a repetitive IP, you can ban it with the firewall.
But more experienced hacks use multiple VPNs so the IPs change often.

This is one I used in allmon2 myself.

Let us know if you try it and it worked for you.

Allmon3 does not use PHP, nor will Allmon3 throw an HTTP status code for a failed login. The method I suggested above is the best way to deal with this if you want to use on-system logging.

Well, I had assumed the allmon code included with my asl3 x86 install was allmon 3 when I looked at it.