I talked with @stephdl about the possibility to create a jail for WT 5 in his F2B version for NS7.
To do this new feature, in WT 5 log file (/var/log/webtop/webtop.log) is mandatory to be recorded the incoming IP of the client who need to connect to WT 5.
Could you do that?
Unfortunately, the only IP is 127.0.0.1.
And no error messages in case of wrong login (the last login, 26/Feb/2017:00:26:06 +0200, is with wrong password).
EDIT (corrected):
In “/var/log/webtop/webtop.log” there are error messages, but no IPs:
Updated WebTop 5 from nethserver-testing with the last rpm.
Now, in /var/lib/tomcats/webtop/logs, both IPs (WAN and LAN) are recorded.
Foolish questions: because I don’t see in “/var/lib/tomcats/webtop/logs” the errors of the bad logins, to create jail and filter for WT 5 in F2B, can be read the IPs from one log file and the errors from other log file (“/var/log/webtop/webtop.log”)?
If yes, the synchro between the IP and the error can be made by time and date even if the format isn’t the same?.
the filter could be like this in /etc/fail2ban/filter.d/webtop
[Definition]
#this filter is made against brute force attack to webtop
# Author Stephane de Labrusse <stephdl@de-labrusse.fr>
failregex =^<HOST>.-.-.\[.*\] "POST /webtop/login HTTP/1.1" 200
ignoreregex =
If you are interested in the details of a login attempt you can look into the “core”.“syslog” DB table.
In this table we dump some data (like timestamp, user, service, IP, etc…) about events of the platform.
You should look for “LOGIN” and “LOGIN_FAILURE” keys in the action column.
This kind of logging can be enabled in this way:
INSERT INTO “core”.“settings” (“service_id”, “key”, “value”) VALUES (‘com.sonicle.webtop.core’, ‘syslog.enabled’, ‘true’);
I hope that this is suitable for your needs otherwise i will investigate the possibility to change the response code.
like you can see above, good login are different of bad login therefore I can create a regex for matching the bad login…I’m not (only) looking for the http status, but on the line match