Heyo, I wanted to log wrong logins into syslog so that fail2ban can parse it and ban the attacker's IP. - Yes, I know, ISPConfig has a similar feature but I want to do this nonetheless. - Yes, I know, ISPConfig logs wrong logins too, but only on DEBUG Level and I don't want the clutter. Neither do I want to change ispconfig files. So I wrote a quick plugin: /usr/local/ispconfig/server/plugins-available/login_fail2ban_plugin.inc.php PHP: <?php class login_fail2ban_plugin { var $plugin_name = 'login_fail2ban_plugin'; var $class_name = 'login_fail2ban_plugin'; //* This function is called during ispconfig installation to determine // if a symlink shall be created for this plugin. function onInstall() { return true; } /* This function is called when the plugin is loaded */ function onLoad() { global $app; /* Register for the events */ $app->plugins->registerEvent('login_failed',$this->plugin_name,'log_fail'); } function log_failed($event_name,$data) { openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0); syslog(LOG_WARNING, "Login failed for user $_POST['username'] on IP $_SERVER['REMOTE_ADDR']"); } } // end class ?> and then I created a symlink in /usr/local/ispconfig/server/plugins-enabled lrwxrwxrwx 1 ispconfig ispconfig 75 Sep 8 17:39 login_fail2ban_plugin.inc.php -> /usr/local/ispconfig/server/plugins-available/login_fail2ban_plugin.inc.php* But here's the catch: it doesn't load. I tried writing stuff into the onLoad function, too - is doesn't execute. Permissions and owner are set correctly, too: -rwxr-x--- 1 ispconfig ispconfig 766 Sep 8 17:29 plugins-available/login_fail2ban_plugin.inc.php Did I miss anything?
You mix up the uspconfig server and the ispconfig interface. What you wrote above is a ispconfig server plugin, server plugins are used to configure services like apache, postfix etc. When you login to ispconfig, then you interact with the ispconfig interface and not the server, so if you want to react on failed logins, you will have tp write code for the interface and not the server. So your plugin can not work form a logical standpoint and it will never catch a interface event on the server. If you want to log actions of the interface, take a look at the ispconfig svn to see how the login function that you want to replicate is implemented there.
Oh, so I plugged into the wrong backend xD My attempt in itself (if it had been in the right place) should have been correct as login/index.php is raising the event: PHP: 182 //* Incorrect login - Username and password incorrect 183 $error = $app->lng('error_user_password_incorrect'); 184 if($app->db->errorMessage != '') $error .= '<br />'.$app->db->errorMessage != ''; 185 186 $app->plugin->raiseEvent('login_failed',$this); Seems I just need another place to call my registerEvent. I tried it in ~ispconfig/interface/lib/plugins - but that also seems to be a wrong choice. Do you have any pointers for me?
No, its not as the interface events are completely different from server events and what you wrote is a server plugin and not a interface plugin. Interface plugins are written differntly and ue different functions any libraries for the events, take a look at the files in ispconfig/interface/lib/plugins/ to get an idea how they work.
Umh, sorry, but see ~ispconfig/interface/lib/plugins/mail_user_filter_plugin.inc.php (that IS the folder you're pointing to?) PHP: <?php [...] class mail_user_filter_plugin { var $plugin_name = 'mail_user_filter_plugin'; var $class_name = 'mail_user_filter_plugin'; /* This function is called when the plugin is loaded */ function onLoad() { global $app; /* Register for the events */ [...] $app->plugin->registerEvent('mail:mail_user_filter:on_after_update','mail_user_filter_plugin','mail_user_filter_edit'); [...] } function mail_user_filter_edit($event_name,$page_form) { global $app, $conf; [...] } [...] } I might be suffering from tunnel vision but that is the same as I'm doing with the same syntax within (now) the same path?
Oh, FFS, got my error. In server, it's $app->plugins->registerEvent In interface, it's $app->plugin->registerEvent And in case someone else wants to go on plugins: ispconfig stores your plugins in the session, onLoad will only be called once per session. That's quite a useful piece of information - happy cookie deleting!
And here's the final code if anyone wants to do the same: ~ispconfig/interface/lib/plugins/login_fail2ban_plugin.inc.php PHP: class login_fail2ban_plugin { var $plugin_name = 'login_fail2ban_plugin'; var $class_name = 'login_fail2ban_plugin'; /* This function is called when the plugin is loaded */ function onLoad() { global $app; /* Register for the events */ $app->plugin->registerEvent('login_failed',$this->plugin_name,'log_fail'); } function log_fail($event_name,$data) { openlog("ispconfig", LOG_PID | LOG_PERROR, LOG_LOCAL0); syslog(LOG_WARNING, "Login failed for user ".$_POST['username']." on IP ".$_SERVER['REMOTE_ADDR']); } } // end class /etc/rsyslog.d/12-ispconfig.conf Code: if $programname == 'ispconfig' then /var/log/ispconfig.log restart rsyslog Code: service rsyslog restart /etc/fail2ban/filter.d/ispconfig.conf Code: [Definition] failregex = (.*) Login failed for user (.*) on IP <HOST> ignoreregex = test it Code: fail2ban-regex /var/log/ispconfig.log /etc/fail2ban/filter.d/ispconfig.conf and add a jail to your /etc/fail2ban/jail.conf: Code: [ispconfig] enabled = true port = http,https filter = ispconfig logpath = /var/log/ispconfig.log restart fail2ban Code: service fail2ban restart and be happy
