A Kimai plugin, which logs an error message for every failed login attempt to a dedicated logfile.
This logfile can be analyzed by fail2ban to block access and prevent authentication attacks.
This plugin is compatible with the following Kimai releases:
| Bundle version | Minimum Kimai version |
|---|---|
| 2.0 | 2.0.0 |
| 1.1 - 1.2 | 1.18 |
| 1.0 - 1.0.1 | 1.0 |
You find the most notable changes between the versions in the file CHANGELOG.md.
Download and extract the compatible release in var/plugins/ (see plugin docs).
The file structure needs to look like this afterwards:
var/plugins/
├── Fail2BanBundle
│ ├── Fail2BanBundle.php
| └ ... more files and directories follow here ... Then rebuild the cache:
bin/console kimai:reload --env=prodYou should know how to use and configure fail2ban, we cannot help with that part!
Having said that, here are some possible rules for your fail2ban configuration.
First the Kimai specific filter:
#/etc/fail2ban/filter.d/kimai2.conf
[Definition]
failregex = fail2ban.ERROR: <HOST> \[.*\] \[.*\]$
And the additional jail.local for Kimai2:
#/etc/fail2ban/jail.local
[kimai2]
enabled = true
filter = kimai2
logpath = /var/www/kimai2/var/log/fail2ban.log
port = http,https
bantime = 600
banaction = iptables-multiport
maxretry = 3
Now touch the file to make sure it exists:
touch /var/www/kimai2/var/log/fail2ban.log- Bundle inspired by this blog entry
- Thanks to @BeckeBauer for the idea
- Documentation in the fail2ban wiki