Add support for the Usermin jail in Fail2ban

iliaross · iliaross · commit 2c37aa9ed621 · 2026-02-16T13:25:06.000+02:00
https://forum.virtualmin.com/t/is-there-no-fail2ban-jail-for-usermin/136622/
diff --git a/lib/Virtualmin/Config/Plugin/Fail2ban.pm b/lib/Virtualmin/Config/Plugin/Fail2ban.pm
@@ -31,7 +31,7 @@ sub actions {
     $log->info("Cannot configure Fail2ban module as Firewall module is not installed");
     $self->done(2);
   }
-print "XXXXXX\n\n";
+
   $self->spin();
   eval {
     if (has_command('fail2ban-server')) {
@@ -43,6 +43,11 @@ print "XXXXXX\n\n";
       create_fail2ban_jail($self);
       create_fail2ban_firewalld();
 
+      # Setup custom Usermin jail
+      if (foreign_installed('usermin')) {
+        create_fail2ban_usermin_jail();
+      }
+
       # Switch backend to use systemd to avoid failure on
       # fail2ban starting when actual log file is missing
       # e.g.: Failed during configuration: Have not found
@@ -120,6 +125,10 @@ my $mini_stack =
 my $proftpd_block = $mini_stack ? '' :
     "[proftpd]\n" .
     "enabled = true\nport = ftp,ftp-data,ftps,ftps-data,2222$proftpd_jail_extra\n\n";
+my $usermin_block = foreign_installed('usermin') && -d '/etc/fail2ban/filter.d'
+  ? "\n\n[usermin-auth]\nenabled = true\njournalmatch = ".
+    "_SYSTEMD_UNIT=usermin.service"
+  : '';
 
   open(my $JAIL_LOCAL, '>', '/etc/fail2ban/jail.local');
   print $JAIL_LOCAL <<EOF;
@@ -137,7 +146,7 @@ enabled = true
 
 [webmin-auth]
 enabled = true
-journalmatch = _SYSTEMD_UNIT=webmin.service
+journalmatch = _SYSTEMD_UNIT=webmin.service${usermin_block}
 
 EOF
 
@@ -160,4 +169,29 @@ EOF
   }    # XXX iptables-multiport is default on CentOS, double check others.
 }
 
+# Custom jail for Usermin, to protect against brute-force attacks on the login
+# page
+sub create_fail2ban_usermin_jail {
+  return if (!-d '/etc/fail2ban/filter.d');
+  open(my $USERMIN_JAIL, '>', '/etc/fail2ban/filter.d/usermin-auth.conf');
+  print $USERMIN_JAIL <<'EOF';
+# Fail2Ban filter for usermin
+# created by Virtualmin installer
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = usermin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex =
+EOF
+  close $USERMIN_JAIL;
+}
+
 1;
diff --git a/lib/Virtualmin/Config/Plugin/Fail2banFirewalld.pm b/lib/Virtualmin/Config/Plugin/Fail2banFirewalld.pm
@@ -62,9 +62,14 @@ sub actions {
       create_fail2ban_jail($self);
       create_fail2ban_firewalld();
 
-# Switch backend to use systemd to avoid failure on
-# fail2ban starting when actual log file is missing
-# e.g.: Failed during configuration: Have not found any log file for [name] jail
+      # Setup custom Usermin jail
+      if (foreign_installed('usermin')) {
+        create_fail2ban_usermin_jail();
+      }
+
+      # Switch backend to use systemd to avoid failure on fail2ban starting when
+      # actual log file is missing e.g.: Failed during configuration: Have not
+      # found any log file for [name] jail
       &foreign_require('fail2ban');
       my $jfile = "$fail2ban::config{'config_dir'}/jail.conf";
       my @jconf = &fail2ban::parse_config_file($jfile);
@@ -138,6 +143,10 @@ my $mini_stack =
 my $proftpd_block = $mini_stack ? '' :
     "[proftpd]\n" .
     "enabled = true\nport = ftp,ftp-data,ftps,ftps-data,2222$proftpd_jail_extra\n\n";
+my $usermin_block = foreign_installed('usermin') && -d '/etc/fail2ban/filter.d'
+  ? "\n\n[usermin-auth]\nenabled = true\njournalmatch = ".
+    "_SYSTEMD_UNIT=usermin.service"
+  : '';
 
   open(my $JAIL_LOCAL, '>', '/etc/fail2ban/jail.local');
   print $JAIL_LOCAL <<EOF;
@@ -155,7 +164,7 @@ enabled = true
 
 [webmin-auth]
 enabled = true
-journalmatch = _SYSTEMD_UNIT=webmin.service
+journalmatch = _SYSTEMD_UNIT=webmin.service${usermin_block}
 
 EOF
 
@@ -178,4 +187,29 @@ EOF
   }
 }
 
+# Custom jail for Usermin, to protect against brute-force attacks on the login
+# page
+sub create_fail2ban_usermin_jail {
+  return if (!-d '/etc/fail2ban/filter.d');
+  open(my $USERMIN_JAIL, '>', '/etc/fail2ban/filter.d/usermin-auth.conf');
+  print $USERMIN_JAIL <<'EOF';
+# Fail2Ban filter for usermin
+# created by Virtualmin installer
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = usermin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex =
+EOF
+  close $USERMIN_JAIL;
+}
+
 1;
diff --git a/lib/Virtualmin/Config/Plugin/Usermin.pm b/lib/Virtualmin/Config/Plugin/Usermin.pm
@@ -46,6 +46,7 @@ sub actions {
     usermin::get_usermin_miniserv_config(\%uminiserv);
     $uminiserv{'preroot'}         = "authentic-theme";
     $uminiserv{'ssl'}             = "1";
+    $uminiserv{'syslog'}          = "1";
     $uminiserv{'ssl_cipher_list'} = $webmin::strong_ssl_ciphers;
     $uminiserv{'domainuser'}      = 1;
     $uminiserv{'domainstrip'}     = 1;
