How to detect "login failed" event for fail2ban?

[shalak]

I'm looking for a simple solution to setup a fail2ban service. Unfortunately, the apache I have in front of webtrees does not produce 401 error on failed login attempts. Or am I missing something? I'm using a dockerized deployment.

The only idea that comes to my mind is a companion container, which will poll the db (via SELECT * FROM wt_log) and for matching log. Looks expensive :/

[miqrogroove]

Status 401 is only allowed for HTTP authentication protocols. Webtrees does not support those. If your site doesn't have any public features, you could enable TLS and basic auth in Apache, then customize the webtrees login system to read the Apache username. I was going to write a module for that once, but never got around to it.

[shalak]

Is it possible to redirect logs to syslog or textfile?

[fisharebest]

I haven't used fail2ban for a long time, but IIRC it looks for repeated HTTP requests in the apache logs.

So can you set it to look for repeated POST requests to the login URL? i.e. X POSTs in Y seconds => ban for Z hours.

[shalak]

Makes perfect sense, and more cost-effective than polling logs via SQL. Thanks for the tip!