Fail2Ban plugin

A Kimai plugin, which logs an error message for every failed login attempt to a dedicated logfile.

This logfile can be analyzed by fail2ban to block access and prevent authentication attacks.

Fail2Ban configurations

You should know how to use and configure fail2ban, we cannot help with that part! Having said that, here are some possible rules for your fail2ban configuration.

First the Kimai specific filter:

#/etc/fail2ban/filter.d/kimai2.conf
[Definition]
failregex = fail2ban.ERROR: <HOST> \[.*\] \[.*\]$

And the additional jail.local for Kimai2:

#/etc/fail2ban/jail.local
[kimai2]
enabled   = true
filter    = kimai2
logpath   = /var/www/kimai2/var/log/fail2ban.log
port      = http,https
bantime   = 600
banaction = iptables-multiport
maxretry  = 3

Credits

• Bundle inspired by this blog entry
• Thanks also to @BeckeBauer for the idea and the initial try
• Find config documentation in the fail2ban wiki

Copy files

Extract the ZIP file and upload the included directory and all files to your Kimai installation to the new directory:

var/plugins/Fail2BanBundle/

Or you can clone it directly to the var/plugins/ directory of your Kimai installation:

cd kimai/var/plugins/
git clone https://github.com/Keleo/Fail2BanBundle.git Fail2BanBundle

The file structure needs to look like this afterwards:

var/plugins/
├── Fail2BanBundle
│   ├── Fail2BanBundle.php
|   └ ... more files and directories follow here ...

Clear cache

After uploading the files, Kimai needs to know about the new plugin. It will be found once the cache was re-built. Call these commands from the Kimai directory:

bin/console kimai:reload --env=prod

rm -r var/cache/prod/*

You might have to set file permissions afterwards:

chown -R :www-data .
chmod -R g+r .
chmod -R g+rw var/
chmod -R g+rw public/avatars/

Updating the plugin works exactly like the installation:

• Delete the directory var/plugins/Fail2BanBundle/
• Execute all installation steps again:
  • Copy files
  • Clear cache