Custom fail2ban Filter
Posted
by
Michael Robinson
on Server Fault
See other posts from Server Fault
or by Michael Robinson
Published on 2012-10-05T00:31:12Z
Indexed on
2012/10/05
3:40 UTC
Read the original article
Hit count: 624
In my quest to block excessive failed phpMyAdmin
login attempts with fail2ban
, I've created a script that logs said failed attempts to a file: /var/log/phpmyadmin_auth.log
Custom log
The format of the /var/log/phpmyadmin_auth.log
file is:
phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php
Custom filter
[Definition]
# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;
phpMyAdmin jail
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 6
The fail2ban
log contains:
2012-10-04 10:52:22,756 fail2ban.server : INFO Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail : INFO Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail : INFO Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail : INFO Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail : INFO Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail : INFO Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail : INFO Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail : INFO Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail : INFO Jail 'fail2ban' started
When I issue:
sudo service fail2ban restart
fail2ban
emails me to say ssh
has restarted, but I receive no such email about my phpmyadmin
jail. Repeated failed logins to phpMyAdmin
does not cause an email to be sent.
Have I missed some critical setup? Is my filter's regular expression wrong?
Update: added changes from default installation
Starting with a clean fail2ban
installation:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Change email address to my own, action to:
action = %(action_mwl)s
Append the following to jail.local
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 4
Add the following to /etc/fail2ban/filter.d/phpmyadmin.conf
# phpmyadmin configuration file
#
# Author: Michael Robinson
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =
Restart fail2ban
sudo service fail2ban restart
PS: I like eggs
© Server Fault or respective owner