Custom fail2ban Filter for phpMyadmin bruteforce attempts

security configuration fail2ban

That's fine but why not using the apache functionality to log failed logins ?

Add these lines to your Apache Config (i.e:/etc/apache2/conf.d/phpmyadmin.conf) in the according VirtualHost Section:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Then create the fail2ban filter:

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

Now add the jail to /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Restart apache and fail2ban:

service  apache2 reload
service fail2ban reload

and you are done, no need of php scripts so on..


  1. You should change your script to include timestamp in log files. Without this, fail2ban will not work

  2. use fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf to verify your regex first.

  3. I could start fail2ban successfully using your original configuration (prior to jail.local)

    Oct  7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch 
Oct  7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
Oct  7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
Oct  7 01:01:03 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 2
Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
Oct  7 01:01:03 hostname fail2ban.filter : INFO   Added logfile = /var/log/secure
Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 5
Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' started
Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' started
Oct  7 01:10:54 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' stopped
Oct  7 01:10:55 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
Oct  7 01:10:55 hostname fail2ban.server : INFO   Exiting Fail2ban
Oct  7 01:10:56 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
Oct  7 01:10:56 hostname fail2ban.filter : INFO   Added logfile = /var/log/phpmyadmin_auth.log

  4. Once correct regex are in place, you can use audit to see whether your file is accessed or not by fail2ban.

I used auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban

Related

Boot Debian while RAID array is degraded
Speeding up rsync over smb
Can Elastic Load Balancers correctly distribute traffic to different size instances
Nagios server best practices?
How to solve linux subdirectories number limit?
psexec: "Access is Denied"?
Using Firefox in Windows Domain Environment?
Finding how a hacked server was hacked
How to enable remote connections for SQL Server 2008?
Logging a "persons" activity in Linux
Account to read AD, join machine to domain, delete computer accounts and move computers to OUs
SSL Certificate errors in Captive Portals