Custom fail2ban Filter

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Michael Robinson on Server Fault See other posts from Server Fault or by Michael Robinson
Published on 2012-10-05T00:31:12Z Indexed on 2012/10/05 3:40 UTC
Read the original article Hit count: 585

Filed under:
|
|

In my quest to block excessive failed phpMyAdmin login attempts with fail2ban, I've created a script that logs said failed attempts to a file: /var/log/phpmyadmin_auth.log

Custom log

The format of the /var/log/phpmyadmin_auth.log file is:

phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

Custom filter

[Definition]

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

phpMyAdmin jail

[phpmyadmin]

enabled  = true
port    = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

The fail2ban log contains:

2012-10-04 10:52:22,756 fail2ban.server : INFO   Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail   : INFO   Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail   : INFO   Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO   Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO   Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO   Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail   : INFO   Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail   : INFO   Jail 'fail2ban' started

When I issue:

sudo service fail2ban restart

fail2ban emails me to say ssh has restarted, but I receive no such email about my phpmyadmin jail. Repeated failed logins to phpMyAdmin does not cause an email to be sent.

Have I missed some critical setup? Is my filter's regular expression wrong?

Update: added changes from default installation

Starting with a clean fail2ban installation:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Change email address to my own, action to:

action = %(action_mwl)s

Append the following to jail.local

[phpmyadmin]

enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 4

Add the following to /etc/fail2ban/filter.d/phpmyadmin.conf

# phpmyadmin configuration file
#
# Author: Michael Robinson
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =

Restart fail2ban

sudo service fail2ban restart

PS: I like eggs

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about security

Related posts about configuration

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle