From: Henrique F. <su...@ap...> - 2020-02-15 14:21:53
Friend,
Here are my /etc/fail2ban/jail.conf settings:
# NOTE(review): this is the packaged /etc/fail2ban/jail.conf itself; a package update can
# overwrite it. Site-specific changes (enabled jails, ports, ignoreip, bantime) are safer
# in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/*.local, which are read after this file.
[INCLUDES]
# read before this file; expected to define the %(*_log)s / %(*_backend)s variables used below
before = paths-fedora.conf
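[DEFAULT]
# only loopback is exempt from banning; with bantime = -1 below a mistaken ban on an
# administrator's source address is permanent, so trusted management addresses belong
# here as well (e.g. ignoreip = 127.0.0.1/8 ::1 <ADMIN_NETWORK_CIDR>)
ignoreip = 127.0.0.1/8
# no external command is consulted for ignore decisions
ignorecommand =
# a negative bantime means a permanent ban; every jail that does not override it bans forever
bantime = -1
# seconds within which maxretry failures must occur to trigger a ban
findtime = 3600
maxretry = 3
# auto: pick the best available log-monitoring backend at start-up
backend = auto
# warn: hostnames found in log lines are resolved, and a warning is logged
usedns = warn
logencoding = auto
# jails stay off unless they set enabled = true themselves
enabled = false
# filter defaults to the jail's own name (fail2ban's __name__ interpolation)
filter = %(__name__)s
# recipient / sender used only by the mail-notifying action variants
destemail = su...@cn...
sender = clu...@cn...
mta = sendmail
protocol = tcp
chain = INPUT
# fallback port spec for ban actions; jails normally narrow it
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
# action variants. Continuation lines of multi-line values are indented so configparser
# joins them to the preceding key; left unindented (as in the archived paste) each
# continuation would be read as a bogus key of its own.
# ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban + whois mail
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban + whois mail including the matching log lines
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# ban + XARF abuse report
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# cfemail / cfapikey and blocklist_de_apikey are API credentials; if they are ever set,
# keep them in a root-only local override rather than in this shared file
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# default for every jail: ban only, no mail
action = %(action_)s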
[sshd]
# inactive: inherits enabled = false from [DEFAULT]
# non-standard SSH port; the multiport ban action uses %(port)s, so this must match sshd's real listening port
port = 17169
# defined by the paths file loaded via [INCLUDES]
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[sshd-ddos]
# inactive: inherits enabled = false from [DEFAULT]
# same custom port and log source as [sshd]
port = 17169
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
# inactive: inherits enabled = false from [DEFAULT]
port = 17169
# defined by the paths file loaded via [INCLUDES]
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
# inactive: inherits enabled = false from [DEFAULT]
port = 17169
# audit log variable from the paths file; no backend override, so backend = auto applies
logpath = %(auditd_log)s
[phpmyadmin]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
# filter.d/phpmyadmin.conf; equals the jail name, so the [DEFAULT] filter = %(__name__)s would resolve to the same
filter = phpmyadmin
# bans http/https only; the port list repeats the key above (%(port)s would keep them in sync)
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
# commented-out second action; to activate it the line must be uncommented AND indented as a continuation of action
#sendmail-whois[name=PHPMYADMIN, des...@cn...]
# syslog file phpMyAdmin's "user denied" lines are written to on this host
logpath = /var/log/secure
# NOTE(review): if fail2ban-regex matches this file but no ban occurs, confirm the jail is
# started and watching this path (`fail2ban-client status phpmyadmin`, /var/log/fail2ban.log),
# that the failed attempts fall within findtime, and that no jail.local / jail.d/* override
# changes backend or logpath (`fail2ban-client -d` dumps the effective configuration).
# fail2ban only counts log lines written after it started.
# same as [DEFAULT]
maxretry = 3
[apache-auth]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
# same as the jail name, so redundant with the [DEFAULT] filter = %(__name__)s
filter = apache-auth
action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
# commented-out second action; would need to be indented as a continuation of action if re-enabled
#sendmail-whois[name=APACHE, des...@cn...]
# glob over per-vhost error logs; matched at jail start
logpath = /var/log/httpd/*/*_error.log
maxretry = 3
[drupal-comment]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
filter = drupal-comment
action = iptables-multiport[name=drupal-comment, port="http,https", protocol=tcp]
#sendmail-whois[name=DRUPAL, des...@cn...]
# hard-coded syslog file rather than the %(syslog_daemon)s variable used by the stock jails
logpath = /var/log/messages
maxretry = 3
[drupal-auth]
# active jail (overrides enabled = false from [DEFAULT]); replaces the stock [drupal-auth]
# definition, which is commented out further down in this file
enabled = true
port = http,https
filter = drupal-auth
action = iptables-multiport[name=drupal-auth, port="http,https", protocol=tcp]
#sendmail-whois[name=DRUPAL, des...@cn...]
# hard-coded syslog file rather than %(syslog_daemon)s
logpath = /var/log/messages
maxretry = 3
[apache-noscript]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
filter = apache-noscript
action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
#sendmail-whois[name=APACHE, des...@cn...]
# per-vhost error logs
logpath = /var/log/httpd/*/*_error.log
maxretry = 3
[apache-overflows]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
filter = apache-overflows
action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
#sendmail-whois[name=APACHE, des...@cn...]
# per-vhost error logs
logpath = /var/log/httpd/*/*_error.log
maxretry = 3
[apache-badbots]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = http,https
filter = apache-badbots
action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
#sendmail-whois[name=APACHE, des...@cn...]
# NOTE(review): the stock apache-badbots filter matches User-Agent strings in the *access*
# log; pointed at error logs it will most likely never match — verify with fail2ban-regex
logpath = /var/log/httpd/*/*_error.log
maxretry = 3
[openhab-auth]
# inactive: inherits enabled = false from [DEFAULT]
# filter name differs from the jail name, so it must be given explicitly
filter = openhab
# bans on all ports, not just the service port
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
# variable from the paths file loaded via [INCLUDES]
logpath = %(nginx_error_log)s
[nginx-limit-req]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(nginx_error_log)s
# stricter than the [DEFAULT] maxretry = 3
maxretry = 2
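[php-url-fopen]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
# two log sources; the second line is indented so configparser treats it as a continuation
# of logpath rather than as a separate (bogus) key
logpath = %(nginx_access_log)s
          %(apache_access_log)s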
[suhosin]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(lighttpd_error_log)s
[roundcube-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(roundcube_errors_log)s
[openwebmail]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
# hard-coded path; only checked once the jail is enabled
logpath = /var/log/openwebmail.log
[horde]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /var/log/tine20/tine20.log
port = http,https
# the original [drupal-auth] jail is commented out here because a custom [drupal-auth]
# is defined earlier in this file; a second header would be a duplicate section
#[drupal-auth]
#port = http,https
#logpath = %(syslog_daemon)s
#backend = %(syslog_backend)s
[guacamole]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
# glob over tomcat instance directories
logpath = /var/log/tomcat*/catalina.out
[monit]
# inactive: inherits enabled = false from [DEFAULT]
port = 2812
logpath = /var/log/monit
[webmin-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = 10000
# authpriv syslog variables from the paths file
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[squid]
# inactive: inherits enabled = false from [DEFAULT]
# common proxy listener ports
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
# inactive: inherits enabled = false from [DEFAULT]
port = 3128
logpath = /var/log/3proxy.log
[pure-ftpd]
# inactive: inherits enabled = false from [DEFAULT]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
# inactive: inherits enabled = false from [DEFAULT]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
# inactive: inherits enabled = false from [DEFAULT]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
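[vsftpd]
# active jail (overrides enabled = false from [DEFAULT])
enabled = true
port = ftp,ftp-data,ftps,ftps-data
# variable from the paths file loaded via [INCLUDES]
logpath = %(vsftpd_log)s
# a misspelled duplicate "enable = true" used to follow here; "enable" is not a fail2ban
# jail option and the "enabled" key above already activates the jail, so it was dropped
# port list repeats the key above (%(port)s would keep them in sync)
action = iptables-multiport[name=vsftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp]
# commented-out second action; would need to be indented as a continuation of action if re-enabled
#sendmail-whois[name=fail2ban-vsftpd-bruteforce, des...@cn...]
maxretry = 3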
[assp]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = /var/log/mail.log
[courier-smtp]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
# a single RBL rejection is enough to ban
maxretry = 1
[sendmail-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
# inactive: inherits enabled = false from [DEFAULT]
# filter name differs from the jail name, so it is given explicitly
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
[dovecot]
# inactive: inherits enabled = false from [DEFAULT]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
# shares dovecot's log and backend
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
# inactive: inherits enabled = false from [DEFAULT]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
# inactive: inherits enabled = false from [DEFAULT]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
[courier-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
# inactive: inherits enabled = false from [DEFAULT]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
# inactive: inherits enabled = false from [DEFAULT]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
# inactive: inherits enabled = false from [DEFAULT]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[named-refused]
# inactive: inherits enabled = false from [DEFAULT]
# DNS plus rndc control port
port = domain,953
logpath = /var/log/named/security.log
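[nsd]
# inactive: inherits enabled = false from [DEFAULT]
port = 53
# two ban actions (tcp and udp); the second line is indented so configparser joins it to
# action instead of reading it as a separate key
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log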
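[asterisk]
# inactive: inherits enabled = false from [DEFAULT]
port = 5060,5061
# tcp ban, udp ban and a whois mail; continuation lines indented so configparser joins
# them to action instead of reading each as a separate key
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
# SIP scanners are noisy; more lenient than the [DEFAULT] maxretry = 3
maxretry = 10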
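[freeswitch]
# inactive: inherits enabled = false from [DEFAULT]
port = 5060,5061
# same action set as [asterisk]; continuation lines indented so configparser joins them to action
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10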
[mysqld-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
[mongodb-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = 27017
logpath = /var/log/mongodb/mongodb.log
[recidive]
# inactive: inherits enabled = false from [DEFAULT]
# watches fail2ban's own log for hosts that other jails ban repeatedly
logpath = /var/log/fail2ban.log
# repeat offenders lose all ports, not just the original jail's
banaction = %(banaction_allports)s
# overrides the permanent bantime = -1 from [DEFAULT]. With first bans already permanent
# there is little for recidive to catch unless per-jail bantimes are made finite.
# fail2ban's reader accepts the ";" inline comments below (they appear in the stock file);
# most other INI parsers would keep them as part of the value
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
[pam-generic]
# inactive: inherits enabled = false from [DEFAULT]
# PAM failures can come from any service, so ban on all ports
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
# inactive: inherits enabled = false from [DEFAULT]
# logging variant of the multiport ban action
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
[stunnel]
# inactive: inherits enabled = false from [DEFAULT]; no port override, so bans would use the [DEFAULT] port = 0:65535
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
# inactive: inherits enabled = false from [DEFAULT]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
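[counter-strike]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /opt/cstrike/logs/L[0-9]*.log
# jail-local variables consumed by the two actions below via %(tcpport)s / %(udpport)s
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
# tcp and udp bans; the second line is indented so configparser joins it to action
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]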
[nagios]
# inactive: inherits enabled = false from [DEFAULT]
# ";" inline comment accepted by fail2ban's reader (present in the stock file); not portable to other INI parsers
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
# bans on all ports
banaction = %(banaction_allports)s
[directadmin]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /var/lib/portsentry/portsentry.history
# one portsentry hit is enough
maxretry = 1
[pass2allow-ftp]
# inactive: inherits enabled = false from [DEFAULT]
# looks like an allow-list ("knock") jail rather than a ban jail: blocktype/returntype are
# swapped (RETURN for matched hosts, DROP otherwise), so a client that requested knocking_url
# on the web server is let through to the FTP ports for bantime seconds — confirm against
# the stock pass2allow description before relying on it
port = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
# jail-local variable passed into the filter
filter = apache-pass[knocking_url="%(knocking_url)s"]
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
# overrides the permanent bantime = -1 from [DEFAULT]
bantime = 3600
# a single knock within a 1-second window is enough
maxretry = 1
findtime = 1
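[murmur]
# inactive: inherits enabled = false from [DEFAULT]
port = 64738
# tcp and udp bans; the second line is indented so configparser joins it to action
# (protocol values here are unquoted, unlike the [DEFAULT] action variants)
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log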
[screensharingd]
# inactive: inherits enabled = false from [DEFAULT]
logpath = /var/log/system.log
# overrides logencoding = auto from [DEFAULT]
logencoding = utf-8
[haproxy-http-auth]
# inactive: inherits enabled = false from [DEFAULT]; no port override, so bans would use the [DEFAULT] port = 0:65535
logpath = /var/log/haproxy.log
[slapd]
# inactive: inherits enabled = false from [DEFAULT]
port = ldap,ldaps
# same as the jail name, so redundant with the [DEFAULT] filter = %(__name__)s
filter = slapd
logpath = /var/log/slapd.log
Atenciosamente,
Henrique Fagundes
Analista de Suporte Linux
su...@ap...
Skype: magnata-br-rj
Linux User: 475399
https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://t.me/AprendendoLinux
https://t.me/GrupoAprendendoLinux
______________________________________________________________________
Participe do Grupo Aprendendo Linux
https://listas.aprendendolinux.com/listinfo/aprendendolinux
Ou envie um e-mail para:
apr...@li...
---- Ativado Sáb, 15 fev 2020 10:56:55 -0300 Dudi Goldenberg <du...@ko...> escreveu ----
> Hi,
>
> The regex is fine for the log lines that you showed.
>
> Try to go over the rest of the jail and verify that its properly configured.
>
> Regards,
>
> Dudi
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:su...@ap...]
> Sent: Saturday, February 15, 2020 15:45
> To: Dudi Goldenberg <du...@ko...>
> Cc: Fail2ban Users <fai...@li...>
> Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> Friend,
>
> In practice, it doesn't work!
> I am deliberately failing the logins and it does not block.
>
> I did a test with FTP and it blocks normally.
> I don't know what's going on.
>
> ---- Ativado Sáb, 15 fev 2020 10:32:34 -0300 Dudi Goldenberg <du...@ko...> escreveu ----
> > Well,
> >
> > According to the test it did work:
> >
> > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
> >
> > So you have 182 matches.
> >
> > Regards,
> >
> > Dudi
> >
> > -----Original Message-----
> > From: Henrique Fagundes [mailto:su...@ap...]
> > Sent: Saturday, February 15, 2020 15:28
> > To: Dudi Goldenberg <du...@ko...>
> > Cc: Fail2ban Users <fai...@li...>
> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> >
> > Friend,
> >
> > Unfortunately, the rule you gave me didn't work!
> >
> > The log file is /var/log/secure.
> >
> > I ran the command below:
> >
> > fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
> >
> > This was the output:
> >
> > Running tests
> > =============
> >
> > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > Use log file : /var/log/secure
> > Use encoding : UTF-8
> >
> >
> > Results
> > =======
> >
> > Failregex: 182 total
> > |- #) [# of hits] regular expression
> > | 1) [182] user denied: .+ from <HOST>\s*$
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> > `-
> >
> > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
> >
> > Missed line(s): too many to print. Use --print-all-missed to print all 590 lines
> >
> > Is there anything else I can do to resolve the issue?
> >
> > ---- Ativado Sáb, 15 fev 2020 10:07:12 -0300 Dudi Goldenberg <du...@ko...> escreveu ----
> > > Hi,
> > >
> > > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read:
> > >
> > > failregex = user denied: .+ from <HOST>\s*$
> > >
> > > The tst is a file I created with the log lines in it for testing...
> > >
> > > After you modify phpmyadmin.conf this should work and show matches:
> > >
> > > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
> > >
> > > Make sure you insert the real path to the log file instead of /path/to/logfile.
> > >
> > > Regards,
> > >
> > > Dudi
> > >
> > > -----Original Message-----
> > > From: Henrique Fagundes [mailto:su...@ap...]
> > > Sent: Saturday, February 15, 2020 13:26
> > > To: Dudi Goldenberg <du...@ko...>
> > > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > >
> > > Friend,
> > >
> > > Good Morning! Thanks for answering!
> > > I tested your regular expression and it didn't work, unfortunately.
> > >
> > > The output of my command was like this:
> > >
> > > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
> > >
> > > Running tests
> > > =============
> > >
> > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > > Use single line : tst
> > >
> > >
> > > Results
> > > =======
> > >
> > > Failregex: 0 total
> > >
> > > Ignoreregex: 0 total
> > >
> > > Date template hits:
> > >
> > > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
> > >
> > > |- Missed line(s):
> > > | tst
> > > `-
> > >
> > > Is there anything else I can do to resolve this issue?
> > >
> > > I am grateful!
> > >
> > >
> > >
> > > Atenciosamente,
> > >
> > > Henrique Fagundes
> > > Analista de Suporte Linux
> > > su...@ap...
> > > Skype: magnata-br-rj
> > > Linux User: 475399
> > >
> > > https://www.aprendendolinux.com
> > > https://www.facebook.com/AprendendoLinux
> > > https://youtube.com/AprendendoLinux
> > > https://twitter.com/AprendendoLinux
> > > https://t.me/AprendendoLinux
> > > https://t.me/GrupoAprendendoLinux
> > > ______________________________________________________________________
> > > Participe do Grupo Aprendendo Linux
> > > https://listas.aprendendolinux.com/listinfo/aprendendolinux
> > >
> > > Ou envie um e-mail para:
> > > apr...@li...
> > >
> > >
> > > ---- Ativado Sáb, 15 fev 2020 05:24:41 -0300 Dudi Goldenberg <du...@ko...> escreveu ----
> > > > HI,
> > > >
> > > > I pasted the wrong line.... sorry.
> > > >
> > > > This works:
> > > >
> > > > failregex = user denied: .+ from <HOST>\s*$
> > > >
> > > > ===========
> > > >
> > > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
> > > >
> > > > Running tests
> > > > =============
> > > >
> > > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
> > > > Use log file : tst
> > > >
> > > >
> > > > Results
> > > > =======
> > > >
> > > > Failregex: 1 total
> > > > |- #) [# of hits] regular expression
> > > > | 4) [1] user denied: .+ from <HOST>\s*$
> > > > `-
> > > >
> > > > Ignoreregex: 0 total
> > > >
> > > > Date template hits:
> > > > |- [# of hits] date format
> > > > | [1] MONTH Day Hour:Minute:Second
> > > >
> > > > `-
> > > >
> > > >
> > > > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> > > >
> > > > Regards,
> > > >
> > > > Dudi
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Henrique Fagundes [mailto:su...@ap...]
> > > > Sent: Saturday, February 15, 2020 3:34
> > > > To: fail2ban-users <fai...@li...>
> > > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > > >
> > > > Dear Colleagues,
> > > >
> > > > I begin by apologizing for any communication errors, as I am Brazilian and still adapting to the English language.
> > > >
> > > > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> > > >
> > > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > > > My PhpMyAdmin is version 4.9.0.1.
> > > >
> > > > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
> > > >
> > > > And it produces output like this:
> > > >
> > > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > > > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> > > >
> > > > So, I configured my “/etc/fail2ban/jail.conf” like this:
> > > >
> > > > [phpmyadmin]
> > > > enabled = true
> > > > port = http,https
> > > > filter = phpmyadmin
> > > > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> > > >          sendmail-whois[name=PHPMYADMIN, des...@sy...]
> > > > logpath = /var/log/secure
> > > > maxretry = 3
> > > >
> > > > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> > > >
> > > > [Definition]
> > > > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > > > failregex = ^<HOST> -.*(?:%(denied)s)$
> > > > ignoreregex =
> > > >
> > > > I believe I am not able to form the expression correctly, as Fail2Ban is not blocking at all.
> > > >
> > > > Could someone help me in this matter?
> > > >
> > > > I'll be very grateful.
> > > >
> > > >
> > > > _______________________________________________
> > > > Fail2ban-users mailing list
> > > > Fai...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > > >
> > >
> >
>