Currently phpMyAdmin lacks means to protect against brute-force attacks, which poses a security risk.
Since most users are on Linux (but this solution could work on other platforms too), I would like to propose logging authentication processes to syslog. Then sysadmins could easily implement reactive protections, such as a fail2ban filter, denyhosts, etc., and there's no need for phpMyAdmin to implement any banning mechanism and reinvent the wheel.
As an example, the setup I'm currently using is sending a line to syslog on failed accesses in libraries/auth/cookie.auth.lib.php, with:
openlog('phpMyAdmin', LOG_PID, LOG_AUTHPRIV); // the facility belongs in openlog(); syslog() takes a priority level
syslog(LOG_WARNING, 'phpMyAdmin(cookie): wrong credentials from ' . $_SERVER['REMOTE_ADDR']);
Then I have a fail2ban filter that processes /var/log/secure and bans repeat offenders.
I propose to:
A) Add a configuration option to control whether to send those messages to syslog or not
B) Log all activity to syslog, so that there's a log of failed/successful logins and sysadmins can act on it
Going one step further, the configuration could be an int (loglevel) or a string (log file path).
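As an added illustration of the reactive side of this proposal (not part of the original post or of phpMyAdmin), the following Python applies the same maxretry/findtime rule a fail2ban jail would to the syslog line format shown above. It assumes standard /var/log/secure line layout (timestamp, host, program tag, message); the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the line written by the syslog() call in the post, with the usual
# syslog prefix in front of it. A fail2ban failregex would use <HOST> where
# the named group "host" is here.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: '
    r'phpMyAdmin\(cookie\): wrong credentials from (?P<host>\S+)$'
)

# Constructed sample of /var/log/secure; TEST-NET addresses only.
SAMPLE_SECURE_LOG = [
    "Oct 10 12:00:01 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 203.0.113.5",
    "Oct 10 12:00:07 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 203.0.113.5",
    "Oct 10 12:00:09 db1 sshd[100]: Accepted publickey for alice from 198.51.100.7",
    "Oct 10 12:01:30 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 198.51.100.7",
    "Oct 10 12:02:15 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 203.0.113.5",
    "Oct 10 12:30:00 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 198.51.100.7",
    "Oct 10 12:45:00 db1 phpMyAdmin[4242]: phpMyAdmin(cookie): wrong credentials from 198.51.100.7",
]

def parse_failures(lines, year=2013):
    """Yield (timestamp, host) for each failed phpMyAdmin login line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2013 here)."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m['host']

def offenders(lines, maxretry=3, findtime=600):
    """Return {host: time_of_ban} for hosts reaching maxretry failures inside a
    sliding findtime-second window, mirroring fail2ban's maxretry/findtime."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, host in parse_failures(lines):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in offenders(SAMPLE_SECURE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
```

With the defaults, only 203.0.113.5 (three failures in about two minutes) is flagged; 198.51.100.7's failures are too spread out to count.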
This is interesting: http://serverfault.com/a/435019/67211
I found a patch for it, attached.
Peter,
who is the author of this patch?
It's used in a web hosting control panel; the patch is open source and could be used in phpMyAdmin code. Author: JMBC software.