#1449 Syslog authentication requests / brute-force protection

Needs_decision
open
nobody
Normal
2015-02-15
2013-08-07
Palewolf
No

Currently phpMyAdmin lacks means to protect against brute-force attacks, which poses a security risk.

Since most users are on Linux (but this solution could work on other platforms too), I would like to propose logging authentication processes to syslog. Then sysadmins could easily implement reactive protections, such as a fail2ban filter, denyhosts, etc., and there's no need for phpMyAdmin to implement any banning mechanism and reinvent the wheel.

As an example, the setup I'm currently using is sending a line to syslog on failed accesses in libraries/auth/cookie.auth.lib.php, with:

openlog('phpMyAdmin', LOG_PID, LOG_AUTHPRIV); // LOG_AUTHPRIV is a facility; select it here, then log at a level
syslog(LOG_WARNING, 'phpMyAdmin(cookie): wrong credentials from ' . $_SERVER['REMOTE_ADDR']);

Then I have a fail2ban filter that processes /var/log/secure and bans repeat offenders.

I propose to:
A) Add a configuration option to control whether to send those messages to syslog or not
B) Log all activity to syslog, so that there's a log of failed/successful logins and the sysadmin can act on it

Going one step further, the configuration could be an int (loglevel) or a string (log file path).

Discussion

  • Peter - 2014-09-14

    I found a patch for it, attached.

  • Marc Delisle - 2014-09-16

    Peter,
    who is the author of this patch?

  • Peter - 2014-09-21

    It's used in a web hosting control panel; the patch is open source and could be used in phpMyAdmin code. Author: JMBC software.

  • Marc Delisle - 2015-02-15
    • Priority: 5 --> Normal
