Hi, <HOST> should appear last in the regex, as it is last in the log line.
Try this:

    failregex = ^%(__prefix_line)suser denied: .* <HOST>

I tested this with fail2ban-regex and it matches.

Regards,
Dudi

-----Original Message-----
From: Henrique Fagundes [mailto:[email protected]]
Sent: Saturday, February 15, 2020 3:34
To: fail2ban-users <[email protected]>
Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

Dear Colleagues,

I begin by apologizing for any communication error, as I am Brazilian and I am still trying to adapt to the English language.

I'm having a hard time getting Fail2Ban to work on phpmyadmin.

I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. My PhpMyAdmin is version 4.9.0.1.

I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file. And it has an output like this:

    Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
    Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
    Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
    Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10

So, I configured my “/etc/fail2ban/jail.conf” like this:

    [phpmyadmin]
    enabled = true
    port = http,https
    filter = phpmyadmin
    action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
             sendmail-whois[name=PHPMYADMIN, [email protected]]
    logpath = /var/log/secure
    maxretry = 3

And in the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:

    [Definition]
    denied = mysql-denied|allow-denied|root-denied|empty-denied
    failregex = ^<HOST> -.*(?:%(denied)s)$
    ignoreregex =

I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.

Could someone help me in this matter? I'll be very grateful.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
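An added example, not part of the original thread and not fail2ban's own code: a Python check of both failregex lines against the four quoted log lines, showing why the first never matches and the second captures the address. The `HOST`, `TIMESTAMP` and `__prefix_line` patterns are simplified stand-ins (assumptions) for fail2ban's `<HOST>` tag, date handling and the `__prefix_line` option from common.conf; `fail2ban-regex` remains the authoritative test.

```python
import re
from collections import Counter

# The four log lines quoted in the original message.
LOG_LINES = [
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10",
]

# Simplified stand-ins (assumptions, not fail2ban's real definitions).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"           # IPv4 only
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
DEFINITIONS = {
    "__prefix_line": r"\S+ \S+\[\d+\]: ",             # "hostname daemon[pid]: "
    "denied": "mysql-denied|allow-denied|root-denied|empty-denied",
}

ORIGINAL = "^<HOST> -.*(?:%(denied)s)$"                 # filter from the question
SUGGESTED = "^%(__prefix_line)suser denied: .* <HOST>"  # filter from the reply


def compile_failregex(failregex):
    """Interpolate %(name)s options, then substitute the <HOST> tag."""
    return re.compile((failregex % DEFINITIONS).replace("<HOST>", HOST))


def failures_per_host(failregex, lines):
    """Count matching lines per captured host, after removing the timestamp."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(TIMESTAMP.sub("", line))
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_over_maxretry(failregex, lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, dict(failures_per_host(rx, LOG_LINES)), hosts_over_maxretry(rx, LOG_LINES))
```

The original pattern expects the address at the start of the line and a denied-reason at the end, which is the reverse of the order phpMyAdmin writes to /var/log/secure, so it counts zero failures.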
