On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes <[email protected]> wrote:
> Dear Colleagues,
>
> I begin by apologizing for any communication error, as I am Brazilian and
> I still try to adapt with the English language.
>
> I'm having a hard time getting Fail2Ban to work on phpmyadmin.
>
> I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> My PhpMyAdmin is version 4.9.0.1.
>
> I noticed that PhpMyAdmin logs login failures in the “/var/log/secure”
> file.
>
> And he has an output like this:
>
> Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
>
> So, I configured my “/etc/fail2ban/jail.conf” like this:
>
> [phpmyadmin]
> enabled = true
> port = http,https
> filter = phpmyadmin
> action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
>          sendmail-whois[name=PHPMYADMIN, [email protected]]
> logpath = /var/log/secure
> maxretry = 3
>
> And the filter configuration file
> (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
>
> [Definition]
> denied = mysql-denied|allow-denied|root-denied|empty-denied
> failregex = ^<HOST> -.*(?:%(denied)s)$
> ignoreregex =
>
> I believe I am not able to correctly form the expression, as Fail2Ban is
> not blocking at all.
>
> Could someone help me in this matter?
>
> I'll be very grateful.
>

Try replacing your failregex line with this:

failregex = user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$

It does not use the 'denied' variable (so that line could be removed from your filter file). It would be better if it was defined with an anchor (and matching text/variables) at the front of the regex but it is probably good enough for your purposes, the risk of resulting FPs is small I think.
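Added example, not part of either message and not fail2ban's own code: a small Python check that runs the original and the suggested failregex over the log lines quoted above, plus a front-anchored variant of the kind the reply alludes to. Assumptions: the HOST pattern is an IPv4-only stand-in for fail2ban's <HOST> tag, the timestamp stripping approximates fail2ban's date handling, and ANCHORED and FOREIGN_LINE are constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (the real
# expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Approximation: fail2ban removes the matched timestamp before failregex runs.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s*")

# Filter from the question, with its 'denied' variable.
ORIGINAL = r"^<HOST> -.*(?:%(denied)s)$"
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
# Replacement from the reply.
SUGGESTED = r"user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$"
# Hypothetical anchored form (an assumption, not given in the thread):
# requires "<hostname> phpMyAdmin[pid]: " at the start of the message.
ANCHORED = (r"^\s*\S+ phpMyAdmin\[\d+\]: user denied: \S* "
            r"\((?:mysql|allow|root|empty)-denied\) from <HOST>$")

# Log lines as quoted in the question.
SECURE_LOG = [
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10",
]
# Constructed line: a different program whose message happens to contain the
# same text. It should not count as a phpMyAdmin login failure.
FOREIGN_LINE = ("Feb 14 21:50:00 www otherapp[1234]: note: "
                "user denied: x (mysql-denied) from 203.0.113.7")

def banned_hosts(failregex, lines, variables=None):
    """Return the host captured from every line the failregex matches."""
    pattern = failregex.replace("<HOST>", HOST)
    for name, value in (variables or {}).items():
        pattern = pattern.replace("%(" + name + ")s", value)
    rx = re.compile(pattern)
    hits = []
    for line in lines:
        m = rx.search(SYSLOG_DATE.sub("", line))
        if m:
            hits.append(m.group("host"))
    return hits

if __name__ == "__main__":
    print("original :", banned_hosts(ORIGINAL, SECURE_LOG, {"denied": DENIED}))
    print("suggested:", banned_hosts(SUGGESTED, SECURE_LOG + [FOREIGN_LINE]))
    print("anchored :", banned_hosts(ANCHORED, SECURE_LOG + [FOREIGN_LINE]))
```

On the server itself, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf` runs the real filter against the real log and reports how many lines matched.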
