Friend,
Unfortunately, the rule you gave me didn't work!
The log file is /var/log/secure.
I ran the command below:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
That was the output:
Running tests
=============
Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
Use log file : /var/log/secure
Use encoding : UTF-8
Results
=======
Failregex: 182 total
|- #) [# of hits] regular expression
| 1) [182] user denied: .+ from <HOST>\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 772 lines, 0 ignored, 182 matched, 590 missed
[processed in 0.08 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 590 lines
Is there anything else I can do to resolve the issue?
---- On Sat, 15 Feb 2020 10:07:12 -0300 Dudi Goldenberg
<[email protected]> wrote ----
> Hi,
>
> You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the
> failregex line to read:
>
> failregex = user denied: .+ from <HOST>\s*$
>
> The tst is a file I created with the log lines in it for testing...
>
> After you modify phpmyadmin.conf this should work and show matches:
>
> fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
>
> Make sure you insert the real path to the log file instead of
> /path/to/logfile.
>
> Regards,
>
> Dudi
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:[email protected]]
> Sent: Saturday, February 15, 2020 13:26
> To: Dudi Goldenberg <[email protected]>
> Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> Friend,
>
> Good Morning! Thanks for answering!
> I tested his regular expression and it didn't work, unfortunately.
>
> The output of my command was like this:
>
> [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
>
> Running tests
> =============
>
> Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> Use single line : tst
>
>
> Results
> =======
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
>
> Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
>
> |- Missed line(s):
> | tst
> `-
>
> Is there anything else I can do to resolve this issue?
>
> I am grateful!
>
>
>
> Regards,
>
> Henrique Fagundes
> Linux Support Analyst
> [email protected]
> Skype: magnata-br-rj
> Linux User: 475399
>
> https://www.aprendendolinux.com
> https://www.facebook.com/AprendendoLinux
> https://youtube.com/AprendendoLinux
> https://twitter.com/AprendendoLinux
> https://t.me/AprendendoLinux
> https://t.me/GrupoAprendendoLinux
> ______________________________________________________________________
> Join the Aprendendo Linux Group
> https://listas.aprendendolinux.com/listinfo/aprendendolinux
>
> Or send an e-mail to:
> [email protected]
>
>
> ---- On Sat, 15 Feb 2020 05:24:41 -0300 Dudi Goldenberg
> <[email protected]> wrote ----
> > Hi,
> >
> > I pasted the wrong line.... sorry.
> >
> > This works:
> >
> > failregex = user denied: .+ from <HOST>\s*$
> >
> > ===========
> >
> > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
> >
> > Running tests
> > =============
> >
> > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
> > Use log file : tst
> >
> >
> > Results
> > =======
> >
> > Failregex: 1 total
> > |- #) [# of hits] regular expression
> > | 4) [1] user denied: .+ from <HOST>\s*$
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > | [1] MONTH Day Hour:Minute:Second
> > `-
> >
> > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> >
> > Regards,
> >
> > Dudi
> >
> > -----Original Message-----
> > From: Henrique Fagundes [mailto:[email protected]]
> > Sent: Saturday, February 15, 2020 3:34
> > To: fail2ban-users <[email protected]>
> > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> >
> > Dear Colleagues,
> >
> > I begin by apologizing for any communication error, as I am Brazilian
> > and I still try to adapt with the English language.
> >
> > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> >
> > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > My PhpMyAdmin is version 4.9.0.1.
> >
> > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure”
> > file.
> >
> > And it has an output like this:
> >
> > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> >
> > So, I configured my “/etc/fail2ban/jail.conf” like this:
> >
> > [phpmyadmin]
> > enabled = true
> > port = http,https
> > filter = phpmyadmin
> > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > logpath = /var/log/secure
> > maxretry = 3
> >
> > And the filter configuration file
> > (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> >
> > [Definition]
> > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > failregex = ^<HOST> -.*(?:%(denied)s)$
> > ignoreregex =
> >
> > I believe I am not able to correctly form the expression, as Fail2Ban
> > is not blocking at all.
> >
> > Could someone help me in this matter?
> >
> > I'll be very grateful.
> >
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
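
Added example, not part of the thread and not fail2ban's own code: a Python check of the two failregex lines discussed above against the log lines posted in the first message. It assumes a simplified IPv4-only stand-in for `<HOST>` and a fixed syslog date pattern; `find_host` and `report` are hypothetical helper names, and two of the sample lines are constructed.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
# (the real tag also accepts IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Syslog timestamp such as "Feb 14 21:40:37". fail2ban removes the matched
# date from the line before applying failregex, so the same is done here.
DATE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ?")

DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FILTERS = {
    # failregex from the first message, with %(denied)s expanded
    "original": r"^<HOST> -.*(?:%s)$" % DENIED,
    # failregex suggested in the reply
    "suggested": r"user denied: .+ from <HOST>\s*$",
}

SAMPLE = [
    # two lines quoted in the thread
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10",
    # constructed: unrelated sshd line that must not match
    "Feb 14 21:43:00 www sshd[4100]: Accepted publickey for admin from 192.0.2.7 port 50022 ssh2",
    # constructed: user field that itself contains " from <address>"
    "Feb 14 21:44:00 www phpMyAdmin[3982]: user denied: a from 198.51.100.9 (mysql-denied) from 203.0.113.5",
]


def find_host(failregex, line):
    """Return the address the filter would extract from line, or None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    match = pattern.search(DATE.sub("", line, count=1))
    return match.group("host") if match else None


def report(lines=SAMPLE):
    """Map each filter name to the host found on every sample line."""
    return {name: [find_host(rx, line) for line in lines]
            for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(name, hosts)
```

The original expression expects the address at the start of the line, as in a web access log, so it finds nothing in these syslog-style lines. The suggested one extracts the trailing address, and its `\s*$` anchor keeps the match on the last `from` field of the line.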