Well, According to the test it did work:
Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec] So you have 182 matches. Regards, Dudi -----Original Message----- From: Henrique Fagundes [mailto:[email protected]] Sent: Saturday, February 15, 2020 15:28 To: Dudi Goldenberg <[email protected]> Cc: Fail2ban Users <[email protected]> Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin Friend, Unfortunately, the rule you gave me didn't work! The log file is /var/ log /secure. I ran the command below: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf That was the way out: Running tests ============= Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban Use log file : /var/log/secure Use encoding : UTF-8 Results ======= Failregex: 182 total |- #) [# of hits] regular expression | 1) [182] user denied: .+ from <HOST>\s*$ `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)? `- Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec] Missed line(s): too many to print. Use --print-all-missed to print all 590 lines Is there anything else I can do to resolve the issue? ---- Ativado Sáb, 15 fev 2020 10:07:12 -0300 Dudi Goldenberg <[email protected]> escreveu ---- > Hi, > > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read: > > failregex = user denied: .+ from <HOST>\s*$ > > The tst is a file I > created with the log lines in it for testing... > > After you modify phpmyadmin.conf this should work and show matches: > > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf > > Make sure you insert the real path to the log file instead of > /path/to/logfile. > > Regards, > > Dudi > > -----Original Message----- > From: Henrique Fagundes [mailto:[email protected]] > Sent: Saturday, February 15, 2020 13:26 > To: Dudi Goldenberg > <[email protected]> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on > PhpMyAdmin > > Friend, > > Good Morning! Thanks for answering! > I tested his regular expression and it didn't work, unfortunately. > > The output of my command was like this: > > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf > > Running tests > ============= > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban > Use single line : tst > > > Results > ======= > > Failregex: 0 total > > Ignoreregex: 0 total > > Date template hits: > > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec] > > > |- Missed line(s): > | tst > `- > > Is there anything else I can do to resolve this issue? > > I am grateful! > > > > Atenciosamente, > > Henrique Fagundes > Analista de Suporte Linux > [email protected] > Skype: magnata-br-rj > Linux User: 475399 > > https://www.aprendendolinux.com > https://www.facebook.com/AprendendoLinux > https://youtube.com/AprendendoLinux > https://twitter.com/AprendendoLinux > https://t.me/AprendendoLinux > https://t.me/GrupoAprendendoLinux > ______________________________________________________________________ > Participe do Grupo Aprendendo Linux > https://listas.aprendendolinux.com/listinfo/aprendendolinux > > Ou envie um e-mail para: > [email protected] > > > ---- Ativado Sáb, 15 fev 2020 05:24:41 -0300 Dudi Goldenberg > <[email protected]> escreveu ---- > HI, > > I pasted the wrong line.... > sorry. > > > > This works: > > > > failregex = user denied: .+ from <HOST>\s*$ > > =========== > > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf > > > Running tests > ============= > > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf > > Use log file : tst > > > > > > Results > > ======= > > > > Failregex: 1 total > > |- #) [# of hits] regular expression > > | 4) [1] user denied: .+ from <HOST>\s*$ > > `- > > > > Ignoreregex: 0 total > > > > Date template hits: > > |- [# of hits] date format > > | [1] MONTH Day Hour:Minute:Second > > `- > > > > Lines: 1 lines, > 0 ignored, 1 matched, 0 missed > > Regards, > > Dudi > > > > -----Original Message----- > From: Henrique Fagundes > [mailto:[email protected]] > > Sent: Saturday, February 15, 2020 3:34 > To: fail2ban-users > <[email protected]> > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin > > Dear > Colleagues, > > I begin by apologizing for any communication error, as I > am Brazilian and I still try to adapt with the English language. > > > > I'm having a hard time getting Fail2Ban to work on phpmyadmin. > > > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. > > My PhpMyAdmin is version 4.9.0.1. > > > > I noticed that PhpMyAdmin logs login failures in the “/var/log/ secure” > file. > > > > And he has an output like this: > > > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) > from 177.122.254.10 Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root > (mysql-denied) from 177.122.254.10 Feb 14 21:42:09 www phpMyAdmin[3982]: > user denied: root (mysql-denied) from 177.122.254.10 Feb 14 21:48:06 www > phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10 > > > So, I configured my “/etc/fail2ban/jail.conf” like this: > > > > [phpmyadmin] > > enabled = true > > port = http,https > > filter = phpmyadmin > > action = iptables-multiport[name=phpmyadmin, port="http,https", > protocol=tcp] sendmail-whois[name=PHPMYADMIN, [email protected]] > logpath = /var/log/secure maxretry = 3 > > And the filter configuration > file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this: > > > > [Definition] > > denied = mysql-denied|allow-denied|root-denied|empty-denied > > failregex = ^<HOST> -.*(?:%(denied)s)$ > ignoreregex = > > I believe I > am not able to correctly form the expression, as Fail2Ban is not blocking at > all. > > > > Could someone help me in this matter? > > > > I'll be very grateful. > > > > > > _______________________________________________ > > Fail2ban-users mailing list > > [email protected] > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
