Hi,

The regex is fine for the log lines that you showed.
Try to go over the rest of the jail and verify that it's properly configured.

Regards,

Dudi

-----Original Message-----
From: Henrique Fagundes [mailto:[email protected]]
Sent: Saturday, February 15, 2020 15:45
To: Dudi Goldenberg <[email protected]>
Cc: Fail2ban Users <[email protected]>
Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

Friend,

In practice, it doesn't work! I am purposely missing the logins and it does not block.
I did a test with FTP and it blocks normally. I don't know what's going on.

---- On Sat, 15 Feb 2020 10:32:34 -0300 Dudi Goldenberg <[email protected]> wrote ----

> Well,
>
> According to the test it did work:
>
> Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
>
> So you have 182 matches.
>
> Regards,
>
> Dudi
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:[email protected]]
> Sent: Saturday, February 15, 2020 15:28
> To: Dudi Goldenberg <[email protected]>
> Cc: Fail2ban Users <[email protected]>
> Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> Friend,
>
> Unfortunately, the rule you gave me didn't work!
>
> The log file is /var/log/secure.
>
> I ran the command below:
>
> fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
>
> That was the way out:
>
> Running tests
> =============
>
> Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> Use log file : /var/log/secure
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 182 total
> |- #) [# of hits] regular expression
> | 1) [182] user denied: .+ from <HOST>\s*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all 590 lines
>
> Is there anything else I can do to resolve the issue?
>
> ---- On Sat, 15 Feb 2020 10:07:12 -0300 Dudi Goldenberg <[email protected]> wrote ----
>
> > Hi,
> >
> > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read:
> >
> > failregex = user denied: .+ from <HOST>\s*$
> >
> > The tst is a file I created with the log lines in it for testing...
> >
> > After you modify phpmyadmin.conf this should work and show matches:
> >
> > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
> >
> > Make sure you insert the real path to the log file instead of /path/to/logfile.
> >
> > Regards,
> >
> > Dudi
> >
> > -----Original Message-----
> > From: Henrique Fagundes [mailto:[email protected]]
> > Sent: Saturday, February 15, 2020 13:26
> > To: Dudi Goldenberg <[email protected]>
> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> >
> > Friend,
> >
> > Good Morning! Thanks for answering!
> >
> > I tested his regular expression and it didn't work, unfortunately.
> >
> > The output of my command was like this:
> >
> > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
> >
> > Running tests
> > =============
> >
> > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > Use single line : tst
> >
> >
> > Results
> > =======
> >
> > Failregex: 0 total
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> >
> > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
> > |- Missed line(s):
> > | tst
> > `-
> >
> > Is there anything else I can do to resolve this issue?
> >
> > I am grateful!
> >
> > Sincerely,
> >
> > Henrique Fagundes
> > Linux Support Analyst
> > [email protected]
> > Skype: magnata-br-rj
> > Linux User: 475399
> >
> > https://www.aprendendolinux.com
> > https://www.facebook.com/AprendendoLinux
> > https://youtube.com/AprendendoLinux
> > https://twitter.com/AprendendoLinux
> > https://t.me/AprendendoLinux
> > https://t.me/GrupoAprendendoLinux
> > ______________________________________________________________________
> > Join the Aprendendo Linux group
> > https://listas.aprendendolinux.com/listinfo/aprendendolinux
> >
> > Or send an e-mail to:
> > [email protected]
> >
> > ---- On Sat, 15 Feb 2020 05:24:41 -0300 Dudi Goldenberg <[email protected]> wrote ----
> >
> > > Hi,
> > >
> > > I pasted the wrong line.... sorry.
> > >
> > > This works:
> > >
> > > failregex = user denied: .+ from <HOST>\s*$
> > >
> > > ===========
> > >
> > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
> > >
> > > Running tests
> > > =============
> > >
> > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
> > > Use log file : tst
> > >
> > >
> > > Results
> > > =======
> > >
> > > Failregex: 1 total
> > > |- #) [# of hits] regular expression
> > > | 4) [1] user denied: .+ from <HOST>\s*$
> > > `-
> > >
> > > Ignoreregex: 0 total
> > >
> > > Date template hits:
> > > |- [# of hits] date format
> > > | [1] MONTH Day Hour:Minute:Second
> > > `-
> > >
> > > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> > >
> > > Regards,
> > >
> > > Dudi
> > >
> > > -----Original Message-----
> > > From: Henrique Fagundes [mailto:[email protected]]
> > > Sent: Saturday, February 15, 2020 3:34
> > > To: fail2ban-users <[email protected]>
> > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > >
> > > Dear Colleagues,
> > >
> > > I begin by apologizing for any communication error, as I am Brazilian and I still try to adapt with the English language.
> > >
> > > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> > >
> > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > > My PhpMyAdmin is version 4.9.0.1.
> > >
> > > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
> > >
> > > And he has an output like this:
> > >
> > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> > >
> > > So, I configured my “/etc/fail2ban/jail.conf” like this:
> > >
> > > [phpmyadmin]
> > > enabled = true
> > > port = http,https
> > > filter = phpmyadmin
> > > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> > >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > > logpath = /var/log/secure
> > > maxretry = 3
> > >
> > > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> > >
> > > [Definition]
> > > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > > failregex = ^<HOST> -.*(?:%(denied)s)$
> > > ignoreregex =
> > >
> > > I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.
> > >
> > > Could someone help me in this matter?
> > >
> > > I'll be very grateful.
> > >
> > > _______________________________________________
> > > Fail2ban-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
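
Added example, not part of the thread and not fail2ban's own code: a Python model of the filter step discussed above, run on the four /var/log/secure lines from the first message. It shows that the original failregex, which expects the line to start with <HOST>, matches nothing, while `user denied: .+ from <HOST>\s*$` matches all four, and when maxretry = 3 would be reached. The IPv4-only <HOST> pattern, the year and findtime=600 seconds are assumptions; the thread only states maxretry = 3.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the four log lines quoted in the first message.
LOG = """\
Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
""".splitlines()

DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
# The filter as first posted, with %(denied)s interpolated as the config would.
ORIGINAL = r"^<HOST> -.*(?:%(denied)s)$" % {"denied": DENIED}
# The failregex suggested in the replies.
CORRECTED = r"user denied: .+ from <HOST>\s*$"

# Assumption: <HOST> is reduced to a dotted IPv4 capture for this model;
# fail2ban's real substitution also covers IPv6 addresses and DNS names.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DATE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")


def failures(failregex, lines, year=2020):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = []
    for line in lines:
        d = DATE.match(line)
        if not d:
            continue
        # The failregex is applied to the line with the timestamp removed,
        # as fail2ban does, so "^" anchors at the hostname "www".
        m = rx.search(line[d.end():])
        if m:
            ts = datetime.strptime(f"{year} {d.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def first_ban(hits, maxretry=3, findtime=600):
    """Return (time, host) of the failure that reaches maxretry within findtime s."""
    seen = {}
    for ts, host in hits:
        recent = [t for t in seen.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        seen[host] = recent
        if len(recent) >= maxretry:
            return ts, host
    return None
```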
