I am not the OP...

On Sat, 15 Feb 2020 at 13:30, Dudi Goldenberg <[email protected]> wrote:

> Exactly.
>
> Your previous mail says:
>
> failregex = ^<HOST> -.*(?:%(denied)s)$
>
> But in the test command you have “from <HOST>$” at the line end, so it works.
>
> Regards,
>
> Dudi
>
> *From:* Dominic Raferd [mailto:[email protected]]
> *Sent:* Saturday, February 15, 2020 15:16
> *To:* fail2ban-users <[email protected]>
> *Subject:* Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> It works for me - see here:
>
> # fail2ban-regex 'Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10' 'user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$'
>
> Running tests
> =============
>
> Use failregex line : user denied: \S* \((mysql|allow|rooy|empty)-denied...
> Use single line : Feb 14 21:48:06 www phpMyAdmin[3981]: user denied:...
>
>
> Results
> =======
>
> Failregex: 1 total
> |- #) [# of hits] regular expression
> | 1) [1] user denied: \S* \((mysql|allow|rooy|empty)-denied\) from <HOST>$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 1 lines, 0 ignored, 1 matched, 0 missed
>
> On Sat, 15 Feb 2020 at 11:29, Henrique Fagundes <[email protected]> wrote:
>
> Hi friend
>
> I tried to use the "failregex" rule that you indicated. Unfortunately it didn't work! Is there anything else I can try?
>
> I'm grateful!
>
> ---- On Sat, 15 Feb 2020 05:37:26 -0300 Dominic Raferd <[email protected]> wrote ----
>
> On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes <[email protected]> wrote:
>
> > Try replacing your failregex line with this:
> >
> > failregex = user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$
> >
> > It does not use the 'denied' variable (so that line could be removed from your filter file). It would be better if it was defined with an anchor (and matching text/variables) at the front of the regex but it is probably good enough for your purposes, the risk of resulting FPs is small I think.
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
> > Dear Colleagues,
> >
> > I begin by apologizing for any communication error, as I am Brazilian and I still try to adapt to the English language.
> >
> > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> >
> > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > My PhpMyAdmin is version 4.9.0.1.
> >
> > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
> >
> > And it has an output like this:
> >
> > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> >
> > So, I configured my “/etc/fail2ban/jail.conf” like this:
> >
> > [phpmyadmin]
> > enabled = true
> > port = http,https
> > filter = phpmyadmin
> > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > logpath = /var/log/secure
> > maxretry = 3
> >
> > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> >
> > [Definition]
> > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > failregex = ^<HOST> -.*(?:%(denied)s)$
> > ignoreregex =
> >
> > I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.
> >
> > Could someone help me in this matter?
> >
> > I'll be very grateful.
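Added example, not part of any message in this thread: a small Python check of the two failregex lines discussed above against the phpMyAdmin log line, plus a front-anchored variant to show the false-positive point. Assumptions: `<HOST>` is replaced by a simplified IPv4-only group, the timestamp is stripped by a simplified pattern, and the "anchored" regex and the `otherapp` log line are hypothetical.

```python
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag; the real tag
# also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: imitates fail2ban removing the matched syslog timestamp
# before the failregex is applied to the rest of the line.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FILTERS = {
    # Filter file from the first mail: expects the address at line start.
    "original": r"^<HOST> -.*(?:%(denied)s)$" % {"denied": DENIED},
    # Regex suggested in the thread: address at line end, no front anchor.
    "suggested": r"user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$",
    # Hypothetical front-anchored variant (not from the thread).
    "anchored": r"^\s*\S+ phpMyAdmin\[\d+\]: user denied: \S* "
                r"\((?:mysql|allow|root|empty)-denied\) from <HOST>$",
}

# Log line quoted in the thread.
PMA_LINE = ("Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root "
            "(mysql-denied) from 177.122.254.10")
# Constructed line: a different program whose message ends in the same text.
OTHER_LINE = ("Feb 14 22:00:01 www otherapp[77]: msg=user denied: bob "
              "(mysql-denied) from 192.0.2.9")


def reported_host(failregex, line):
    """Return the address the filter would report for this line, or None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    rest = TIMESTAMP.sub("", line, count=1)
    match = pattern.search(rest)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        for label, line in (("phpMyAdmin", PMA_LINE), ("other", OTHER_LINE)):
            print(f"{name:9} {label:10} -> {reported_host(failregex, line)}")
```

On a real system, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf` remains the authoritative test, since it uses fail2ban's own date handling and `<HOST>` expansion.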
