Friend, Follow my /etc/fail2ban/jail.conf settings:
[INCLUDES] before = paths-fedora.conf [DEFAULT] ignoreip = 127.0.0.1/8 ignorecommand = bantime = -1 findtime = 3600 maxretry = 3 backend = auto usedns = warn logencoding = auto enabled = false filter = %(__name__)s destemail = [email protected] sender = [email protected] mta = sendmail protocol = tcp chain = INPUT port = 0:65535 fail2ban_agent = Fail2Ban/%(fail2ban_version)s banaction = iptables-multiport banaction_allports = iptables-allports action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] action = %(action_)s [sshd] port = 17169 logpath = %(sshd_log)s backend = %(sshd_backend)s [sshd-ddos] port = 17169 logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] port = 17169 logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] port = 17169 logpath = %(auditd_log)s [phpmyadmin] enabled = true port = http,https filter = phpmyadmin action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp] #sendmail-whois[name=PHPMYADMIN, [email protected]] logpath = /var/log/secure maxretry = 3 [apache-auth] enabled = true port = http,https filter = apache-auth action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp] #sendmail-whois[name=APACHE, [email protected]] logpath = /var/log/httpd/*/*_error.log maxretry = 3 [drupal-comment] enabled = true port = http,https filter = drupal-comment action = iptables-multiport[name=drupal-comment, port="http,https", protocol=tcp] #sendmail-whois[name=DRUPAL, [email protected]] logpath = /var/log/messages maxretry = 3 [drupal-auth] enabled = true port = http,https filter = drupal-auth action = iptables-multiport[name=drupal-auth, port="http,https", protocol=tcp] #sendmail-whois[name=DRUPAL, [email protected]] logpath = /var/log/messages maxretry = 3 [apache-noscript] enabled = true port = http,https filter = apache-noscript action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp] #sendmail-whois[name=APACHE, [email protected]] logpath = /var/log/httpd/*/*_error.log maxretry = 3 [apache-overflows] enabled = true port = http,https filter = apache-overflows action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp] #sendmail-whois[name=APACHE, [email protected]] logpath = /var/log/httpd/*/*_error.log maxretry = 3 [apache-badbots] enabled = true port = http,https filter = apache-badbots action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp] #sendmail-whois[name=APACHE, [email protected]] logpath = /var/log/httpd/*/*_error.log maxretry = 3 [openhab-auth] filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] port = http,https logpath = %(nginx_error_log)s [nginx-limit-req] port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] port = http,https logpath = %(nginx_error_log)s maxretry = 2 [php-url-fopen] port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] port = http,https logpath = %(lighttpd_error_log)s [roundcube-auth] port = http,https logpath = %(roundcube_errors_log)s [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https #[drupal-auth] #port = http,https #logpath = %(syslog_daemon)s #backend = %(syslog_backend)s [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] port = 2812 logpath = /var/log/monit [webmin-auth] port = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s enable = true action = iptables-multiport[name=vsftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp] #sendmail-whois[name=fail2ban-vsftpd-bruteforce, [email protected]] maxretry = 3 [assp] port = smtp,465,submission logpath = /var/log/mail.log [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 [sendmail-auth] port = submission,465,smtp logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current [dovecot] port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] port = smtp,465,submission logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(postfix_log)s backend = %(postfix_backend)s [perdition] port = imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] port = imap3,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log [asterisk] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 10 [mysqld-auth] port = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s [mongodb-auth] port = 27017 logpath = /var/log/mongodb/mongodb.log [recidive] logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 604800 ; 1 week findtime = 86400 ; 1 day [pam-generic] banaction = %(banaction_allports)s logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s backend = %(syslog_backend)s maxretry = 2 [stunnel] logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-strike] logpath = /opt/cstrike/logs/L[0-9]*.log tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] [nagios] logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 [oracleims] logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s [directadmin] logpath = /var/log/directadmin/login.log port = 2222 [portsentry] logpath = /var/lib/portsentry/portsentry.history maxretry = 1 [pass2allow-ftp] port = ftp,ftp-data,ftps,ftps-data knocking_url = /knocking/ filter = apache-pass[knocking_url="%(knocking_url)s"] logpath = %(apache_access_log)s blocktype = RETURN returntype = DROP bantime = 3600 maxretry = 1 findtime = 1 [murmur] port = 64738 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/mumble-server/mumble-server.log [screensharingd] logpath = /var/log/system.log logencoding = utf-8 [haproxy-http-auth] logpath = /var/log/haproxy.log [slapd] port = ldap,ldaps filter = slapd logpath = /var/log/slapd.log Atenciosamente, Henrique Fagundes Analista de Suporte Linux [email protected] Skype: magnata-br-rj Linux User: 475399 https://www.aprendendolinux.com https://www.facebook.com/AprendendoLinux https://youtube.com/AprendendoLinux https://twitter.com/AprendendoLinux https://t.me/AprendendoLinux https://t.me/GrupoAprendendoLinux ______________________________________________________________________ Participe do Grupo Aprendendo Linux https://listas.aprendendolinux.com/listinfo/aprendendolinux Ou envie um e-mail para: [email protected] ---- Ativado Sáb, 15 fev 2020 10:56:55 -0300 Dudi Goldenberg <[email protected]> escreveu ---- > Hi, > > The regex is fine for the log lines that you showed. > > Try to go over the rest of the jail and verify that its properly configured. > > Regards, > > Dudi > > -----Original Message----- > From: Henrique Fagundes [mailto:[email protected]] > Sent: Saturday, February 15, 2020 15:45 > To: Dudi Goldenberg <[email protected]> > Cc: Fail2ban Users <[email protected]> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin > > Friend, > > In practice, it doesn't work! > I am purposely missing the logins and does not block. > > I did a test with FTP and it blocks normally. > I don't know what's going on. > > ---- Ativado Sáb, 15 fev 2020 10:32:34 -0300 Dudi Goldenberg > <[email protected]> escreveu ---- > Well, > > According to the test it did > work: > > > > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 > sec] > > So you have 182 matches. > > > > Regards, > > > > Dudi > > > > -----Original Message----- > > From: Henrique Fagundes [mailto:[email protected]] > > Sent: Saturday, February 15, 2020 15:28 > To: Dudi Goldenberg > <[email protected]> > Cc: Fail2ban Users > <[email protected]> > > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin > > > Friend, > > Unfortunately, the rule you gave me didn't work! > > > > The log file is /var/ log /secure. > > > > I ran the command below: > > > > fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf > > > > That was the way out: > > > > Running tests > > ============= > > > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban > > Use log file : /var/log/secure > > Use encoding : UTF-8 > > > > > > Results > > ======= > > > > Failregex: 182 total > > |- #) [# of hits] regular expression > > | 1) [182] user denied: .+ from <HOST>\s*$ > > `- > > > > Ignoreregex: 0 total > > > > Date template hits: > > |- [# of hits] date format > > | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: > ExYear)? > > `- > > > > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 > sec] > > Missed line(s): too many to print. Use --print-all-missed to > print all 590 lines > > Is there anything else I can do to resolve the > issue? > > > > ---- Ativado Sáb, 15 fev 2020 10:07:12 -0300 Dudi Goldenberg > <[email protected]> escreveu ---- > Hi, > > You should edit > /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read: > > > > > > failregex = user denied: .+ from <HOST>\s*$ > > The tst is a file I > created with the log lines in it for testing... > > > > > > After you modify phpmyadmin.conf this should work and show matches: > > > > > > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf > > > > > > Make sure you insert the real path to the log file instead of > /path/to/logfile. > > > > > > Regards, > > > > > > Dudi > > > > > > -----Original Message----- > > > From: Henrique Fagundes [mailto:[email protected]] > > > Sent: Saturday, February 15, 2020 13:26 > To: Dudi Goldenberg > <[email protected]> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on > PhpMyAdmin > > Friend, > > Good Morning! Thanks for answering! > > > I tested his regular expression and it didn't work, unfortunately. > > > > > > The output of my command was like this: > > > > > > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf > > > > > > Running tests > > > ============= > > > > > > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban > > > Use single line : tst > > > > > > > > > Results > > > ======= > > > > > > Failregex: 0 total > > > > > > Ignoreregex: 0 total > > > > > > Date template hits: > > > > > > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec] > > > |- Missed line(s): > > > | tst > > > `- > > > > > > Is there anything else I can do to resolve this issue? > > > > > > I am grateful! > > > > > > > > > > > > Atenciosamente, > > > > > > Henrique Fagundes > > > Analista de Suporte Linux > > > [email protected] > > > Skype: magnata-br-rj > > > Linux User: 475399 > > > > > > https://www.aprendendolinux.com > > > https://www.facebook.com/AprendendoLinux > > > https://youtube.com/AprendendoLinux > > > https://twitter.com/AprendendoLinux > > > https://t.me/AprendendoLinux > > > https://t.me/GrupoAprendendoLinux > > > ______________________________________________________________________ > > > Participe do Grupo Aprendendo Linux > > > https://listas.aprendendolinux.com/listinfo/aprendendolinux > > > > > > Ou envie um e-mail para: > > > [email protected] > > > > > > > > > ---- Ativado Sáb, 15 fev 2020 05:24:41 -0300 Dudi Goldenberg > <[email protected]> escreveu ---- > HI, > > I pasted the wrong line.... > sorry. > > > > > > > > This works: > > > > > > > > failregex = user denied: .+ from <HOST>\s*$ > > =========== > > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf > > > Running tests > ============= > > > > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf > > > > Use log file : tst > > > > > > > > > > > > Results > > > > ======= > > > > > > > > Failregex: 1 total > > > > |- #) [# of hits] regular expression > > > > | 4) [1] user denied: .+ from <HOST>\s*$ > > > > `- > > > > > > > > Ignoreregex: 0 total > > > > > > > > Date template hits: > > > > |- [# of hits] date format > > > > | [1] MONTH Day Hour:Minute:Second > > `- > > > > Lines: 1 > lines, 0 ignored, 1 matched, 0 missed > > Regards, > > Dudi > > > > -----Original Message----- > From: Henrique Fagundes > [mailto:[email protected]] > > > > Sent: Saturday, February 15, 2020 3:34 > To: fail2ban-users > <[email protected]> > > > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin > > > Dear Colleagues, > > I begin by apologizing for any communication error, > as I am Brazilian and I still try to adapt with the English language. > > > > > > > > I'm having a hard time getting Fail2Ban to work on phpmyadmin. > > > > > > > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. > > > > My PhpMyAdmin is version 4.9.0.1. > > > > > > > > I noticed that PhpMyAdmin logs login failures in the “/var/log/ > secure” file. > > > > > > > > And he has an output like this: > > > > > > > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root > (mysql-denied) from 177.122.254.10 Feb 14 21:42:07 www phpMyAdmin[3978]: > user denied: root (mysql-denied) from 177.122.254.10 Feb 14 21:42:09 www > phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10 Feb > 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from > 177.122.254.10 > > So, I configured my “/etc/fail2ban/jail.conf” like this: > > > > > > > > [phpmyadmin] > > > > enabled = true > > > > port = http,https > > > > filter = phpmyadmin > > > > action = iptables-multiport[name=phpmyadmin, port="http,https", > protocol=tcp] sendmail-whois[name=PHPMYADMIN, [email protected]] > logpath = /var/log/secure maxretry = 3 > > And the filter configuration > file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this: > > > > > > > > [Definition] > > > > denied = mysql-denied|allow-denied|root-denied|empty-denied > > > > failregex = ^<HOST> -.*(?:%(denied)s)$ > ignoreregex = > > I > believe I am not able to correctly form the expression, as Fail2Ban is not > blocking at all. > > > > > > > > Could someone help me in this matter? > > > > > > > > I'll be very grateful. > > > > > > > > > > > > _______________________________________________ > > > > Fail2ban-users mailing list > > > > [email protected] > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > > > > > > > > _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
