LogPath:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
                  #sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/secure
maxretry = 3

LOG:

2020-02-15 10:42:38,899 fail2ban.jail           [24481]: INFO    Creating new jail 'apache-badbots'
2020-02-15 10:42:38,901 fail2ban.jail           [24481]: INFO    Jail 'apache-badbots' uses poller {}
2020-02-15 10:42:38,901 fail2ban.jail           [24481]: INFO    Initiated 'polling' backend
2020-02-15 10:42:38,915 fail2ban.filter         [24481]: INFO      maxRetry: 3
2020-02-15 10:42:38,915 fail2ban.filter         [24481]: INFO      findtime: 3600
2020-02-15 10:42:38,915 fail2ban.actions        [24481]: INFO      banTime: -1
2020-02-15 10:42:38,915 fail2ban.filter         [24481]: INFO      encoding: UTF-8
2020-02-15 10:42:38,916 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/httpd/clubenaval.org.br/www_error.log' (pos = 5204, hash = e219f0f332829bc88280b9db329549153768f73d)
2020-02-15 10:42:38,916 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/httpd/clubenaval.org.br/teste_error.log' (pos = 4886, hash = 485cdd7cac30d28770e02f6eef0fe7e2c75bce75)
2020-02-15 10:42:38,916 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/httpd/clubenaval.org.br/phpmyadmin_error.log' (pos = 3616, hash = 2faa788efe6c2b262cbd656fd3d526e8a168d5ce)
2020-02-15 10:42:38,917 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/httpd/clubenaval.org.br/clubesconveniados_error.log' (pos = 5198, hash = 9fe72ef587a33b67602066e13c45873e6b78ef7d)
2020-02-15 10:42:38,917 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/httpd/clubenaval.org.br/centenario_error.log' (pos = 5016, hash = 26b30b9f9a3df00fb63610da947057d996618dd0)
2020-02-15 10:42:38,918 fail2ban.jail           [24481]: INFO    Creating new jail 'vsftpd'
2020-02-15 10:42:38,919 fail2ban.jail           [24481]: INFO    Jail 'vsftpd' uses poller {}
2020-02-15 10:42:38,919 fail2ban.jail           [24481]: INFO    Initiated 'polling' backend
2020-02-15 10:42:38,926 fail2ban.filter         [24481]: INFO      maxRetry: 3
2020-02-15 10:42:38,926 fail2ban.filter         [24481]: INFO      findtime: 3600
2020-02-15 10:42:38,926 fail2ban.actions        [24481]: INFO      banTime: -1
2020-02-15 10:42:38,927 fail2ban.filter         [24481]: INFO      encoding: UTF-8
2020-02-15 10:42:38,927 fail2ban.filter         [24481]: INFO    Added logfile: '/var/log/vsftpd.log' (pos = 1345, hash = 6ae2e84f3a2fd1944c152a0c21907b5eedb13fcb)
2020-02-15 10:42:38,930 fail2ban.jail           [24481]: INFO    Jail 'phpmyadmin' started
2020-02-15 10:42:38,931 fail2ban.jail           [24481]: INFO    Jail 'apache-auth' started
2020-02-15 10:42:38,934 fail2ban.jail           [24481]: INFO    Jail 'drupal-comment' started
2020-02-15 10:42:38,936 fail2ban.jail           [24481]: INFO    Jail 'drupal-auth' started
2020-02-15 10:42:38,945 fail2ban.jail           [24481]: INFO    Jail 'apache-noscript' started
2020-02-15 10:42:38,948 fail2ban.jail           [24481]: INFO    Jail 'apache-overflows' started
2020-02-15 10:42:38,953 fail2ban.jail           [24481]: INFO    Jail 'apache-badbots' started
2020-02-15 10:42:38,963 fail2ban.jail           [24481]: INFO    Jail 'vsftpd' started
2020-02-15 10:42:39,156 fail2ban.actions        [24481]: NOTICE  [vsftpd] Restore Ban 177.124.244.58

 ---- On Sat, 15 Feb 2020 11:21:35 -0300 Henrique Fagundes <[email protected]> wrote ----
 > Friend,
 > 
 > Follow my /etc/fail2ban/jail.conf settings:
 > 
 > [INCLUDES]
 > before = paths-fedora.conf
 > 
 > [DEFAULT]
 > ignoreip = 127.0.0.1/8
 > ignorecommand =
 > 
 > bantime  = -1
 > findtime  = 3600
 > maxretry = 3
 > 
 > backend = auto
 > usedns = warn
 > logencoding = auto
 > enabled = false
 > filter = %(__name__)s
 > destemail = [email protected]
 > sender = [email protected]
 > mta = sendmail
 > protocol = tcp
 > chain = INPUT
 > port = 0:65535
 > 
 > fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 > 
 > banaction = iptables-multiport
 > banaction_allports = iptables-allports
 > 
 > action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 > 
 > action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 >             %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 > 
 > action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 >              %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 > 
 > action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 >              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
 > 
 > action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 >                 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 > 
 > action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 > 
 > action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
 > action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 > 
 > action = %(action_)s
 > 
 > [sshd]
 > port    = 17169
 > logpath = %(sshd_log)s
 > backend = %(sshd_backend)s
 > 
 > [sshd-ddos]
 > port    = 17169
 > logpath = %(sshd_log)s
 > backend = %(sshd_backend)s
 > 
 > [dropbear]
 > port     = 17169
 > logpath  = %(dropbear_log)s
 > backend  = %(dropbear_backend)s
 > 
 > [selinux-ssh]
 > port     = 17169
 > logpath  = %(auditd_log)s
 > 
 > [phpmyadmin]
 > enabled = true
 > port = http,https
 > filter = phpmyadmin
 > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=PHPMYADMIN, [email protected]]
 > logpath = /var/log/secure
 > maxretry = 3
 > 
 > [apache-auth]
 > enabled  = true
 > port     = http,https
 > filter   = apache-auth
 > action = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=APACHE, [email protected]]
 > logpath  = /var/log/httpd/*/*_error.log
 > maxretry = 3
 > 
 > [drupal-comment]
 > enabled  = true
 > port     = http,https
 > filter   = drupal-comment
 > action = iptables-multiport[name=drupal-comment, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=DRUPAL, [email protected]]
 > logpath  = /var/log/messages
 > maxretry = 3
 > 
 > [drupal-auth]
 > enabled = true
 > port    = http,https
 > filter  = drupal-auth
 > action = iptables-multiport[name=drupal-auth, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=DRUPAL, [email protected]]
 > logpath = /var/log/messages
 > maxretry = 3
 > 
 > [apache-noscript]
 > enabled  = true
 > port     = http,https
 > filter   = apache-noscript
 > action = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=APACHE, [email protected]]
 > logpath  = /var/log/httpd/*/*_error.log
 > maxretry = 3
 > 
 > [apache-overflows]
 > enabled  = true
 > port     = http,https
 > filter   = apache-overflows
 > action = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=APACHE, [email protected]]
 > logpath  = /var/log/httpd/*/*_error.log
 > maxretry = 3
 > 
 > [apache-badbots]
 > enabled  = true
 > port     = http,https
 > filter   = apache-badbots
 > action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
 >          #sendmail-whois[name=APACHE, [email protected]]
 > logpath  = /var/log/httpd/*/*_error.log
 > maxretry = 3
 > 
 > [openhab-auth]
 > filter = openhab
 > action = iptables-allports[name=NoAuthFailures]
 > logpath = /opt/openhab/logs/request.log
 > 
 > [nginx-http-auth]
 > port    = http,https
 > logpath = %(nginx_error_log)s
 > 
 > [nginx-limit-req]
 > port    = http,https
 > logpath = %(nginx_error_log)s
 > 
 > [nginx-botsearch]
 > port     = http,https
 > logpath  = %(nginx_error_log)s
 > maxretry = 2
 > 
 > [php-url-fopen]
 > port    = http,https
 > logpath = %(nginx_access_log)s
 >           %(apache_access_log)s
 > 
 > [suhosin]
 > port    = http,https
 > logpath = %(suhosin_log)s
 > 
 > [lighttpd-auth]
 > port    = http,https
 > logpath = %(lighttpd_error_log)s
 > 
 > [roundcube-auth]
 > port     = http,https
 > logpath  = %(roundcube_errors_log)s
 > 
 > [openwebmail]
 > port     = http,https
 > logpath  = /var/log/openwebmail.log
 > 
 > [horde]
 > port     = http,https
 > logpath  = /var/log/horde/horde.log
 > 
 > [groupoffice]
 > port     = http,https
 > logpath  = /home/groupoffice/log/info.log
 > 
 > [sogo-auth]
 > port     = http,https
 > logpath  = /var/log/sogo/sogo.log
 > 
 > [tine20]
 > logpath  = /var/log/tine20/tine20.log
 > port     = http,https
 > 
 > #[drupal-auth]
 > #port     = http,https
 > #logpath  = %(syslog_daemon)s
 > #backend  = %(syslog_backend)s
 > 
 > [guacamole]
 > port     = http,https
 > logpath  = /var/log/tomcat*/catalina.out
 > 
 > [monit]
 > port = 2812
 > logpath  = /var/log/monit
 > 
 > [webmin-auth]
 > port    = 10000
 > logpath = %(syslog_authpriv)s
 > backend = %(syslog_backend)s
 > 
 > [froxlor-auth]
 > port    = http,https
 > logpath  = %(syslog_authpriv)s
 > backend  = %(syslog_backend)s
 > 
 > [squid]
 > port     =  80,443,3128,8080
 > logpath = /var/log/squid/access.log
 > 
 > [3proxy]
 > port    = 3128
 > logpath = /var/log/3proxy.log
 > 
 > [pure-ftpd]
 > port     = ftp,ftp-data,ftps,ftps-data
 > logpath  = %(pureftpd_log)s
 > backend  = %(pureftpd_backend)s
 > 
 > [gssftpd]
 > port     = ftp,ftp-data,ftps,ftps-data
 > logpath  = %(syslog_daemon)s
 > backend  = %(syslog_backend)s
 > 
 > [wuftpd]
 > port     = ftp,ftp-data,ftps,ftps-data
 > logpath  = %(wuftpd_log)s
 > backend  = %(wuftpd_backend)s
 > 
 > [vsftpd]
 > enabled = true
 > port     = ftp,ftp-data,ftps,ftps-data
 > logpath  = %(vsftpd_log)s
 > enable = true
 > action = iptables-multiport[name=vsftpd, port="ftp,ftp-data,ftps,ftps-data", protocol=tcp]
 >          #sendmail-whois[name=fail2ban-vsftpd-bruteforce, [email protected]]
 > maxretry = 3
 > 
 > [assp]
 > port     = smtp,465,submission
 > logpath  = /var/log/mail.log
 > 
 > [courier-smtp]
 > port     = smtp,465,submission
 > logpath  = %(syslog_mail)s
 > backend  = %(syslog_backend)s
 > 
 > [postfix]
 > port     = smtp,465,submission
 > logpath  = %(postfix_log)s
 > backend  = %(postfix_backend)s
 > 
 > [postfix-rbl]
 > port     = smtp,465,submission
 > logpath  = %(postfix_log)s
 > backend  = %(postfix_backend)s
 > maxretry = 1
 > 
 > [sendmail-auth]
 > port    = submission,465,smtp
 > logpath = %(syslog_mail)s
 > backend = %(syslog_backend)s
 > 
 > [sendmail-reject]
 > port     = smtp,465,submission
 > logpath  = %(syslog_mail)s
 > backend  = %(syslog_backend)s
 > 
 > [qmail-rbl]
 > filter  = qmail
 > port    = smtp,465,submission
 > logpath = /service/qmail/log/main/current
 > 
 > [dovecot]
 > port    = pop3,pop3s,imap,imaps,submission,465,sieve
 > logpath = %(dovecot_log)s
 > backend = %(dovecot_backend)s
 > 
 > [sieve]
 > port   = smtp,465,submission
 > logpath = %(dovecot_log)s
 > backend = %(dovecot_backend)s
 > 
 > [solid-pop3d]
 > port    = pop3,pop3s
 > logpath = %(solidpop3d_log)s
 > 
 > [exim]
 > port   = smtp,465,submission
 > logpath = %(exim_main_log)s
 > 
 > [exim-spam]
 > port   = smtp,465,submission
 > logpath = %(exim_main_log)s
 > 
 > [kerio]
 > port    = imap,smtp,imaps,465
 > logpath = /opt/kerio/mailserver/store/logs/security.log
 > 
 > [courier-auth]
 > port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 > logpath  = %(syslog_mail)s
 > backend  = %(syslog_backend)s
 > 
 > [postfix-sasl]
 > port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 > logpath  = %(postfix_log)s
 > backend  = %(postfix_backend)s
 > 
 > [perdition]
 > port   = imap3,imaps,pop3,pop3s
 > logpath = %(syslog_mail)s
 > backend = %(syslog_backend)s
 > 
 > [squirrelmail]
 > port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
 > logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 > 
 > [cyrus-imap]
 > port   = imap3,imaps
 > logpath = %(syslog_mail)s
 > backend = %(syslog_backend)s
 > 
 > [uwimap-auth]
 > port   = imap3,imaps
 > logpath = %(syslog_mail)s
 > backend = %(syslog_backend)s
 > 
 > [named-refused]
 > port     = domain,953
 > logpath  = /var/log/named/security.log
 > 
 > [nsd]
 > port     = 53
 > action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 >            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 > logpath = /var/log/nsd.log
 > 
 > [asterisk]
 > port     = 5060,5061
 > action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 >            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 >            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 > logpath  = /var/log/asterisk/messages
 > maxretry = 10
 > 
 > [freeswitch]
 > port     = 5060,5061
 > action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 >            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 >            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 > logpath  = /var/log/freeswitch.log
 > maxretry = 10
 > 
 > [mysqld-auth]
 > port     = 3306
 > logpath  = %(mysql_log)s
 > backend  = %(mysql_backend)s
 > 
 > [mongodb-auth]
 > port     = 27017
 > logpath  = /var/log/mongodb/mongodb.log
 > 
 > [recidive]
 > logpath  = /var/log/fail2ban.log
 > banaction = %(banaction_allports)s
 > bantime  = 604800  ; 1 week
 > findtime = 86400   ; 1 day
 > 
 > [pam-generic]
 > banaction = %(banaction_allports)s
 > logpath  = %(syslog_authpriv)s
 > backend  = %(syslog_backend)s
 > 
 > [xinetd-fail]
 > banaction = iptables-multiport-log
 > logpath   = %(syslog_daemon)s
 > backend   = %(syslog_backend)s
 > maxretry  = 2
 > 
 > [stunnel]
 > logpath = /var/log/stunnel4/stunnel.log
 > 
 > [ejabberd-auth]
 > port    = 5222
 > logpath = /var/log/ejabberd/ejabberd.log
 > 
 > [counter-strike]
 > logpath = /opt/cstrike/logs/L[0-9]*.log
 > tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
 > udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 > action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 >            %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 > 
 > [nagios]
 > logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 > backend  = %(syslog_backend)s
 > maxretry = 1
 > 
 > [oracleims]
 > logpath = /opt/sun/comms/messaging64/log/mail.log_current
 > banaction = %(banaction_allports)s
 > 
 > [directadmin]
 > logpath = /var/log/directadmin/login.log
 > port = 2222
 > 
 > [portsentry]
 > logpath  = /var/lib/portsentry/portsentry.history
 > maxretry = 1
 > 
 > [pass2allow-ftp]
 > port         = ftp,ftp-data,ftps,ftps-data
 > knocking_url = /knocking/
 > filter       = apache-pass[knocking_url="%(knocking_url)s"]
 > logpath      = %(apache_access_log)s
 > blocktype    = RETURN
 > returntype   = DROP
 > bantime      = 3600
 > maxretry     = 1
 > findtime     = 1
 > 
 > [murmur]
 > port     = 64738
 > action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
 >            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
 > logpath  = /var/log/mumble-server/mumble-server.log
 > 
 > [screensharingd]
 > logpath  = /var/log/system.log
 > logencoding = utf-8
 > 
 > [haproxy-http-auth]
 > logpath  = /var/log/haproxy.log
 > 
 > [slapd]
 > port    = ldap,ldaps
 > filter  = slapd
 > logpath = /var/log/slapd.log
 > 
 > 
 > Regards,
 > 
 > Henrique Fagundes 
 > Linux Support Analyst
 > [email protected] 
 > Skype: magnata-br-rj 
 > Linux User: 475399 
 > 
 > https://www.aprendendolinux.com 
 > https://www.facebook.com/AprendendoLinux 
 > https://youtube.com/AprendendoLinux 
 > https://twitter.com/AprendendoLinux 
 > https://t.me/AprendendoLinux 
 > https://t.me/GrupoAprendendoLinux 
 > ______________________________________________________________________ 
 > Join the Aprendendo Linux Group
 > https://listas.aprendendolinux.com/listinfo/aprendendolinux 
 > 
 > Or send an e-mail to:
 > [email protected] 
 > 
 > 
 >  ---- On Sat, 15 Feb 2020 10:56:55 -0300 Dudi Goldenberg <[email protected]> wrote ----
 >  > Hi,
 >  > 
 >  > The regex is fine for the log lines that you showed.
 >  > 
 >  > Try to go over the rest of the jail and verify that its properly 
 > configured.
 >  > 
 >  > Regards,
 >  > 
 >  > Dudi
 >  > 
 >  > -----Original Message-----
 >  > From: Henrique Fagundes [mailto:[email protected]] 
 >  > Sent: Saturday, February 15, 2020 15:45
 >  > To: Dudi Goldenberg <[email protected]>
 >  > Cc: Fail2ban Users <[email protected]>
 >  > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
 >  > 
 >  > Friend,
 >  > 
 >  > In practice, it doesn't work!
 >  > I am purposely missing the logins and does not block.
 >  > 
 >  > I did a test with FTP and it blocks normally.
 >  > I don't know what's going on.
 >  > 
 >  >  ---- On Sat, 15 Feb 2020 10:32:34 -0300 Dudi Goldenberg <[email protected]> wrote ----
 >  >  > Well,
 >  >  >
 >  >  > According to the test it did work:
 >  >  >
 >  >  > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
 >  >  >
 >  >  > So you have 182 matches.
 >  >  >
 >  >  > Regards,
 >  >  >
 >  >  > Dudi
 >  >  >
 >  >  > -----Original Message-----
 >  >  > From: Henrique Fagundes [mailto:[email protected]]
 >  >  > Sent: Saturday, February 15, 2020 15:28
 >  >  > To: Dudi Goldenberg <[email protected]>
 >  >  > Cc: Fail2ban Users <[email protected]>
 >  >  > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
 >  >  >
 >  >  > Friend,
 >  >  >
 >  >  > Unfortunately, the rule you gave me didn't work!
 >  >  >
 >  >  > The log file is /var/log/secure.
 >  >  >
 >  >  > I ran the command below:
 >  >  >
 >  >  >  fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
 >  >  >
 >  >  > That was the way out:
 >  >  >
 >  >  > Running tests
 >  >  > =============
 >  >  > 
 >  >  > Use   failregex filter file : phpmyadmin, basedir: /etc/fail2ban
 >  >  > Use         log file : /var/log/secure
 >  >  > Use         encoding : UTF-8
 >  >  >
 >  >  >
 >  >  > Results
 >  >  > =======
 >  >  >
 >  >  > Failregex: 182 total
 >  >  > |-  #) [# of hits] regular expression
 >  >  > |   1) [182] user denied: .+ from <HOST>\s*$
 >  >  > `-
 >  >  >
 >  >  > Ignoreregex: 0 total
 >  >  >
 >  >  > Date template hits:
 >  >  > |- [# of hits] date format
 >  >  > |  [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
 >  >  > `-
 >  >  >
 >  >  > Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
 >  >  >
 >  >  > Missed line(s): too many to print.  Use --print-all-missed to print all 590 lines
 >  >  >
 >  >  > Is there anything else I can do to resolve the issue?
 >  >  >
 >  >  >  ---- On Sat, 15 Feb 2020 10:07:12 -0300 Dudi Goldenberg <[email protected]> wrote ----
 >  >  >  > Hi,
 >  >  >  >
 >  >  >  > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read:
 >  >  >  >
 >  >  >  > failregex = user denied: .+ from <HOST>\s*$
 >  >  >  >
 >  >  >  > The tst is a file I created with the log lines in it for testing...
 >  >  >  >
 >  >  >  > After you modify phpmyadmin.conf this should work and show matches:
 >  >  >  >
 >  >  >  > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
 >  >  >  >
 >  >  >  > Make sure you insert the real path to the log file instead of 
 > /path/to/logfile.
 >  >  >  >
 >  >  >  > Regards,
 >  >  >  >
 >  >  >  > Dudi
 >  >  >  >
 >  >  >  > -----Original Message-----
 >  >  >  > From: Henrique Fagundes [mailto:[email protected]]
 >  >  >  > Sent: Saturday, February 15, 2020 13:26
 >  >  >  > To: Dudi Goldenberg <[email protected]>
 >  >  >  > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
 >  >  >  >
 >  >  >  > Friend,
 >  >  >  >
 >  >  >  > Good Morning! Thanks for answering!
 >  >  >  > I tested his regular expression and it didn't work, unfortunately.
 >  >  >  >
 >  >  >  > The output of my command was like this:
 >  >  >  >
 >  >  >  > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
 >  >  >  >
 >  >  >  > Running tests
 >  >  >  > =============
 >  >  >  > 
 >  >  >  > Use   failregex filter file : phpmyadmin, basedir: /etc/fail2ban
 >  >  >  > Use      single line : tst
 >  >  >  >
 >  >  >  >
 >  >  >  > Results
 >  >  >  > =======
 >  >  >  >
 >  >  >  > Failregex: 0 total
 >  >  >  >
 >  >  >  > Ignoreregex: 0 total
 >  >  >  >
 >  >  >  > Date template hits:
 >  >  >  >
 >  >  >  > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
 >  >  >  >
 >  >  >  > |- Missed line(s):
 >  >  >  > |  tst
 >  >  >  > `-
 >  >  >  >
 >  >  >  > Is there anything else I can do to resolve this issue?
 >  >  >  >
 >  >  >  > I am grateful!
 >  >  >  >
 >  >  >  >
 >  >  >  >
 >  >  >  > Regards,
 >  >  >  >
 >  >  >  > Henrique Fagundes
 >  >  >  > Linux Support Analyst
 >  >  >  > [email protected]
 >  >  >  > Skype: magnata-br-rj
 >  >  >  > Linux User: 475399
 >  >  >  >
 >  >  >  > https://www.aprendendolinux.com
 >  >  >  > https://www.facebook.com/AprendendoLinux
 >  >  >  > https://youtube.com/AprendendoLinux
 >  >  >  > https://twitter.com/AprendendoLinux
 >  >  >  > https://t.me/AprendendoLinux
 >  >  >  > https://t.me/GrupoAprendendoLinux
 >  >  >  > ______________________________________________________________________
 >  >  >  > Join the Aprendendo Linux Group
 >  >  >  > https://listas.aprendendolinux.com/listinfo/aprendendolinux
 >  >  >  >
 >  >  >  > Or send an e-mail to:
 >  >  >  > [email protected]
 >  >  >  >
 >  >  >  >
 >  >  >  >  ---- On Sat, 15 Feb 2020 05:24:41 -0300 Dudi Goldenberg <[email protected]> wrote ----
 >  >  >  >  > HI,
 >  >  >  >  >
 >  >  >  >  > I pasted the wrong line.... sorry.
 >  >  >  >  >
 >  >  >  >  > This works:
 >  >  >  >  >
 >  >  >  >  > failregex = user denied: .+ from <HOST>\s*$
 >  >  >  >  >
 >  >  >  >  > ===========
 >  >  >  >  > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
 >  >  >  >  >
 >  >  >  >  > Running tests
 >  >  >  >  > =============
 >  >  >  >  >
 >  >  >  >  > Use   failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
 >  >  >  >  > Use         log file : tst
 >  >  >  >  >
 >  >  >  >  >
 >  >  >  >  > Results
 >  >  >  >  > =======
 >  >  >  >  >
 >  >  >  >  > Failregex: 1 total
 >  >  >  >  > |-  #) [# of hits] regular expression
 >  >  >  >  > |   4) [1] user denied: .+ from <HOST>\s*$
 >  >  >  >  > `-
 >  >  >  >  >
 >  >  >  >  > Ignoreregex: 0 total
 >  >  >  >  >
 >  >  >  >  > Date template hits:
 >  >  >  >  > |- [# of hits] date format
 >  >  >  >  > |  [1] MONTH Day Hour:Minute:Second
 >  >  >  >  > `-
 >  >  >  >  >
 >  >  >  >  > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
 >  >  >  >  >
 >  >  >  >  > Regards,
 >  >  >  >  >
 >  >  >  >  > Dudi
 >  >  >  >  >
 >  >  >  >  > -----Original Message-----
 >  >  >  >  > From: Henrique Fagundes [mailto:[email protected]]
 >  >  >  >  > Sent: Saturday, February 15, 2020 3:34
 >  >  >  >  > To: fail2ban-users <[email protected]>
 >  >  >  >  > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
 >  >  >  >  >
 >  >  >  >  > Dear Colleagues,
 >  >  >  >  >
 >  >  >  >  > I begin by apologizing for any communication error, as I am Brazilian and I still try to adapt with the English language.
 >  >  >  >  >
 >  >  >  >  > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
 >  >  >  >  >
 >  >  >  >  > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
 >  >  >  >  > My PhpMyAdmin is version 4.9.0.1.
 >  >  >  >  >
 >  >  >  >  > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
 >  >  >  >  >
 >  >  >  >  > And he has an output like this:
 >  >  >  >  >
 >  >  >  >  > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
 >  >  >  >  > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
 >  >  >  >  > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
 >  >  >  >  > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
 >  >  >  >  >
 >  >  >  >  > So, I configured my “/etc/fail2ban/jail.conf” like this:
 >  >  >  >  >
 >  >  >  >  > [phpmyadmin]
 >  >  >  >  > enabled = true
 >  >  >  >  > port = http,https
 >  >  >  >  > filter = phpmyadmin
 >  >  >  >  > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
 >  >  >  >  >          sendmail-whois[name=PHPMYADMIN, [email protected]]
 >  >  >  >  > logpath = /var/log/secure
 >  >  >  >  > maxretry = 3
 >  >  >  >  >
 >  >  >  >  > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
 >  >  >  >  >
 >  >  >  >  > [Definition]
 >  >  >  >  > denied = mysql-denied|allow-denied|root-denied|empty-denied
 >  >  >  >  > failregex = ^<HOST> -.*(?:%(denied)s)$
 >  >  >  >  > ignoreregex =
 >  >  >  >  >
 >  >  >  >  > I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.
 >  >  >  >  >
 >  >  >  >  > Could someone help me in this matter?
 >  >  >  >  >
 >  >  >  >  > I'll be very grateful.
 >  >  >  >  >
 >  >  >  >  >
 >  >  >  >  > _______________________________________________
 >  >  >  >  > Fail2ban-users mailing list
 >  >  >  >  > [email protected]
 >  >  >  >  > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
 >  >  >  >  >
 >  >  >  >
 >  >  >
 >  >
 > 
 > 



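Added example, not from the thread or from the fail2ban project: a small Python script that does what fail2ban-regex does with the two failregex lines discussed above, run against a constructed sample of /var/log/secure lines modelled on the ones Henrique posted (the sshd line and the 203.0.113.7 entry are constructed additions). It separates the syslog timestamp from the rest of the line, as fail2ban does before applying a failregex, and shows why the original `^<HOST> -.*(?:mysql-denied|...)$` pattern, which expects the client IP at the start of the line in the style of an Apache access log, can never match a syslog line where the IP comes last, while `user denied: .+ from <HOST>\s*$` tallies 177.122.254.10 up to the jail's maxretry of 3. The `<HOST>` expansion used here is the classic simplified fail2ban definition and is an assumption for this example; fail2ban 0.10 uses a more elaborate ip4/ip6/dns alternative, but the outcome on these lines is the same.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion. This is the classic
# definition from older releases; 0.10 uses a more elaborate ip4/ip6/dns
# alternative. Treated as an assumption for this example.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# fail2ban splits the timestamp off before the failregex is applied; this
# mimics that for the "Feb 14 21:40:37 " syslog layout seen in the thread.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# The two failregex lines discussed in the thread.
ORIGINAL_FAILREGEX = r"^<HOST> -.*(?:mysql-denied|allow-denied|root-denied|empty-denied)$"
WORKING_FAILREGEX = r"user denied: .+ from <HOST>\s*$"

# Constructed sample of /var/log/secure, modelled on the lines quoted in the
# thread; the sshd line and the 203.0.113.7 entry are added for contrast.
SAMPLE_LOG = """\
Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www sshd[4010]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:50:00 www phpMyAdmin[3981]: user denied: backup (allow-denied) from 203.0.113.7
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def run_filter(failregex, log_text):
    """Mimic fail2ban-regex: strip the timestamp, apply the failregex to the
    remainder and tally hits per host. Returns (hits_per_host, matched, missed)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    matched = missed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        body = SYSLOG_DATE.sub("", line, count=1)
        m = rx.search(body)
        if m:
            matched += 1
            hits[m.group("host")] += 1
        else:
            missed += 1
    return dict(hits), matched, missed


def hosts_reaching_maxretry(hits, maxretry=3):
    """Hosts whose failure count reached the jail's maxretry (3 in the thread's jail)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


def main():
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("working", WORKING_FAILREGEX)):
        hits, matched, missed = run_filter(rx, SAMPLE_LOG)
        print(f"{label}: {matched} matched, {missed} missed, hits={hits}")
        print("  would reach maxretry:", hosts_reaching_maxretry(hits))


if __name__ == "__main__":
    main()
```

The real check on the server is the one Dudi gave, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf`. A matching failregex is necessary but not sufficient for a ban: the jail only counts failures that arrive after it starts tailing the file, needs maxretry hits from one host inside findtime (3 within 3600 s in this jail), and the ban itself depends on the action's iptables chain being reachable, so a filter that matches in fail2ban-regex but never bans points at the jail or action side, which is what Dudi's "verify the rest of the jail" advice is about.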