Hello Henrique,
I am not using PHP, so I can offer only general suggestions.
1) Leave "/etc/fail2ban/jail.conf" alone; copy it to
"/etc/fail2ban/jail.local" and make changes to that file instead.
2) Check that the "[phpmyadmin]" section of "jail.local" says
"enabled=true" (as it was in your "jail.conf").
3) Run the command "sudo /etc/init.d/fail2ban restart" or the equivalent to
suit your system. (If I remember correctly, you may need "stop" then "sleep
15" then "start".)
4) Allow time for an attempted intrusion. (I think that "fail2ban" might not
create rules until there is a demand.)
5) Use "sudo iptables --wait --numeric --verbose --list | less" to see if
a set of rules has been created and if the expected rule has been
triggered.
6) See what the logs tell you.
If you have success, please let us know; if not, please let us see the
relevant "[phpmyadmin]" section of your "jail.local" and some log extracts.
I hope this helps,
--
Graham
Just because they are out to get you doesn't mean you're paranoid.
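Graham's checklist above and the failregex exchange further down the thread are easier to reason about with the matching replayed offline. The following is an added example (my own, not code from the thread, from fail2ban or from phpMyAdmin): it applies the failregex from Henrique's original filter and Dudi's replacement to the four /var/log/secure lines quoted in the first post, plus one constructed sshd line that a phpMyAdmin filter must not match, and then runs a sliding-window ban count with the jail's maxretry = 3 and fail2ban's default findtime of 600 seconds. HOST_RE, split_timestamp() and the assumed year 2020 are simplifications of what fail2ban does internally, and TIGHTER_FAILREGEX is my own suggestion, not something proposed in the thread.

```python
"""Replay fail2ban failregex matching for the phpMyAdmin lines in this thread."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion.  Assumption: a simplification of
# fail2ban's real pattern, which also handles IPv6 and bracketed hosts.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp as written in /var/log/secure.  fail2ban cuts the matched
# timestamp out of the line before trying failregex; split_timestamp() imitates
# that (assumption: the trailing space is consumed together with the date).
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

# The four phpMyAdmin lines quoted in the original post, plus one constructed
# sshd line (documentation address 192.0.2.7) that the filter must ignore.
SAMPLE_LOG = """\
Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:10 www sshd[4001]: Accepted publickey for deploy from 192.0.2.7 port 51022 ssh2
"""

# Filter definitions: the original post's failregex (Apache access-log style,
# it expects the line to *start* with the client IP), Dudi's replacement, and
# a tighter variant of my own that also pins the program name and the
# "(mysql-denied)" reason list from the original filter.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
ORIGINAL_FAILREGEX = r"^<HOST> -.*(?:%(denied)s)$"
SUGGESTED_FAILREGEX = r"user denied: .+ from <HOST>\s*$"
TIGHTER_FAILREGEX = r"phpMyAdmin\[\d+\]: user denied: \S+ \((?:%(denied)s)\) from <HOST>\s*$"


def compile_failregex(failregex, **subs):
    """Expand %(name)s substitutions and <HOST> as a fail2ban filter would."""
    pattern = failregex % subs
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def split_timestamp(line, year=2020):
    """Return (datetime, line without its timestamp); datetime is None if absent.

    Syslog lines carry no year, so one is assumed (2020, the thread's date).
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None, line
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, line[m.end():]


def match_failures(log_text, failregex, **subs):
    """Run failregex over every line; return [(timestamp, host), ...] for hits.

    Lines without a parsable timestamp are skipped here (fail2ban itself would
    fall back to the current time for them).
    """
    rx = compile_failregex(failregex, **subs)
    hits = []
    for line in log_text.splitlines():
        ts, rest = split_timestamp(line)
        m = rx.search(rest)
        if ts is not None and m:
            hits.append((ts, m.group("host")))
    return hits


def simulate_bans(hits, maxretry=3, findtime=600):
    """Sliding-window ban decision like a fail2ban jail's.

    A host is banned at the first failure that brings `maxretry` failures
    inside `findtime` seconds.  Returns {host: datetime_of_ban}.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, rx, subs in [
        ("original", ORIGINAL_FAILREGEX, {"denied": DENIED}),
        ("suggested", SUGGESTED_FAILREGEX, {}),
        ("tighter", TIGHTER_FAILREGEX, {"denied": DENIED}),
    ]:
        print("%-9s failregex: %d matched" % (name, len(match_failures(SAMPLE_LOG, rx, **subs))))
    for host, when in simulate_bans(match_failures(SAMPLE_LOG, SUGGESTED_FAILREGEX)).items():
        print("would ban %s at %s (maxretry=3, findtime=600)" % (host, when.time()))
```

Two reading notes for the fail2ban-regex output quoted below. When the tool prints "Use single line : tst", as in Henrique's first run, it found no file named tst in the working directory and treated the argument itself as one log line, so the zero matches in that run say nothing about the filter. A later run against /var/log/secure that reports 182 matches but still produces no ban points away from the regex and toward the jail side of Graham's list: whether [phpmyadmin] is enabled in the configuration the daemon actually loaded (fail2ban-client status phpmyadmin shows the jail if it is), whether the three failures land inside findtime, and whether the address used for testing is covered by ignoreip, which includes localhost by default.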
On Sat, 15 Feb 2020, Henrique Fagundes wrote:
Date: Sat, 15 Feb 2020 13:44:44
From: Henrique Fagundes <[email protected]>
To: Dudi Goldenberg <[email protected]>
Cc: Fail2ban Users <[email protected]>
Subject: Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
Friend,
In practice, it doesn't work!
I am deliberately failing the logins and it does not block.
I did a test with FTP and it blocks normally.
I don't know what's going on.
---- On Sat, 15 Feb 2020 10:32:34 -0300 Dudi Goldenberg <[email protected]> wrote ----
> Well,
>
> According to the test it did work:
>
> Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
>
> So you have 182 matches.
>
> Regards,
>
> Dudi
>
> -----Original Message-----
> From: Henrique Fagundes [mailto:[email protected]]
> Sent: Saturday, February 15, 2020 15:28
> To: Dudi Goldenberg <[email protected]>
> Cc: Fail2ban Users <[email protected]>
> Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> Friend,
>
> Unfortunately, the rule you gave me didn't work!
>
> The log file is /var/log/secure.
>
> I ran the command below:
>
> fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf
>
> This was the output:
>
> Running tests
> =============
>
> Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> Use log file : /var/log/secure
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 182 total
> |- #) [# of hits] regular expression
> | 1) [182] user denied: .+ from <HOST>\s*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [772] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 772 lines, 0 ignored, 182 matched, 590 missed [processed in 0.08 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all 590 lines
>
> Is there anything else I can do to resolve the issue?
>
> ---- On Sat, 15 Feb 2020 10:07:12 -0300 Dudi Goldenberg <[email protected]> wrote ----
> > Hi,
> >
> > You should edit /etc/fail2ban/filter.d/phpmyadmin.conf and modify the failregex line to read:
> >
> > failregex = user denied: .+ from <HOST>\s*$
> >
> > The tst is a file I created with the log lines in it for testing...
> >
> > After you modify phpmyadmin.conf this should work and show matches:
> >
> > fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/phpmyadmin.conf
> >
> > Make sure you insert the real path to the log file instead of /path/to/logfile.
> >
> > Regards,
> >
> > Dudi
> >
> > -----Original Message-----
> > From: Henrique Fagundes [mailto:[email protected]]
> > Sent: Saturday, February 15, 2020 13:26
> > To: Dudi Goldenberg <[email protected]>
> > Subject: RE: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> >
> > Friend,
> >
> > Good morning! Thanks for answering!
> > I tested your regular expression and it didn't work, unfortunately.
> >
> > The output of my command was like this:
> >
> > [root@www ~]# fail2ban-regex tst /etc/fail2ban/filter.d/phpmyadmin.conf
> >
> > Running tests
> > =============
> >
> > Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
> > Use single line : tst
> >
> >
> > Results
> > =======
> >
> > Failregex: 0 total
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> >
> > Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.05 sec]
> > |- Missed line(s):
> > |  tst
> > `-
> >
> > Is there anything else I can do to resolve this issue?
> >
> > I am grateful!
> >
> >
> >
> > Regards,
> >
> > Henrique Fagundes
> > Linux Support Analyst
> > [email protected]
> > Skype: magnata-br-rj
> > Linux User: 475399
> >
> > https://www.aprendendolinux.com
> > https://www.facebook.com/AprendendoLinux
> > https://youtube.com/AprendendoLinux
> > https://twitter.com/AprendendoLinux
> > https://t.me/AprendendoLinux
> > https://t.me/GrupoAprendendoLinux
> > ______________________________________________________________________
> > Join the Aprendendo Linux group
> > https://listas.aprendendolinux.com/listinfo/aprendendolinux
> >
> > Or send an e-mail to:
> > [email protected]
> >
> >
> > ---- On Sat, 15 Feb 2020 05:24:41 -0300 Dudi Goldenberg <[email protected]> wrote ----
> > > Hi,
> > >
> > > I pasted the wrong line.... sorry.
> > >
> > > This works:
> > >
> > > failregex = user denied: .+ from <HOST>\s*$
> > >
> > > ===========
> > >
> > > root@mail:~# fail2ban-regex tst /etc/fail2ban/filter.d/test.conf
> > >
> > > Running tests
> > > =============
> > >
> > > Use failregex file : /etc/fail2ban/filter.d/webmin-auth.conf
> > > Use log file : tst
> > >
> > >
> > > Results
> > > =======
> > >
> > > Failregex: 1 total
> > > |- #) [# of hits] regular expression
> > > | 4) [1] user denied: .+ from <HOST>\s*$
> > > `-
> > >
> > > Ignoreregex: 0 total
> > >
> > > Date template hits:
> > > |- [# of hits] date format
> > > | [1] MONTH Day Hour:Minute:Second
> > > `-
> > >
> > > Lines: 1 lines, 0 ignored, 1 matched, 0 missed
> > >
> > > Regards,
> > >
> > > Dudi
> > >
> > > -----Original Message-----
> > > From: Henrique Fagundes [mailto:[email protected]]
> > > Sent: Saturday, February 15, 2020 3:34
> > > To: fail2ban-users <[email protected]>
> > > Subject: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
> > >
> > > Dear Colleagues,
> > >
> > > I begin by apologizing for any communication error, as I am Brazilian and I am still adapting to the English language.
> > >
> > > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> > >
> > > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > > My PhpMyAdmin is version 4.9.0.1.
> > >
> > > I noticed that PhpMyAdmin logs login failures in the "/var/log/secure" file.
> > >
> > > And it has output like this:
> > >
> > > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> > >
> > > So, I configured my "/etc/fail2ban/jail.conf" like this:
> > >
> > > [phpmyadmin]
> > > enabled = true
> > > port = http,https
> > > filter = phpmyadmin
> > > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> > >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > > logpath = /var/log/secure
> > > maxretry = 3
> > >
> > > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> > >
> > > [Definition]
> > > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > > failregex = ^<HOST> -.*(?:%(denied)s)$
> > > ignoreregex =
> > >
> > > I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.
> > >
> > > Could someone help me in this matter?
> > >
> > > I'll be very grateful.
> > >
[--- snipped ---]
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users