Hi Dominic,

^<HOST> means that the client IP must be first on the log line; this is not the case in your log.
Edit the regex so the <HOST> is last in the regex.

Regards,
Dudi

From: Dominic Raferd [mailto:[email protected]]
Sent: Saturday, February 15, 2020 10:37
To: fail2ban-users <[email protected]>
Subject: Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin

On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes <[email protected]> wrote:

Dear Colleagues,

I begin by apologizing for any communication error, as I am Brazilian and I am still trying to adapt to the English language.

I'm having a hard time getting Fail2Ban to work on phpmyadmin.

I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. My PhpMyAdmin is version 4.9.0.1.

I noticed that PhpMyAdmin logs login failures in the "/var/log/secure" file. And it has output like this:

Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10

So, I configured my "/etc/fail2ban/jail.conf" like this:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/secure
maxretry = 3

And in the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.

Could someone help me in this matter? I'll be very grateful.

Try replacing your failregex line with this:

failregex = user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$

It does not use the 'denied' variable (so that line could be removed from your filter file). It would be better if it was defined with an anchor (and matching text/variables) at the front of the regex but it is probably good enough for your purposes, the risk of resulting FPs is small I think.

_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
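
The three filter shapes discussed in this thread, run over sample lines, as an added example that is not part of the original messages or of fail2ban's own code. It shows why the `^<HOST>` filter matches nothing, and how the unanchored suggestion also matches a line written by a different program, which a front anchor avoids. Assumptions: `HOST` and `SYSLOG_DATE` are simplified stand-ins for fail2ban's `<HOST>` tag and timestamp stripping, the "anchored" regex is a hypothetical variant, and the second log line is constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for fail2ban's date handling: the timestamp is cut
# from the line before failregex is applied, so "^" anchors on what follows.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FILTERS = {
    # From the original post, with %(denied)s interpolated.
    "original": r"^<HOST> -.*(?:%s)$" % DENIED,
    # Suggested in the reply.
    "suggested": r"user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$",
    # Hypothetical front-anchored variant (not from the thread).
    "anchored": r"^\S+ phpMyAdmin\[\d+\]: user denied: \S* "
                r"\((?:mysql|allow|root|empty)-denied\) from <HOST>$",
}

LOG = [
    # Line quoted in the original post.
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    # Constructed line from a made-up program that repeats the same text.
    "Feb 14 21:41:02 www logrelay[411]: copied: user denied: root (mysql-denied) from 203.0.113.7",
]

def banned_hosts(failregex, lines):
    """Return the host captured from every line the filter matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hosts = []
    for line in lines:
        m = pattern.search(SYSLOG_DATE.sub("", line, count=1))
        if m:
            hosts.append(m.group("host"))
    return hosts

def compare(lines=LOG):
    """Map each filter name to the hosts it would report for the sample."""
    return {name: banned_hosts(rx, lines) for name, rx in FILTERS.items()}

if __name__ == "__main__":
    for name, hosts in compare().items():
        print(f"{name:9} -> {hosts}")
```

On a live system, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf` runs the real filter against the real log and reports matched and missed lines.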
