Dear colleagues, I would like to thank you very much for your support. Especially Dudi and Dominic.
I finally managed to solve the problem. Fail2Ban is now blocking properly. I decided to update PhpMyAdmin to version 5.0.1. After I did that, I edited the following file: /var/www/phpmyadmin/libraries/config.default.php

I changed the configuration as follows:

$cfg['AuthLog'] = 'auto'; ------> $cfg['AuthLog'] = 'php';

After I did that, it started to generate the logs differently and in a different file. The logs started to be generated in the "/var/log/php-fpm/www-error.log" file, in this way:

[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:14 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:08 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:09 UTC] user denied: root (mysql-denied) from 168.194.165.40

Then, I configured the "/etc/fail2ban/filter.d/phpmyadmin.conf" file like this:

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied:.+ from <HOST>\s*$
ignoreregex =

After that, I configured "/etc/fail2ban/jail.conf" like this:

[phpmyadmin]
enabled = true
port = http,https
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
# sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/php-fpm/www-error.log
maxretry = 3

After that, all it took was restarting fail2ban and everything was resolved.
Look at the logs, now blocking:

2020-02-15 14:39:42,005 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:41
2020-02-15 14:39:44,009 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:43
2020-02-15 14:39:46,013 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:45
2020-02-15 14:39:46,204 fail2ban.actions [25748]: NOTICE [phpmyadmin] Ban 168.194.165.40

Thank you very much to all! A big hug!

Sincerely,

Henrique Fagundes
Linux Support Analyst
[email protected]
Skype: magnata-br-rj
Linux User: 475399
https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://t.me/AprendendoLinux
https://t.me/GrupoAprendendoLinux

______________________________________________________________________
Join the Aprendendo Linux Group
https://listas.aprendendolinux.com/listinfo/aprendendolinux
Or send an e-mail to: [email protected]

---- On Sat, 15 Feb 2020 10:11:12 -0300 Dudi Goldenberg <[email protected]> wrote ----

> Hi Dominic,
>
> ^<HOST> means that the client IP must be first on the log line, this is not
> the case in your log.
>
> Edit the regex so the <HOST> is last in the regex.
>
> Regards,
>
> Dudi
>
> From: Dominic Raferd [mailto:[email protected]]
> Sent: Saturday, February 15, 2020 10:37
> To: fail2ban-users <[email protected]>
> Subject: Re: [Fail2ban-users] Help with Fail2Ban on PhpMyAdmin
>
> On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes <[email protected]> wrote:
>
> > Dear Colleagues,
> >
> > I begin by apologizing for any communication error, as I am Brazilian and I
> > am still trying to adapt to the English language.
> >
> > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> >
> > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > My PhpMyAdmin is version 4.9.0.1.
> >
> > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
> > And it has an output like this:
> >
> > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> >
> > So, I configured my “/etc/fail2ban/jail.conf” like this:
> >
> > [phpmyadmin]
> > enabled = true
> > port = http,https
> > filter = phpmyadmin
> > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > logpath = /var/log/secure
> > maxretry = 3
> >
> > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf),
> > the expressions are like this:
> >
> > [Definition]
> > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > failregex = ^<HOST> -.*(?:%(denied)s)$
> > ignoreregex =
> >
> > I believe I am not able to correctly form the expression, as Fail2Ban is not
> > blocking at all.
> >
> > Could someone help me in this matter?
> >
> > I'll be very grateful.
>
> Try replacing your failregex line with this:
> failregex = user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$
>
> It does not use the 'denied' variable (so that line could be removed from
> your filter file). It would be better if it was defined with an anchor (and
> matching text/variables) at the front of the regex but it is probably good
> enough for your purposes, the risk of resulting FPs is small I think.
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
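As an added example (not part of this thread, and not fail2ban's own code), the following Python script replays fail2ban's filter step over the two phpMyAdmin log formats quoted above, so Dudi's point about a leading ^<HOST> and the three failregex variants in the thread can be compared offline. It assumes an IPv4-only <HOST> group (fail2ban's real tag also matches IPv6 and hostnames), a simplified date-stripping step that knows only the two timestamp formats in the thread, an assumed year of 2020 for syslog lines, and a simplified maxretry/findtime counter; the sample log lines are constructed from the ones quoted in the thread plus one non-matching sshd line, and all function names are my own.

```python
"""Added example (not part of this thread, not fail2ban's own code): replay fail2ban's filter
step over the two phpMyAdmin log formats quoted in the thread, using constructed sample lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# fail2ban expands the <HOST> tag into its own host-matching group (IPv4, IPv6, hostnames).
# Assumption for this example: an IPv4-only group, enough for the log lines in the thread.
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex variants that appear in the thread, in fail2ban syntax.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FAILREGEX_ORIGINAL = r"^<HOST> -.*(?:%(denied)s)$"                                       # first attempt
FAILREGEX_DOMINIC = r"user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$"  # Dominic's suggestion
FAILREGEX_FINAL = r"user denied:.+ from <HOST>\s*$"                                       # the working filter

# Timestamp prefixes of the two log files in the thread: syslog (/var/log/secure) and the
# php-fpm error log. fail2ban removes the matched date from a line before applying failregex,
# so a leading ^ in a failregex anchors at whatever follows the timestamp. This simplified
# splitter handles only these two formats.
_SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
_PHPFPM_TS = re.compile(r"^\[(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] (?P<rest>.*)$")


def split_timestamp(line, assumed_year=2020):
    """Return (datetime, remainder) for a log line, mirroring fail2ban's date removal.
    Syslog lines carry no year, so one is assumed (constructed default: 2020)."""
    m = _PHPFPM_TS.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m.group("rest")
    m = _SYSLOG_TS.match(line)
    if m:
        ts = datetime.strptime(f"{assumed_year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m.group("rest")
    raise ValueError(f"unrecognised timestamp format: {line!r}")


def compile_failregex(failregex):
    """Expand the %(denied)s variable and the <HOST> tag into a Python regex."""
    return re.compile(failregex.replace("%(denied)s", DENIED).replace("<HOST>", HOST_TAG))


def find_failures(failregex, lines):
    """Apply a failregex the way the filter would: strip the date, then search the remainder.
    Returns [(timestamp, host), ...] for every matching line."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        ts, rest = split_timestamp(line)
        m = rx.search(rest)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def banned_hosts(failregex, lines, maxretry=3, findtime=600):
    """Simplified jail logic: a host is banned once it has maxretry matches within findtime
    seconds (fail2ban's defaults are maxretry=5, findtime=600; the thread's jail uses 3)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in find_failures(failregex, lines):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample lines modelled on the two formats quoted in the thread. The sshd line is
# a constructed non-failure entry that must not match any of the filters.
SECURE_LOG = [
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10",
    "Feb 14 21:50:00 www sshd[4100]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]
PHPFPM_LOG = [
    "[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 168.194.165.40",
    "[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 168.194.165.40",
    "[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 168.194.165.40",
    "[15-Feb-2020 18:30:00 UTC] user denied: root (mysql-denied) from 192.0.2.7",
]

if __name__ == "__main__":
    variants = [("original", FAILREGEX_ORIGINAL), ("dominic", FAILREGEX_DOMINIC), ("final", FAILREGEX_FINAL)]
    for name, rx in variants:
        for log_name, log in [("secure", SECURE_LOG), ("php-fpm", PHPFPM_LOG)]:
            hits = find_failures(rx, log)
            print(f"{name:8s} on {log_name:7s}: {len(hits)} matches, would ban {sorted(banned_hosts(rx, log))}")
```

Running it shows the original `^<HOST> -` regex matching nothing on either log, because once the timestamp is removed the syslog line begins with the server hostname and the php-fpm line with "user denied:", never with the client IP; both of the later regexes match, and the third failure inside the findtime window is what produces the ban. Against a real log file the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/php-fpm/www-error.log /etc/fail2ban/filter.d/phpmyadmin.conf`, which also reports which lines the date detector could not parse.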
