Custom fail2ban Filter for phpMyadmin bruteforce attempts
That's fine, but why not use the Apache functionality to log failed logins?
Add these lines to your Apache config (e.g. /etc/apache2/conf.d/phpmyadmin.conf) in the corresponding VirtualHost section:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined
Then create the fail2ban filter:
/etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =
Now add the jail to /etc/fail2ban/jail.local
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log
Restart apache and fail2ban:
service apache2 reload
service fail2ban reload
and you are done, no need for PHP scripts and so on.
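Added example, not code from the answer above and not part of fail2ban or phpMyAdmin: a small Python 3 script that applies the same failregex to a handful of constructed pma_combined lines and replays fail2ban's maxretry/findtime counting over them, so you can see which hosts the jail would ban before you deploy it. Assumptions: the <HOST> expansion is the one fail2ban 0.8 substitutes (any plain non-space match would do for these lines); the sample IPs, timestamps, user names and user agents are made up; maxretry=3 and findtime=600 are fail2ban's defaults, which the jail above inherits because it sets neither.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the pma_combined format from the answer above:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %{userID}n %{userStatus}n
# Addresses, times and names are invented for this example. Apache prints "-"
# when phpMyAdmin has not set the note (e.g. on pages other than the login).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2012:01:01:03 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" root mysql-denied
203.0.113.7 - - [07/Oct/2012:01:01:09 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" admin mysql-denied
203.0.113.7 - - [07/Oct/2012:01:01:15 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" root empty-denied
198.51.100.23 - - [07/Oct/2012:01:02:40 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "curl/7.19" dba ok
198.51.100.23 - - [07/Oct/2012:01:03:02 +0000] "GET /phpmyadmin/main.php HTTP/1.1" 200 8921 "-" "curl/7.19" dba -
192.0.2.99 - - [07/Oct/2012:01:20:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" root root-denied
192.0.2.99 - - [07/Oct/2012:01:45:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" root allow-denied
"""

# Same alternation as the "denied" definition in the filter above.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
# Assumption: this is what fail2ban 0.8 substitutes for <HOST>.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The filter's failregex (^<HOST> -.*(?:denied)$) with <HOST> expanded and the
# Apache %t field captured so the findtime window can be replayed.
FAILREGEX = re.compile(r"^" + HOST + r" -.*?\[(?P<ts>[^\]]+)\].*(?:" + DENIED + r")$")


def parse_failures(log_text):
    """Return (timestamp, host) for every line the filter would count as a failure."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            failures.append((ts, m.group("host")))
    return failures


def bans(failures, maxretry=3, findtime=600):
    """Mimic the jail: ban a host once it has maxretry failures within findtime seconds.

    Returns {host: timestamp of the failure that triggered the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, host in sorted(failures):
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        # Drop failures that fell out of the findtime window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in bans(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {host} at {when.isoformat()}")
```

Two things the replay makes visible: the line whose last field is "ok" or "-" is never counted, because the regex only accepts a line that ends in one of the denied tokens, and 192.0.2.99's two failures 25 minutes apart are never banned with findtime=600, which is what you want (or not) depending on how patient the attacker is. Note also that the filter anchors <HOST> on %h, so if Apache sits behind a reverse proxy the banned address would be the proxy's, not the client's.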
You should change your script to include a timestamp in the log files. Without this, fail2ban will not work.
Use
fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf
to verify your regex first. I could start fail2ban successfully using your original configuration (prior to jail.local):
Oct 7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch
Oct 7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
Oct 7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
Oct 7 01:01:03 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 2
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'ssh-iptables'
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
Oct 7 01:01:03 hostname fail2ban.filter : INFO Added logfile = /var/log/secure
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 5
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' started
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' started
Oct 7 01:10:54 hostname fail2ban.jail : INFO Jail 'phpmyadmin' stopped
Oct 7 01:10:55 hostname fail2ban.jail : INFO Jail 'ssh-iptables' stopped
Oct 7 01:10:55 hostname fail2ban.server : INFO Exiting Fail2ban
Oct 7 01:10:56 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct 7 01:10:56 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
Oct 7 01:10:56 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
Oct 7 01:10:56 hostname fail2ban.filter : INFO Added logfile = /var/log/phpmyadmin_auth.log
Once the correct regex is in place, you can use audit to see whether or not your file is being accessed by fail2ban.
I used: auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban