
Creating a fail2ban phpmyadmin filter

Xep22

Member
Hello,

I want to secure my phpMyAdmin login with fail2ban. As far as I can see, the failed logins end up in /var/log/auth.log:

Code:
Jul  2 16:11:04 root phpMyAdmin[12893]: user denied: root (mysql-denied) from XXX.XX.XXX.XXX

So I created the file /etc/fail2ban/filter.d/phpmyadmin.conf:

Code:
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

I added the filter to /etc/fail2ban/jail.local:

Code:
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/auth.log

Then I restarted fail2ban. But after several failed logins nothing happens; login is still possible. Nothing about my logins shows up in fail2ban.log either.

So what is wrong?
 
I don't know what is actually in your log.
Show us what the line in auth.log looks like when everything works and when it fails.
 
Try changing the failregex.
failregex = user denied:.*\(?:%(denied)s\) from <HOST>$
//edit: I hadn't escaped the parenthesis
I have to admit I don't have at hand right now how the non-capturing group behaves there. I always get mixed up with PCRE, so please don't scold me ;)
It may also be that it has to look like this, yes.
failregex = user denied:.*\((?:%(denied)s)\) from <HOST>$
 
Have you actually tested the regex? (see addendum #4 above)

fail2ban-regex '/var/log/auth.log' /etc/fail2ban/filter.d/phpmyadmin.conf
 
That gives this:

Code:
root@root:~# fail2ban-regex '/var/log/auth.log' /etc/fail2ban/filter.d/phpmyadmin.conf

Running tests
=============

Use   failregex filter file : phpmyadmin, basedir: /etc/fail2ban
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [8] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 8 lines, 0 ignored, 0 matched, 8 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Jul  2 19:44:31 root sshd[1688]: Invalid user afp from 150.109.XXX.XXX port 40978
|  Jul  2 19:44:31 root sshd[1688]: input_userauth_request: invalid user afp [preauth]
|  Jul  2 19:44:31 root sshd[1688]: pam_unix(sshd:auth): check pass; user unknown
|  Jul  2 19:44:31 root sshd[1688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.109.XXX.XXX
|  Jul  2 19:44:33 root sshd[1688]: Failed password for invalid user afp from 150.109.XXX.XXX port 40978 ssh2
|  Jul  2 19:44:33 root phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.XXX.XXX
|  Jul  2 19:44:33 root sshd[1688]: Received disconnect from 150.109.XXX.XXX port 40978:11: Bye Bye [preauth]
|  Jul  2 19:44:33 root sshd[1688]: Disconnected from 150.109.XXX.XXX port 40978 [preauth]
`-
 
Code:
root@s121 ~/tmp # cat phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied:.*\((?:%(denied)s)\) from <HOST>$
ignoreregex =
root@s121 ~/tmp # fail2ban-regex --verbose '  Jul  2 19:44:33 root phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.XXX.XXX' ./phpmyadmin.conf

Running tests
=============

Use   failregex file : ./phpmyadmin.conf
Use      single line :   Jul  2 19:44:33 root phpMyAdmin[32046]: user den...


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] user denied:.*\((?:mysql-denied|allow-denied|root-denied|empty-denied)\) from <HOST>$
|      52.87.34.244  Thu Jul 02 19:44:33 2020 (multiple regex matched)
|      52.20.76.192  Thu Jul 02 19:44:33 2020 (multiple regex matched)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
|  [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Epoch
|  [0] {^LN-BEG}ExYear2ExMonthExDay  ?24hour:Minute:Second
|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
|  [0] {^LN-BEG}ExYearExMonthExDay(?:T|  ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}TAI64N
|  [0] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] (?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/ExYear:24hour:Minute:Second
|  [0] Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] Epoch
|  [0] {^LN-BEG}24hour:Minute:Second
|  [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
|  [0] ExYear2ExMonthExDay  ?24hour:Minute:Second
|  [0] MON Day, ExYear 12hour:Minute:Second AMPM
|  [0] ^MON-Day-ExYear2 %k:Minute:Second
|  [0] ExYearExMonthExDay(?:T|  ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] (?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] (?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] TAI64N
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]
 
Well, I tested it on my Debian 9.

/var/log/auth.log
Code:
Jul  3 11:32:01 servana systemd-logind[378]: New seat seat0.
Jul  3 11:32:01 servana systemd-logind[378]: Watching system buttons on /dev/input/event2 (Power Button)
Jul  3 11:32:01 servana systemd-logind[378]: Watching system buttons on /dev/input/event3 (Sleep Button)
Jul  3 11:32:01 servana systemd-logind[378]: Watching system buttons on /dev/input/event4 (Video Bus)
Jul  3 11:32:03 servana sshd[442]: Server listening on 0.0.0.0 port 22.
Jul  3 11:32:03 servana sshd[442]: Server listening on :: port 22.
Jul  3 11:32:10 servana sshd[442]: Received SIGHUP; restarting.
Jul  3 11:32:10 servana sshd[442]: Server listening on 0.0.0.0 port 22.
Jul  3 11:32:10 servana sshd[442]: Server listening on :: port 22.
Jul  3 11:32:10 servana sshd[442]: Received SIGHUP; restarting.
Jul  3 11:32:10 servana sshd[442]: Server listening on 0.0.0.0 port 22.
Jul  3 11:32:10 servana sshd[442]: Server listening on :: port 22.
Jul  3 11:32:23 servana sshd[811]: Accepted password for root from 192.168.178.21 port 50894 ssh2
Jul  3 11:32:23 servana sshd[811]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 11:32:23 servana systemd-logind[378]: New session 1 of user root.
Jul  3 11:32:23 servana systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul  3 11:34:07 servana login[425]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul  3 11:34:07 servana systemd-logind[378]: New session 4 of user root.
Jul  3 11:34:07 servana login[837]: ROOT LOGIN  on '/dev/tty1'
Jul  3 11:34:41 servana systemd-logind[378]: Failed to abandon session scope, ignoring: Connection reset by peer
Jul  3 11:35:00 servana systemd-logind[388]: New seat seat0.
Jul  3 11:35:00 servana systemd-logind[388]: Watching system buttons on /dev/input/event2 (Power Button)
Jul  3 11:35:00 servana systemd-logind[388]: Watching system buttons on /dev/input/event3 (Sleep Button)
Jul  3 11:35:00 servana systemd-logind[388]: Watching system buttons on /dev/input/event4 (Video Bus)
Jul  3 11:35:06 servana sshd[589]: Server listening on 0.0.0.0 port 22.
Jul  3 11:35:06 servana sshd[589]: Server listening on :: port 22.
Jul  3 11:35:07 servana sshd[589]: Received SIGHUP; restarting.
Jul  3 11:35:07 servana sshd[589]: Server listening on 0.0.0.0 port 22.
Jul  3 11:35:07 servana sshd[589]: Server listening on :: port 22.
Jul  3 11:35:15 servana login[427]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul  3 11:35:15 servana systemd-logind[388]: New session 1 of user root.
Jul  3 11:35:15 servana systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul  3 11:35:15 servana login[823]: ROOT LOGIN  on '/dev/tty1'
Jul  3 11:35:40 servana sshd[832]: Accepted password for root from 192.168.178.21 port 50899 ssh2
Jul  3 11:35:40 servana sshd[832]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 11:35:40 servana systemd-logind[388]: New session 3 of user root.
Jul  3 11:36:23 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:24 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:25 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:26 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:27 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:36 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123
Jul  3 11:36:29 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.111.123

/etc/fail2ban/filter.d/phpmyadmin.conf
Code:
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied: .* \((?:%(denied)s)\) from <HOST>
ignoreregex =

/etc/fail2ban/jail.local
Code:
#

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/auth.log
maxretry = 3

-------------
Status query:
Code:
Status for the jail: phpmyadmin
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:    89.247.111.123

As you can see, it works for me.
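As an added illustration (not code from this thread or from fail2ban itself), a small Python script that expands the `%(denied)s` and `<HOST>` placeholders roughly the way fail2ban does, strips the syslog timestamp, and runs both the original failregex from the question and the working one from the last post over constructed auth.log lines; it shows why the first pattern matched nothing and which host would exceed `maxretry = 3`. The `<HOST>` stand-in pattern and the timestamp stripping are simplified assumptions, and fail2ban's `findtime` window is ignored.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's auth.log (IPs are placeholders).
LOG_LINES = [
    "Jul  2 19:44:31 root sshd[1688]: Invalid user afp from 150.109.0.1 port 40978",
    "Jul  2 19:44:33 root phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.0.1",
    "Jul  3 11:36:23 servana phpMyAdmin[32046]: user denied: root (mysql-denied) from 89.247.0.1",
    "Jul  3 11:36:24 servana phpMyAdmin[32046]: user denied: admin (allow-denied) from 89.247.0.1",
    "Jul  3 11:36:25 servana phpMyAdmin[32046]: user denied: root (empty-denied) from 203.0.113.5",
]

# The same interpolation variable the filter file defines.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: dotted IPv4, IPv6 or plain hostname).
HOST_RE = r"(?P<host>[A-Za-z0-9.:-]+)"

# From the question: expects the host at line start, apache-access-log style.
ORIGINAL = r"^<HOST> -.*(?:%(denied)s)$"
# From the working Debian 9 answer.
FIXED = r"user denied: .* \((?:%(denied)s)\) from <HOST>"


def compile_failregex(failregex: str, denied: str = DENIED) -> re.Pattern:
    """Expand %(denied)s and <HOST> as fail2ban does, then compile."""
    expanded = failregex.replace("%(denied)s", denied).replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def strip_timestamp(line: str) -> str:
    """fail2ban matches failregex against the line after the date prefix; drop "MON Day HH:MM:SS "."""
    return re.sub(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d ", "", line)


def matched_hosts(failregex: str, lines) -> list:
    """Return the <HOST> value of every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(strip_timestamp(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(failregex: str, lines, maxretry: int = 3) -> list:
    """Hosts with at least maxretry matches (findtime window ignored, as a simplification)."""
    counts = Counter(matched_hosts(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)
```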
 