Custom fail2ban filter for phpMyAdmin brute-force attempts

Mic*_*son 10 security configuration fail2ban

To block excessive failed phpMyAdmin login attempts with fail2ban, I created a script that logs failed attempts to a file: /var/log/phpmyadmin_auth.log


Custom log

The format of the /var/log/phpmyadmin_auth.log file is:

phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

Custom filter

[Definition]

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

phpMyAdmin jail

[phpmyadmin]

enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

The fail2ban log contains:

2012-10-04 10:52:22,756 fail2ban.server : INFO   Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail   : INFO   Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail   : INFO   Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO   Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO   Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO   Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail   : INFO   Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail   : INFO   Jail 'fail2ban' started

When I issue:

sudo service fail2ban restart

fail2ban emails me saying that ssh has been restarted, but I get no email about my phpmyadmin jail. Repeated failed phpMyAdmin logins do not cause an email to be sent.

Am I missing some key setting? Is the regex in my filter wrong?


Update: added the changes made to the default installation

Starting from a fresh fail2ban install:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Changed the email address to my own, and the action to:

action = %(action_mwl)s

Appended the following to jail.local

[phpmyadmin]

enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 4
Run Code Online (Sandbox Code Playgroud)

Added the following to /etc/fail2ban/filter.d/phpmyadmin.conf

# phpmyadmin configuration file
#
# Author: Michael Robinson
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =

Restart fail2ban

sudo service fail2ban restart

PS: I like eggs

spa*_*ker 9

That's fine, but why not use Apache's ability to log failed logins?

Add these lines to the Apache configuration in the appropriate VirtualHost section (i.e. /etc/apache2/conf.d/phpmyadmin.conf):

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Then create the fail2ban filter:

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

Now add the jail to /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Restart Apache and fail2ban:

service apache2 reload
service fail2ban reload

And you're done, no need for PHP scripts and the like.
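As an added example (not code from either post), this Python script emulates how fail2ban applies a failregex, expanding <HOST> as the filter.d template quoted in the question describes and substituting %(denied)s as in the answer's filter, and runs both the question's script-log filter and the answer's pma_combined filter over constructed sample lines to show which lines would count against maxretry. The log lines and IP addresses are constructed.

```python
import re

# fail2ban expands the <HOST> tag to this pattern (quoted in the filter.d
# template on this page); the helper below does the same substitution.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

def compile_failregex(failregex, definitions=None):
    """Expand %(name)s references to other [Definition] options (as fail2ban's
    config parser does), then replace <HOST> with the host-capturing group."""
    if definitions:
        failregex = failregex % definitions
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def count_failures(regex, lines):
    """Count matching lines per source host, the way a jail tallies
    failures before comparing the total with maxretry."""
    counts = {}
    for line in lines:
        match = regex.search(line)
        if match:
            counts[match.group("host")] = counts.get(match.group("host"), 0) + 1
    return counts

# Filter from the question: lines written by the custom PHP script.
SCRIPT_REGEX = compile_failregex(
    r"phpMyadmin login failed with username: .*; ip: <HOST>;")
# Filter from the answer: Apache pma_combined lines ending in %{userStatus}n.
APACHE_REGEX = compile_failregex(
    r"^<HOST> -.*(?:%(denied)s)$",
    {"denied": "mysql-denied|allow-denied|root-denied|empty-denied"})

# Constructed sample log lines (not taken from a real server).
SCRIPT_LOG = [
    "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php",
    "phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php",
    "phpMyadmin login failed with username: admin; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php",
    "phpMyadmin login succeeded with username: root; ip: 10.0.0.9; url: http://somedomain.com/phpmyadmin/index.php",
]
APACHE_LOG = [
    '192.168.1.50 - - [04/Oct/2012:10:52:22 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" root root-denied',
    '192.168.1.50 - - [04/Oct/2012:10:52:30 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" - empty-denied',
    '10.0.0.7 - - [04/Oct/2012:10:53:01 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" bob mysql-denied',
    '10.0.0.9 - - [04/Oct/2012:10:53:05 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" root ok',
]

def script_failures():
    return count_failures(SCRIPT_REGEX, SCRIPT_LOG)  # {'192.168.1.50': 2, '10.0.0.7': 1}

def apache_failures():
    return count_failures(APACHE_REGEX, APACHE_LOG)  # {'192.168.1.50': 2, '10.0.0.7': 1}
```

The successful login (userStatus "ok") is correctly not counted by the answer's filter; the same check can be done against a real log with fail2ban's own `fail2ban-regex` tool.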

  • Please don't edit `jail.conf` directly; create a copy `jail.local` instead (3)