fail2ban custom filter for phpMyAdmin bruteforce attempts

9

In my quest to block excessive failed phpMyAdmin login attempts with fail2ban, I have created a script that logs the failed attempts to the file /var/log/phpmyadmin_auth.log


Custom log

The format of the /var/log/phpmyadmin_auth.log file is:

phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

Custom filter

[Definition]

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

phpMyAdmin jail

[phpmyadmin]

enabled  = true
port    = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

The fail2ban log contains:

2012-10-04 10:52:22,756 fail2ban.server : INFO   Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail   : INFO   Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail   : INFO   Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO   Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO   Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO   Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail   : INFO   Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail   : INFO   Jail 'fail2ban' started

When I issue:

sudo service fail2ban restart

I get the fail2ban email telling me that ssh has been restarted, but I receive no such email about my phpmyadmin jail. Repeated failed phpMyAdmin logins do not cause an email to be sent.

Am I missing some critical setting? Is my filter regular expression wrong?


Update: added changes from the default installation

Starting with a clean fail2ban installation:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Change the email address to mine, and the action to:

action = %(action_mwl)s

Add the following to jail.local

[phpmyadmin]

enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 4

Add the following to /etc/fail2ban/filter.d/phpmyadmin.conf

# phpmyadmin configuration file
#
# Author: Michael Robinson
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =

Restart fail2ban

sudo service fail2ban restart

PS: I like eggs

Michael Robinson
1
It doesn't appear to be picking up your new jail in the configuration. Please specify exactly which files you have changed.
mgorven
@mgorven I have updated my question with a comprehensive overview of what I changed
Michael Robinson
Are these actual login attempts against your phpmyadmin instance, or just scanners looking for phpmyadmin?
Scott Pack
I believe they are the latter
Michael Robinson

Answers:

8

That's nice, but why not use Apache's own functionality to log failed logins?

Add these lines to your Apache config (i.e. /etc/apache2/conf.d/phpmyadmin.conf) in the appropriate VirtualHost section:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Then create the fail2ban filter:

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

Now add the jail to /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Restart apache and fail2ban:

service  apache2 reload
service fail2ban reload

and you're done, no need for PHP scripts from now on..

spacebiker
3
Please don't edit jail.conf directly; create a copy, jail.local
NineCattoRules
You're right @Simone, I changed my answer, thanks
spacebiker
I'm having problems with the solution. Please see: serverfault.com/questions/815396/…
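As an added example (not code from spacebiker's answer, from fail2ban or from phpMyAdmin), here is how the filter above behaves when it is fed lines in the pma_combined format. It loads the [Definition] section with Python's configparser, which is what fail2ban itself uses and is the reason the %(denied)s reference expands into the four statuses, substitutes the <HOST> tag with the expansion quoted in the question's filter comment, and counts failures per client. The log lines are constructed (documentation addresses); their last two fields are the Apache notes userID and userStatus that phpMyAdmin sets, "ok" on a successful login and one of the *-denied values on failure. The maxretry value is passed in because the jail in the answer does not set one and inherits it from [DEFAULT].

```python
import configparser
import re

# The filter from the answer, verbatim. fail2ban reads filter files with
# Python's ConfigParser, so %(denied)s is expanded from the "denied" key of
# the same section exactly as it is here.
FILTER_TEXT = """
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =
"""

# fail2ban's expansion of the <HOST> tag, as quoted in the question's filter comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed pma_combined lines. Trailing fields: userID and userStatus notes
# from phpMyAdmin ("ok" on success, *-denied on failure, "-" when not set).
# The last line shows the IPv4-mapped form that the <HOST> alias strips.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2012:10:52:22 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1592 "-" "Mozilla/5.0" root mysql-denied
203.0.113.7 - - [04/Oct/2012:10:52:25 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1592 "-" "Mozilla/5.0" admin mysql-denied
203.0.113.7 - - [04/Oct/2012:10:52:27 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1592 "-" "Mozilla/5.0" - empty-denied
198.51.100.9 - - [04/Oct/2012:10:53:01 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" alice ok
198.51.100.9 - - [04/Oct/2012:10:53:02 +0000] "GET /phpmyadmin/main.php HTTP/1.1" 200 8831 "-" "Mozilla/5.0" - -
203.0.113.7 - - [04/Oct/2012:10:52:30 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1592 "-" "Mozilla/5.0" root root-denied
::ffff:203.0.113.7 - - [04/Oct/2012:10:52:33 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1592 "-" "Mozilla/5.0" root allow-denied
"""


def load_filter(filter_text):
    """Return (failregex, ignoreregex) compiled the way fail2ban would."""
    cp = configparser.ConfigParser()
    cp.read_string(filter_text)
    fail = cp.get("Definition", "failregex").replace("<HOST>", HOST_TAG)
    ignore = cp.get("Definition", "ignoreregex").replace("<HOST>", HOST_TAG)
    return re.compile(fail), (re.compile(ignore) if ignore else None)


def failures_by_host(log_text, filter_text=FILTER_TEXT):
    """Count, per client address, the lines the filter treats as a failed login."""
    failregex, ignoreregex = load_filter(filter_text)
    counts = {}
    for line in log_text.splitlines():
        if ignoreregex is not None and ignoreregex.search(line):
            continue
        m = failregex.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts, maxretry):
    """Hosts whose failure count has reached the jail's maxretry."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failures_by_host(SAMPLE_LOG)
    print(counts)                    # {'203.0.113.7': 5}
    print(hosts_to_ban(counts, 3))   # ['203.0.113.7']
```

The successful login (status ok) and the plain page fetch (status -) are not counted, and the ::ffff: prefixed line is credited to the same address as the others, so a client that alternates between the two forms does not get a fresh counter.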
2
  1. You have to change your script to include a timestamp in the log file. Without this, fail2ban will not work

  2. Use fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf to verify your regex first.

  3. I could start fail2ban successfully using your original configuration (before jail.local)

    Oct  7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch 
    Oct  7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
    Oct  7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
    Oct  7 01:01:03 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 2
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
    Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Added logfile = /var/log/secure
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 5
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
    Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' started
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' started
    Oct  7 01:10:54 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' stopped
    Oct  7 01:10:55 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
    Oct  7 01:10:55 hostname fail2ban.server : INFO   Exiting Fail2ban
    Oct  7 01:10:56 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
    Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
    Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
    Oct  7 01:10:56 hostname fail2ban.filter : INFO   Added logfile = /var/log/phpmyadmin_auth.log
    
  4. Once the correct regex is in place, you can use audit to see whether your file is being accessed by fail2ban or not.

I used auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban

Nehal Dattani
I'm having problems with the solution, please see: serverfault.com/questions/815396/...
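As an added example (not code from the question or from either answer), the following Python replays the question's custom log through the question's own failregex the way a fail2ban jail does, with the timestamp that the answer above says the logging script must write. The YYYY-MM-DD HH:MM:SS prefix is an assumption (fail2ban recognises many date formats, this script only that one), the log lines are constructed, and the sliding window uses the findtime of 600 seconds visible in the question's fail2ban log and the maxretry of 4 from the updated jail. A line in the original timestamp-less format is matched by the regex but reported as skipped, which is what fail2ban does with a match that carries no parsable date, and is why the first point of the answer matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's expansion of the <HOST> tag, as quoted in the question's filter comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The question's failregex, verbatim apart from the <HOST> expansion.
FAILREGEX = re.compile(
    "phpMyadmin login failed with username: .*; ip: <HOST>;".replace("<HOST>", HOST_TAG)
)

# Assumed timestamp that the logging script prepends to every line. The
# original script wrote none, which is the answer's first point.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log: 192.168.1.50 fails four times within ten minutes and
# once more much later, 192.168.1.77 fails once, and one line keeps the
# original format with no timestamp at all.
SAMPLE_LOG = """\
2012-10-04 10:52:22 phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
2012-10-04 10:52:40 phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php
2012-10-04 10:53:05 phpMyadmin login failed with username: admin; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
2012-10-04 10:55:10 phpMyadmin login failed with username: root; ip: 192.168.1.77; url: http://somedomain.com/phpmyadmin/index.php
2012-10-04 10:58:30 phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: root; ip: 192.168.1.99; url: http://somedomain.com/phpmyadmin/index.php
2012-10-04 11:20:00 phpMyadmin login failed with username: test; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
"""


def regex_summary(log_text):
    """The headline numbers fail2ban-regex prints: lines read and lines matched."""
    lines = log_text.splitlines()
    return len(lines), sum(1 for line in lines if FAILREGEX.search(line))


def scan(log_text, maxretry=4, findtime=600):
    """Replay the log like a jail: a host is banned once it has maxretry
    matches inside any findtime-second window. Returns the banned hosts in
    ban order and the matching lines that were skipped for lack of a date."""
    recent = defaultdict(deque)
    banned, skipped = [], []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m is None:
            continue
        t = TIMESTAMP.match(line)
        if t is None:
            # The regex matched, but the event cannot be placed in time, so
            # fail2ban does not count it.
            skipped.append(line)
            continue
        host = m.group("host")
        if host in banned:
            continue
        when = datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")
        window = recent[host]
        window.append(when)
        # Drop events that fell out of the findtime window.
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned, skipped


if __name__ == "__main__":
    print(regex_summary(SAMPLE_LOG))            # (7, 7): the regex itself is fine
    print(scan(SAMPLE_LOG))                     # (['192.168.1.50'], [<the timestamp-less line>])
    print(scan(SAMPLE_LOG, maxretry=6)[0])      # []: the question's original maxretry never triggers
    print(scan(SAMPLE_LOG, findtime=300)[0])    # []: the four failures no longer fit one window
```

The first print is the fail2ban-regex check from the answer's second point: all seven lines match, so the regex was never the problem. The second shows the ban arriving on the fourth failure inside the window, and the timestamp-less line being matched yet discarded; with the original maxretry of 6, or with a shorter findtime, the same log produces no ban at all, which is worth remembering when a jail seems silent.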