Fail2ban Apache error.log

Discussion in 'General' started by mbensoussan, Mar 3, 2020.

  1. mbensoussan

    mbensoussan New Member

    Hi,
    I'm trying to configure fail2ban to protect my server.
    Apache with phpMyAdmin.

    I have made a new filter for phpMyAdmin.

    First file:
    Code:
    sudo nano /etc/fail2ban/filter.d/apache-phpmyadmin.conf
    Code:
    # Fail2Ban configuration file
    # Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
    #
     
    [Definition]
    # Option: failregex
    # Notes.: Regexp to match often probed and not available phpmyadmin paths.
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] File does not exist: .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)
     
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

    And I enabled the filter in jail.local:
    Code:
    [apache-phpmyadmin]
    enabled = true
    port = http,https
    filter = apache-phpmyadmin
    logpath = /var/log/apache*/*error*.log
              /var/www/clients/client1/web4/log/*error*.log
    maxretry = 3
    bantime = 86400
    First of all, I see that error.log doesn't log bad accesses.
    For example, I try to access IP//myadmin, which results in a 404 Not Found.

    Nevertheless, in access.log I can find:
    So why doesn't my Apache log URLs that return 404 Not Found? Or perhaps there is another log file with ISPConfig?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer, Staff Member

    It did log both the url (/myadmin) and the 'not allowed' (404 code), as you pasted from the access.log. Access messages, whether access was allowed or denied or otherwise (redirected, etc.) go to the access.log, not the error.log, so you could start with changing your jail entry to use that and see where you get.

    The regex in the filter you have doesn't work for that, as it requires the string 'File does not exist'. In a bit of checking on Debian apache servers, I don't see that string present in access.log or error.log; my guess is the filter matches the logs of a different web server (nginx?), or at minimum a different OS (non-Debian) with different log format.

    If it helps, here is what I have related to phpmyadmin on Debian 10. You need multiple jails, the one you were working at catches scans for phpmyadmin installations (i.e. people trying to find/guess at your install - clearly bad), but it does not catch when people/bots are accessing the actual, correct path and trying to log in; for that you need phpmyadmin logging failed logins, and another jail to catch those.

    In Debian, phpmyadmin will log to syslog out of the box, and a 'phpmyadmin-syslog' filter to match failed logins is provided in the fail2ban package. I use multiple jails with increasing time lengths and ban lengths, so that an occasional legitimate user who might hit the first (5 failed logins in 60 seconds) will get another chance soon, where clearly abusive numbers get a long block. For scans for the phpmyadmin install I create a custom phpmyadmin.local you could use or build upon.

    Excerpt from /etc/fail2ban/jail.local:
    Code:
    [phpmyadmin]
    
    enabled = true
    port = http,https
    logpath = %(apache_access_log)s
      /var/www/clients/client*/web*/log/access.log
    maxretry = 3
    findtime = 600
    bantime = 3600
    
    
    [phpmyadmin-syslog]
    
    enabled  = true
    port     = http,https
    maxretry = 5
    findtime = 60
    bantime  = 300
    
    [phpmyadmin-syslog-10m]
    
    enabled  = true
    filter   = phpmyadmin-syslog
    port     = http,https
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    maxretry = 12
    findtime = 600
    bantime  = 3600
    
    [phpmyadmin-syslog-6h]
    
    enabled  = true
    filter   = phpmyadmin-syslog
    port     = http,https
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    maxretry = 30
    findtime = 21600
    bantime  = 86400
    
    /etc/fail2ban/filter.d/phpmyadmin-syslog.conf exists from the debian package, but for completeness, here it is:
    Code:
    # Fail2Ban filter for the phpMyAdmin-syslog
    #
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = phpMyAdmin
    
    failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
    
    ignoreregex =
    
    
    # Author: Pavel Mihadyuk
    # Regex fixes: Serg G. Brester
    
    And this is /etc/fail2ban/filter.d/phpmyadmin.local:
    Code:
    # Fail2ban config file for phpmyadmin filter
    #
    # Author: Jesse Norell
    #
    
    [Definition]
    
    # in practice the scans all appear to end in /scripts/setup.php,
    # you can restrict to that if you wish
    
    pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
    pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
    pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
    pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
    pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
    pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
    pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)
    
    failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]
    
    # ignore legitimate phpmyadmin requests if you use it,
    # eg. on an ISPConfig server that is (lowercase) /phpmyadmin
    # and ignore any local /admin redirects
    
    # disallowed paths (appended to /phpmyadmin/)
    pmabadreq = scripts/setup.php
    
    ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
                  ^.* "GET /phpmyadmin HTTP/.\.." 3
                  ^.* "GET /admin/? HTTP/.\.." 3
    
     
    Taleman and Steini86 like this.
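
The two filters in this thread can be checked offline before they go into a jail. The script below is an added example, not code from either poster and not fail2ban's own tooling: it re-implements only the parts of fail2ban's filter handling needed here (`%(name)s` interpolation, the `<HOST>` placeholder, one pattern per line, ignoreregex checked before failregex) and runs Jesse Norell's phpmyadmin.local definitions over constructed access.log lines, then the first post's error.log regex over constructed error.log lines. Assumptions: the access lines follow ISPConfig's combined format with the vhost name first (which is what `^[^ ]* <HOST>` expects), the `<HOST>` expansion is fail2ban's classic 0.9-era one, and the sample IPs, timestamps and paths are invented.

```python
"""Offline check of the fail2ban filters in this thread against constructed log
lines (added example, not fail2ban's own tooling).  Only the parts of fail2ban's
filter handling needed here are re-implemented."""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's classic (0.9-era) <HOST> expansion; assumed adequate for IPv4 samples.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Definitions from Jesse Norell's filter.d/phpmyadmin.local, comments omitted.
PHPMYADMIN_LOCAL = r"""
[Definition]
pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)
failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]
pmabadreq = scripts/setup.php
ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
              ^.* "GET /phpmyadmin HTTP/.\.." 3
              ^.* "GET /admin/? HTTP/.\.." 3
"""

# The first post's error.log failregex (written for Apache 2.2-style messages).
OP_FILTER = r"""
[Definition]
failregex = [[]client <HOST>[]] File does not exist: .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2)
ignoreregex =
"""

def load_filter(text):
    """Interpolate %(name)s, expand <HOST>, compile one pattern per line."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    def patterns(key):
        out = []
        for line in cp.get("Definition", key, fallback="").splitlines():
            line = line.strip().replace("<HOST>", HOST_RE)
            # Python 3.11+ rejects a global flag like (?i) that is not at the
            # start; the filter embeds one inside pmaregex, so hoist it.
            if "(?i)" in line:
                line = "(?i)" + line.replace("(?i)", "")
            if line:
                out.append(re.compile(line))
        return out
    return patterns("failregex"), patterns("ignoreregex")

def classify(fail_res, ignore_res, line):
    """Return the host fail2ban would charge for this line, or None."""
    if any(r.search(line) for r in ignore_res):
        return None
    for r in fail_res:
        m = r.search(line)
        if m:
            return m.group("host")
    return None

TS_RE = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")

def evaluate_jail(filter_text, lines, maxretry, findtime):
    """Hits per host, and the hosts with maxretry hits inside a findtime window."""
    fail_res, ignore_res = load_filter(filter_text)
    hits = defaultdict(list)
    for line in lines:
        host = classify(fail_res, ignore_res, line)
        if host:
            ts = TS_RE.search(line).group(1)
            hits[host].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return {h: len(t) for h, t in hits.items()}, banned

# Constructed access.log lines in ISPConfig's combined format (vhost first).
ACCESS_LINES = [
    'example.com 203.0.113.7 - - [03/Mar/2020:10:00:01 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
    'example.com 203.0.113.7 - - [03/Mar/2020:10:00:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
    'example.com 203.0.113.7 - - [03/Mar/2020:10:00:03 +0000] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
    'example.com 198.51.100.2 - - [03/Mar/2020:10:05:00 +0000] "GET /phpmyadmin HTTP/1.1" 301 512 "-" "Mozilla/5.0"',
    'example.com 198.51.100.2 - - [03/Mar/2020:10:05:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'example.com 192.0.2.9 - - [03/Mar/2020:11:00:00 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
    'example.com 192.0.2.9 - - [03/Mar/2020:11:40:00 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
    'example.com 192.0.2.9 - - [03/Mar/2020:12:20:00 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 493 "-" "Mozilla/5.0"',
]
# Constructed error.log lines: Apache 2.4 format (client field carries a port) and the older 2.2 format.
ERROR_LINE_24 = '[Tue Mar 03 10:00:01.123456 2020] [core:info] [pid 1234] [client 203.0.113.7:51234] AH00128: File does not exist: /var/www/clients/client1/web4/web/myadmin'
ERROR_LINE_22 = '[Tue Mar 03 10:00:01 2020] [error] [client 203.0.113.7] File does not exist: /var/www/clients/client1/web4/web/myadmin'

if __name__ == "__main__":
    print(evaluate_jail(PHPMYADMIN_LOCAL, ACCESS_LINES, maxretry=3, findtime=600))
    print(classify(*load_filter(OP_FILTER), ERROR_LINE_24), classify(*load_filter(OP_FILTER), ERROR_LINE_22))
```

Running it shows the behaviour the thread describes: the three setup.php probes from 203.0.113.7 within two seconds reach the [phpmyadmin] jail's maxretry of 3 inside findtime 600 and would be banned, the three probes from 192.0.2.9 are counted but are spread over 80 minutes and so never trip the window, and the legitimate /phpmyadmin redirect and index.php requests from 198.51.100.2 are dropped by ignoreregex even though the 301 line would otherwise match failregex. The first post's regex matches the 2.2-style line but not the 2.4-style one, because the 2.4 client field has a port suffix and the message carries an AH00128 prefix; Apache 2.4 also emits that message at info level, so with the default LogLevel warn it never reaches error.log at all. On a live server the same check is done with fail2ban's own tool, for example `fail2ban-regex /var/log/ispconfig/httpd/example.com/access.log /etc/fail2ban/filter.d/phpmyadmin.local`, which also reports lines dropped by ignoreregex.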