Fail2ban jail for phpMyAdmin

sorry! :wink:
I don’t know why putty doesn’t do anything when I write “|”


the output is
[root@localhost ~ ]# rpm -qa |grep -i fail2ban
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
fail2ban-firewalld-0.9.6-3.el7.noarch
fail2ban-0.9.6-3.el7.noarch
nethserver-fail2ban-0.1.7-1.ns7.sdl.noarch
fail2ban-shorewall-0.9.6-3.el7.noarch

On NS6:
[root@localhost ~ ]# rpm -qa |grep -i fail2ban
nethserver-fail2ban-0.0.9-1.ns6.sdl.noarch
fail2ban-0.9.6-1.el6.1.noarch

Completely strange!!! On NS6, the phpmyadmin jail bans me (at least with disabled multiaccess mode) despite the failing rpms (or is this usual on NS6?).
And do you have any idea why the rpms only show up when using rpm -qa |grep -i fail2ban and not when using rpm -qa fail2ban? And why there is no fail2ban-regex available in NS7?
On NS6, there is a fail2ban-regex


and the output of fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/phpmyadmin.conf is (in NS6)

Any suggestions?

Use Linux, the best antivirus for Windows

The bug is always between the keyboard and the chair, the correct syntax is
rpm -qa *fail2ban*

On NS7, are other jails workable?

yum clean all --enablerepo=*
yum reinstall fail2ban-server fail2ban-shorewall fail2ban-sendmail fail2ban-firewalld nethserver-fail2ban fail2ban

whereis fail2ban-regex

[quote=“stephdl, post:23, topic:5997”]
rpm -qa *fail2ban*
[/quote]
[root@localhost yum.repos.d]# rpm -qa *fail2ban*
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
fail2ban-firewalld-0.9.6-3.el7.noarch
fail2ban-0.9.6-3.el7.noarch
nethserver-fail2ban-0.1.7-1.ns7.sdl.noarch
fail2ban-shorewall-0.9.6-3.el7.noarch

[quote=“stephdl, post:24, topic:5997”]
On NS7, are other jails workable?
[/quote]
No, and I recognized that the service was not running and couldn’t be started (I looked at the journalctl -xe output, which said that some shorewall file didn’t exist - I guess it was shorewall.loc, however not sure anymore (not shorewall.log)).


Hence, I decided to reinstall fail2ban as you said


Now, it is running and the other jails seem to work (I tested especially apache-auth).

And now there is also fail2ban-regex!

[quote=“stephdl, post:24, topic:5997”]
whereis fail2ban-regex
[/quote]
fail2ban-regex: /usr/bin/fail2ban-regex /usr/share/man/man1/fail2ban-regex.1.gz

and the output of
[quote=“stephdl, post:10, topic:5997”]
fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/phpmyadmin.conf
[/quote]
Running tests

Use failregex filter file : phpmyadmin, basedir: /etc/fail2ban
Use log file : /var/log/httpd/ssl_access_log
Use encoding : UTF-8

Results

Failregex: 10 total
|- #) [# of hits] regular expression
| 1) [10] ^.-.-.[.*] “POST /phpmyadmin/index.php HTTP/1.1” 200
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [23] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:.Microseconds)?(?: Zone offset)?
`-

Lines: 23 lines, 0 ignored, 10 matched, 13 missed
[processed in 0.00 sec]

|- Missed line(s):
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/ HTTP/1.1” 200 2925
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/themes/pmahomme/jquery/jquery-ui-1.11.2.css HTTP/1.1” 200 35212
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/phpmyadmin.css.php?nocache=4459739948ltr HTTP/1.1” 200 21402
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/whitelist.php?lang=de&db=&token=42d8d2fa2b7044ceffdf7e4f7ab089d8 HTTP/1.1” 200 498
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/get_scripts.js.php?scripts%5B%5D=jquery/jquery-1.11.1.min.js&scripts%5B%5D=sprintf.js&scripts%5B%5D=ajax.js&scripts%5B%5D=keyhandler.js&scripts%5B%5D=jquery/jquery-ui-1.11.2.min.js&scripts%5B%5D=jquery/jquery.cookie.js&scripts%5B%5D=jquery/jquery.mousewheel.js&scripts%5B%5D=jquery/jquery.event.drag-2.2.js&scripts%5B%5D=jquery/jquery-ui-timepicker-addon.js&scripts%5B%5D=jquery/jquery.ba-hashchange-1.3.js HTTP/1.1” 200 139591
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/get_scripts.js.php?scripts%5B%5D=jquery/jquery.debounce-1.0.5.js&scripts%5B%5D=menu-resizer.js&scripts%5B%5D=cross_framing_protection.js&scripts%5B%5D=rte.js&scripts%5B%5D=tracekit/tracekit.js&scripts%5B%5D=error_report.js&scripts%5B%5D=doclinks.js&scripts%5B%5D=functions.js&scripts%5B%5D=navigation.js&scripts%5B%5D=indexes.js HTTP/1.1” 200 76681
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/get_scripts.js.php?scripts%5B%5D=common.js&scripts%5B%5D=codemirror/lib/codemirror.js&scripts%5B%5D=codemirror/mode/sql/sql.js&scripts%5B%5D=codemirror/addon/runmode/runmode.js&scripts%5B%5D=codemirror/addon/hint/show-hint.js&scripts%5B%5D=codemirror/addon/hint/sql-hint.js&scripts%5B%5D=console.js HTTP/1.1” 200 117005
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/messages.php?lang=de&db=&token=42d8d2fa2b7044ceffdf7e4f7ab089d8 HTTP/1.1” 200 8557
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/js/get_image.js.php?theme=pmahomme HTTP/1.1” 200 1833
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/themes/pmahomme/img/logo_right.png HTTP/1.1” 200 4548
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/themes/dot.gif HTTP/1.1” 200 43
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/favicon.ico HTTP/1.1” 200 18902
| 192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] “GET /phpmyadmin/themes/pmahomme/img/sprites.png HTTP/1.1” 200 46795
`-

However, it doesn’t ban me


curious, it matched 10 times :slight_smile: so the rule is good

Please, what is the output of
[root@NS7DEV6 ~]# config show fail2ban

[root@NS7DEV6 ~]# systemctl status fail2ban

[quote=“stephdl, post:26, topic:5997”]
config show fail2ban
[/quote]
[root@localhost ~]# config show fail2ban
fail2ban=service
ApacheAuth_status=true
ApacheBadbots_status=true
ApacheBotsearch_status=true
ApacheFakegooglebot_status=true
ApacheModsecurity_status=true
ApacheNohome_status=true
ApacheNoscript_status=true
ApacheOverflows_status=true
ApachePhpMyAdmin_status=true
ApacheScan_status=true
ApacheShellshock_status=true
BanAction=shorewall
BanLocalNetwork=enabled
BanTime=600
CustomDestemail=
Dovecot_status=true
EjabberAuth_status=true
FindTime=3600
HttpdAdmin_status=true
IgnoreIP=
LogLevel=INFO
Mail=disabled
MaxRetry=2
MysqldAuth_status=true
Nextcloud_status=true
NginxBotSearch_status=true
NginxHttpAuth_status=true
Owncloud_status=true
PamGeneric_status=true
PostfixRbl_status=true
Postfix_status=true
Recidive_status=true
Roundcube_status=true
Sieve_status=true
SogoAuth_status=true
SshdDdos_status=true
Sshd_status=true
Urbackup_status=true
Vsftpd_status=true
status=enabled

[quote=“stephdl, post:26, topic:5997”]
systemctl status fail2ban
[/quote]
[root@localhost ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2017-03-12 19:15:24 CET; 4h 11min ago
Docs: man:fail2ban(1)
Main PID: 23791 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─23791 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Mar 12 19:15:24 localhost.test.loc systemd[1]: Starting Fail2Ban Service

Mar 12 19:15:24 localhost.test.loc fail2ban-client[23788]: 2017-03-12 19:15:24,458 fail2ban.server [23789]: INFO Starting Fai
v0.9.6
Mar 12 19:15:24 localhost.test.loc fail2ban-client[23788]: 2017-03-12 19:15:24,458 fail2ban.server [23789]: INFO Starting in 
n mode
Mar 12 19:15:24 localhost.test.loc systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.

Now the best bet is to look in the fail2ban log while you try to ban your client.

tip
use : tailf /var/log/fail2ban.log

You can adjust your log level in the panel; it is definitely an issue on your side.
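
An added sketch, not part of the thread and not fail2ban's own code, of the per-host counting a jail does on lines the filter matches, using the MaxRetry=2 and FindTime=3600 values from the `config show fail2ban` output above. The regex is an assumed stand-in for the garbled failregex, the log lines are constructed, and `hosts_to_ban` with its parameters is a hypothetical name.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed stand-in for the thread's failregex (garbled on the page): a POST to
# /phpmyadmin/index.php answered with 200, which that filter counts as a failure.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /phpmyadmin/index\.php HTTP/1\.[01]" 200\b')

# Constructed sample lines (the first uses the GET format shown in the thread).
SAMPLE = [
    '192.168.2.103 - - [12/Mar/2017:19:18:20 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 2925',
    '203.0.113.7 - - [12/Mar/2017:19:20:01 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 3010',
    '198.51.100.9 - - [12/Mar/2017:19:20:05 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 3010',
    '203.0.113.7 - - [12/Mar/2017:19:20:30 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 3010',
    '192.168.2.103 - - [12/Mar/2017:19:21:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 302 20',
    '198.51.100.9 - - [12/Mar/2017:21:30:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 3010',
]

def _ignored(host, nets):
    try:
        return any(ipaddress.ip_address(host) in n for n in nets)
    except ValueError:  # the log holds a hostname, not an address
        return False

def hosts_to_ban(lines, maxretry=2, findtime=3600, ignoreip=()):
    """Map each host to the time its maxretry-th failure fell inside findtime."""
    nets = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    failures, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m["host"] in bans or _ignored(m["host"], nets):
            continue  # missed line, host already banned, or host on the ignore list
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen = failures[m["host"]]
        seen.append(when)
        while when - seen[0] > window:  # drop failures older than findtime
            seen.popleft()
        if len(seen) >= maxretry:
            bans[m["host"]] = when
    return bans

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```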