Fail2ban jail for phpMyAdmin

I just wanted to create a custom jail in nethserver-fail2ban for nethserver-phpmyadmin (both by @stephdl).

However I cannot find any log file of phpMyAdmin. Where does phpMyAdmin save its authentication logs?
I want to set the maxretry variable of the jail to 2, that’s why I don’t want to use only the http jail…
perhaps, it would be interesting to introduce such a jail in a future version of fail2ban…

Yep…it is a really good idea.

did you ever try to ban yourself from the phpmyadmin login page (allow the ban on your local network)

If the httpd official jail doesn’t do it, then go to /var/log/httpd/ssl_access.log and catch the lines of failing attempts


for ns6

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-phpmyadmin/nethserver-fail2ban-0.0.9-1.ns6.sdl.noarch.rpm

please try to ban yourself on your lan

for ns7

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-phpmyadmin/nethserver-fail2ban-0.1.7-1.ns7.sdl.noarch.rpm

Thank you!!!
Unfortunately, it doesn’t ban me… ban on lan is enabled and I adapted the url (since I use another alias than phpMyAdmin for accessing phpMyAdmin) in the phpMyAdmin filter…
do I have to replace it in another file as well?

The jail is enabled.
The result of `fail2ban-client status phpmyadmin`:

```
Status for the jail: phpmyadmin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/httpd/ssl_access_log-20170219 /var/log/httpd/ssl_access_log-20170227 /var/log/httpd/access_log /var/log/httpd/access_log-20170219 /var/log/httpd/access_log-20170227 /var/log/httpd/ssl_access_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

In the /var/log/httpd/ssl_access_log my attempts are shown as:

```
"POST /ppppp/index.php HTTP/1.1" 200 2983
```

Of course, this message appears several times in the log file…
This is exactly the thing the filter is looking for… or does the number at the end play any role?
I don’t know…!
btw, I use ns7

yes you should adapt in /etc/fail2ban/filter.d/phpmyadmin.conf

with fail2ban enabled, you could probably use the default alias, or we can do a nfr:
- set a web modifiable alias
- templatise the filter following the alias

can you test the default jail in a VM for ns6 and ns7 please


did you allow the ban on the lan (uncheck the box in the panel) ?
Else give me the last lines when the login is refused in /var/log/httpd/ssl_access_log

tailf /var/log/httpd/ssl_access_log

@phonon112358 please answer here

sorry for the delay…!
The jail works in Nethserver 6 when using phpMyAdmin without multiaccess. However, one has to disable the apache-auth and the recidive jails (or set the maxretry value of these jails higher than the one of the phpMyAdmin jail, otherwise one is banned by them before :wink:).

In Nethserver 7 the phpMyAdmin jail doesn’t ban me at all… here are the last login attempts as logged in the /var/log/httpd/ssl_access_log:

```
# tailf /var/log/httpd/ssl_access_log
192.168.2.103 - - [08/Mar/2017:16:33:49 +0100] "GET /phpmyadmin/themes/pmahomme/img/sprites.png HTTP/1.1" 200 46795
192.168.2.103 - - [08/Mar/2017:16:33:49 +0100] "GET /phpmyadmin/favicon.ico HTTP/1.1" 200 18902
192.168.2.103 - - [08/Mar/2017:16:34:12 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:18 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:27 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:33 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:42 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:51 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2990
192.168.2.103 - - [08/Mar/2017:16:34:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2990
192.168.2.103 - - [08/Mar/2017:16:35:06 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2979
```

I don’t know why it doesn’t work… of course, I have enabled the “bans from LAN” option and set the maxretry variable to 2 in the panel/module…

For the multiaccess mode in Nethserver 6, one would probably have to adapt the file /etc/fail2ban/filter.d/phpmyadmin.conf which I have not tested yet since my virtual box with Nethserver 6 is incredibly slow (probably I have chosen wrong network settings…).

EDIT: I have had a look into the /etc/fail2ban/filter.d/phpmyadmin.conf file and saw that the multiaccess mode seems to be covered already by the default jail…
However, it doesn’t ban me… Here are some of my failed login attempts as logged in the /var/log/httpd/access_log file:

```
[08/Mar/2017:16:52:01 +0100] "GET /phpmyadmin-multi/themes/pmahomme/img/input_bg.gif HTTP/1.1" 200 170 "https://192.168.1.1/phpmyadmin-multi/phpmyadmin.css.php?server=1&lang=de&collation_connection=utf8_general_ci&token=c5fb47d3bce7f6c8ea7d4ff7d765398c&js_frame=right&nocache=4239003750" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 - "https://192.168.1.1/phpmyadmin-multi/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "GET /phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 6783 "https://192.168.1.1/phpmyadmin-multi/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "GET /phpmyadmin-multi/phpmyadmin.css.php?server=1&token=c5fb47d3bce7f6c8ea7d4ff7d765398c&js_frame=right&nocache=4239003750 HTTP/1.1" 200 82340 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "GET /phpmyadmin-multi/js/messages.php?lang=de&db=&token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 18336 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "GET /phpmyadmin-multi/themes/pmahomme/img/s_error.png HTTP/1.1" 200 664 "https://192.168.1.1/phpmyadmin-multi/phpmyadmin.css.php?server=1&token=c5fb47d3bce7f6c8ea7d4ff7d765398c&js_frame=right&nocache=4239003750" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:49 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 - "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:49 +0100] "GET /phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 6783 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:57 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 - "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:52:57 +0100] "GET /phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 6783 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:53:05 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 - "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:53:05 +0100] "GET /phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 6783 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:53:17 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 - "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.1.10 - - [08/Mar/2017:16:53:18 +0100] "GET /phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c HTTP/1.1" 200 6783 "https://192.168.1.1/phpmyadmin-multi/index.php?token=c5fb47d3bce7f6c8ea7d4ff7d765398c" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
```

I left the /etc/fail2ban/filter.d/phpmyadmin.conf file untouched:

```ini
[Definition]
# this filter is made against brute force attack to phpmyadmin
# Author Stephane de Labrusse stephdl@de-labrusse.fr

failregex = ^.-..[.] "POST /phpmyadmin/index.php HTTP/1.1" 200
            ^.-..[.] "POST /phpmyadmin-multi/index.php HTTP/1.1" 200
            ^.-..[.] "GET /phpmyadmin HTTP/1.1" 401

ignoreregex =
```

Ola
It does work for me on NS7

what is the output of

```
fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/phpmyadmin.conf
```

you are saying that the multi-access jail doesn’t work because the apache jail shoots first?

Same for ns6, I’m banned by the server on url/phpmyadmin or url/phpmyadmin-multi

you can see which jail has been activated by

fail2ban-listban
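An added example, not code from this thread or from nethserver-fail2ban, that does offline what the `fail2ban-regex` check above does: it applies the three failregex patterns of the posted phpmyadmin.conf to a constructed log modelled on the entries posted earlier in the thread and counts matches per client the way fail2ban does. The patterns are an assumed reconstruction, with fail2ban's `<HOST>` placeholder restored where the forum rendering dropped it; the constructed 302 responses on the multi-access alias show why a pattern that requires status 200 yields no hits for them.

```python
import re
from collections import Counter

# Constructed sample, modelled on (not copied from) the access-log lines in
# this thread: one client gets HTTP 200 on every POST to the plain alias,
# the other gets HTTP 302 on POSTs to the multi-access alias.
SAMPLE_LOG = """\
192.168.2.103 - - [08/Mar/2017:16:34:12 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:18 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:34:27 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2978
192.168.2.103 - - [08/Mar/2017:16:33:49 +0100] "GET /phpmyadmin/favicon.ico HTTP/1.1" 200 18902
192.168.1.10 - - [08/Mar/2017:16:52:32 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 -
192.168.1.10 - - [08/Mar/2017:16:52:49 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 -
192.168.1.10 - - [08/Mar/2017:16:52:57 +0100] "POST /phpmyadmin-multi/index.php HTTP/1.1" 302 -
"""

# Assumed reconstruction of the posted filter: <HOST>, then the request line
# and the status code each pattern expects (dots escaped, unlike the page).
FAILREGEX = [
    r'^<HOST> -.*"POST /phpmyadmin/index\.php HTTP/1\.1" 200',
    r'^<HOST> -.*"POST /phpmyadmin-multi/index\.php HTTP/1\.1" 200',
    r'^<HOST> -.*"GET /phpmyadmin HTTP/1\.1" 401',
]

# fail2ban replaces <HOST> with a named capture group; IPv4-only stand-in here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_filter(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def count_failures(log_text, patterns=FAILREGEX):
    """Return {host: matched lines}, i.e. what fail2ban-regex reports as hits."""
    compiled = compile_filter(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once, whichever pattern matched it
    return dict(hits)


def would_ban(log_text, maxretry=2, patterns=FAILREGEX):
    """Hosts whose hit count reached maxretry (findtime is ignored here)."""
    return sorted(h for h, n in count_failures(log_text, patterns).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))  # {'192.168.2.103': 3}
    print(would_ban(SAMPLE_LOG))       # ['192.168.2.103']
```

The 302 client never appears in the counts because none of the three patterns accepts that status, which is the kind of mismatch `fail2ban-regex` makes visible on the real log.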

Somehow, there seems to be no fail2ban-regex command in my (pretty) fresh Nethserver 7 installation:

```
# fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/phpmyadmin.conf
-bash: fail2ban-regex: command not found
```

fail2ban is however running:

```
# config show fail2ban
fail2ban=service
    ApacheAuth_status=false
    ApacheBadbots_status=true
    ApacheBotsearch_status=false
    ApacheFakegooglebot_status=true
    ApacheModsecurity_status=false
    ApacheNohome_status=true
    ApacheNoscript_status=true
    ApacheOverflows_status=true
    ApachePhpMyAdmin_status=true
    ApacheScan_status=true
    ApacheShellshock_status=true
    BanAction=shorewall
    BanLocalNetwork=enabled
    BanTime=600
    CustomDestemail=
    Dovecot_status=true
    EjabberAuth_status=true
    FindTime=3600
    HttpdAdmin_status=true
    IgnoreIP=
    LogLevel=INFO
    Mail=disabled
    MaxRetry=2
    MysqldAuth_status=true
    Nextcloud_status=true
    NginxBotSearch_status=true
    NginxHttpAuth_status=true
    Owncloud_status=true
    PamGeneric_status=true
    PostfixRbl_status=true
    Postfix_status=true
    Recidive_status=true
    Roundcube_status=true
    Sieve_status=true
    SogoAuth_status=true
    SshdDdos_status=true
    Sshd_status=true
    Urbackup_status=true
    Vsftpd_status=true
    status=enabled
```

On Nethserver 6 (when enabling multiaccess mode in phpMyAdmin), I am not banned at all when trying to log in to phpMyAdmin (neither by one of the apache jails nor by the phpmyadmin jail)… Similar to Nethserver 7…

please, do and report

```
[root@NS7DEV6 ~]# rpm -qa fail2ban
fail2ban-shorewall-0.9.6-3.el7.noarch
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
fail2ban-firewalld-0.9.6-3.el7.noarch
nethserver-fail2ban-0.1.7-1.ns7.sdl.noarch
fail2ban-0.9.6-3.el7.noarch

[root@NS7DEV6 ~]# whereis fail2ban-regex
fail2ban-regex: /usr/bin/fail2ban-regex /usr/share/man/man1/fail2ban-regex.1.gz
```

[quote="stephdl, post:14, topic:5997"]
rpm -qa fail2ban
[/quote]

```
[root@localhost ~]# rpm -qa fail2ban
fail2ban-0.9.6-3.el7.noarch
```

[quote="stephdl, post:14, topic:5997"]
whereis fail2ban-regex
[/quote]

```
[root@localhost ~]# whereis fail2ban-regex
fail2ban-regex:
[root@localhost ~]#
```

No more output…! :frowning:

you miss a lot of rpm :-?

what is the output of

```
rpm -qa |grep -i fail2ban
```

do it on ns6 and ns7 please

on NS7:

```
[root@localhost src]# rpm -qa grep -i fail2ban
Name        : fail2ban
Version     : 0.9.6
Release     : 3.el7
Architecture: noarch
Install Date: Sat 04 Mar 2017 02:19:26 AM CET
Group       : Unspecified
Size        : 0
License     : GPLv2+
Signature   : RSA/SHA256, Thu 16 Feb 2017 11:25:42 AM CET, Key ID 6a2faea2352c64e5
Source RPM  : fail2ban-0.9.6-3.el7.src.rpm
Build Date  : Wed 15 Feb 2017 07:38:33 PM CET
Build Host  : buildvm-03.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://fail2ban.sourceforge.net/
Summary     : Daemon to ban hosts that cause multiple authentication errors
Description :
Fail2Ban scans log files and bans IP addresses that makes too many password
failures. It updates firewall rules to reject the IP address. These rules can
be defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.

Fail2Ban is able to reduce the rate of incorrect authentications attempts
however it cannot eliminate the risk that weak authentication presents.
Configure services to use only two factor or public/private authentication
mechanisms if you really want to protect services.

This is a meta-package that will install the default configuration.
```

Followed by the description of grep…

on NS6 it gives me approximately the same output…
I can’t copy it out of the virtual box and cannot access the virtual box via putty (which is no problem for NS7) due to the network misconfiguration mentioned earlier… however it is rather the same output (even shorter).

no additional rpm are shown…

sorry

you forgot the ‘|’

please output

```
rpm -qa |grep -i fail2ban
```

should I reinstall fail2ban?

please answer my question first. I recall something similar with transmission, the issues ended when I wrote all dependencies in the spec. Strange