为了阻止过多的phpMyAdmin登录失败尝试fail2ban,我创建了一个脚本,将上述失败尝试记录到文件中:/var/log/phpmyadmin_auth.log
自定义日志
该文件的格式/var/log/phpmyadmin_auth.log为:
phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php
自定义过滤器
[Definition]
# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;
phpMyAdmin 监狱
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 6
日志fail2ban内容如下:
2012-10-04 10:52:22,756 fail2ban.server : INFO Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail : INFO Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail : INFO Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail : INFO Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail : INFO Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail : INFO Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail : INFO Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail : INFO Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail : INFO Jail 'fail2ban' started
当我发出:
sudo service fail2ban restart
fail2ban给我发邮件说ssh已重新启动,但我没有收到有关我的phpmyadminjail 的电子邮件。多次登录失败phpMyAdmin不会导致发送电子邮件。
我是否遗漏了一些关键设置?我的过滤器的正则表达式是否错误?
更新:添加了默认安装的更改
从全新fail2ban安装开始:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
将邮箱地址改为我自己的,操作为:
action = %(action_mwl)s
将以下内容附加到jail.local
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 4
将以下内容添加到/etc/fail2ban/filter.d/phpmyadmin.conf
# phpmyadmin configuration file
#
# Author: Michael Robinson
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =
重新开始fail2ban
sudo service fail2ban restart
附言:我喜欢鸡蛋
答案1
这很好,但是为什么不使用 apache 功能来记录失败的登录呢?
将这些行添加到您的 Apache 配置(即:/etc/apache2/conf.d/phpmyadmin.conf)中的相应 VirtualHost 部分:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined
然后创建 fail2ban 过滤器:
/etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =
现在将 jail 添加到 /etc/fail2ban/jail.local
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log
重新启动 apache 和 fail2ban:
service apache2 reload
service fail2ban reload
您已完成,不再需要 php 脚本等等。
答案2
你应该修改脚本,在日志文件中包含时间戳。否则,fail2ban 将无法工作
首先用来
fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf验证你的正则表达式。我可以使用您原来的配置(jail.local 之前)成功启动 fail2ban
Oct 7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch Oct 7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch Oct 7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch Oct 7 01:01:03 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4 Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin' Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 2 Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600 Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600 Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'ssh-iptables' Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin Oct 7 01:01:03 hostname fail2ban.filter : INFO Added logfile = /var/log/secure Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 5 Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600 Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600 Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' started Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' started Oct 7 01:10:54 hostname fail2ban.jail : INFO Jail 'phpmyadmin' stopped Oct 7 01:10:55 hostname fail2ban.jail : INFO Jail 'ssh-iptables' stopped Oct 7 01:10:55 hostname fail2ban.server : INFO Exiting Fail2ban Oct 7 01:10:56 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4 Oct 7 01:10:56 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin' Oct 7 01:10:56 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin Oct 7 01:10:56 hostname fail2ban.filter : INFO Added logfile = /var/log/phpmyadmin_auth.log一旦正确的正则表达式到位,您可以使用审核来查看您的文件是否被 fail2ban 访问。
我用了auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban