CentOS 上 PhpMyAdmin 的 Fail2Ban 问题

CentOS 上 PhpMyAdmin 的 Fail2Ban 问题

我是巴西人,我仍在努力适应英语。

我很难让 Fail2Ban 在 phpmyadmin 上运行。

我在用着CentOS 8.1.1911fail2ban 0.10.5-2。 我的PhpMyAdmin 是版本 4.9.0.1。

我注意到 PhpMyAdmin 在/var/log/secure文件中记录了登录失败。

他的输出如下:

Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10

因此,我像/etc/fail2ban/jail.conf这样配置:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/secure
maxretry = 3

而过滤器配置文件(/etc/fail2ban/filter.d/phpmyadmin.conf),表达式如下:

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

我认为我无法正确形成表达式,因为 Fail2Ban 根本没有阻止。

有人能帮我解决这件事吗?

答案1

我终于解决了这个问题。Fail2Ban 现在可以正常阻止了。

我决定将 PhpMyAdmin 更新到 5.0.1 版本。更新后,我编辑了以下文件:

/var/www/phpmyadmin/libraries/config.default.php

我把配置改成如下形式:

$ cfg ['AuthLog'] = 'auto'; ------> $ cfg ['AuthLog'] = 'php';

在我这样做之后,他开始以不同的方式在不同的文件中生成日志。

日志开始在“/var/log/php-fpm/www-error.log”文件中生成。

并且这样:

[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:14 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:08 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:09 UTC] user denied: root (mysql-denied) from 168.194.165.40

然后,我配置了“/etc/fail2ban/filter.d/phpmyadmin.conf”文件,如下所示:

[Definition]
denied = mysql-denied | allow-denied | root-denied | empty-denied
failregex = user denied:. + from <HOST> \ s * $
ignoreregex =

之后,我配置了“/etc/fail2ban/jail.conf”如下:

[phpmyadmin]
enabled = true
port = http, https
action = iptables-multiport [name = phpmyadmin, port = "http, https", protocol = tcp]
         # sendmail-whois [name = PHPMYADMIN, [email protected]]
logpath = /var/log/php-fpm/www-error.log
maxretry = 3

此后,只需重新启动 fail2ban,一切就都解决了。

查看日志,现在阻塞:

2020-02-15 14: 39: 42,005 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:41
2020-02-15 14: 39: 44,009 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:43
2020-02-15 14: 39: 46,013 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:45
2020-02-15 14: 39: 46,204 fail2ban.actions [25748]: NOTICE [phpmyadmin] Ban 168.194.165.40

相关内容