I'm Brazilian and I'm still getting used to English.
I'm having a hard time getting Fail2Ban to work with phpmyadmin.
I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. My PhpMyAdmin is version 4.9.0.1.
I noticed that PhpMyAdmin logs failed logins in the file /var/log/secure.
Its output looks like this:
Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
So I configured /etc/fail2ban/jail.conf like this:
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/secure
maxretry = 3
And the filter file (/etc/fail2ban/filter.d/phpmyadmin.conf) has this expression:
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =
I think I'm not forming the expression correctly, because Fail2Ban isn't blocking at all.
Can someone help me with this?
Answer 1
I finally solved the problem. Fail2Ban is now blocking properly.
I decided to update PhpMyAdmin to version 5.0.1. After the update, I edited the following file:
/var/www/phpmyadmin/libraries/config.default.php
I changed the setting as follows:
$cfg['AuthLog'] = 'auto'; ------> $cfg['AuthLog'] = 'php';
After I did that, it started generating the logs in a different way, in a different file.
The logs started being written to the file "/var/log/php-fpm/www-error.log".
And they look like this:
[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:14 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:08 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:09 UTC] user denied: root (mysql-denied) from 168.194.165.40
Then I configured the file "/etc/fail2ban/filter.d/phpmyadmin.conf" as follows:
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied:.+ from <HOST>\s*$
ignoreregex =
After that, I configured "/etc/fail2ban/jail.conf" as follows:
[phpmyadmin]
enabled = true
port = http,https
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
# sendmail-whois[name=PHPMYADMIN, [email protected]]
logpath = /var/log/php-fpm/www-error.log
maxretry = 3
After that, I just restarted fail2ban and everything was solved.
Looking at the log, it is now blocking:
2020-02-15 14:39:42,005 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:41
2020-02-15 14:39:44,009 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:43
2020-02-15 14:39:46,013 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:45
2020-02-15 14:39:46,204 fail2ban.actions [25748]: NOTICE [phpmyadmin] Ban 168.194.165.40
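To see why the filter in the question never matched while the one in the answer does, here is an added example (mine, not code from the question, the answer, or the fail2ban project): a small Python model of fail2ban's matching step that strips the timestamp, expands `%(name)s` variables and the `<HOST>` tag, runs both failregex patterns over constructed lines in the two log layouts shown on the page, and counts matches per host against `maxretry`. The `HOST_RE` pattern, the two `DATE_PREFIXES`, and the RFC 5737 sample addresses are my assumptions and simplifications; real fail2ban expands `<HOST>` to a broader pattern (IPv6 and hostnames too) and applies a `findtime` window that this model leaves out.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; real fail2ban
# expands <HOST> to a wider pattern that also covers IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# fail2ban removes the timestamp it recognises before applying failregex.
# These two prefixes are an assumed simplification of that step, covering the
# syslog layout of /var/log/secure and the php-fpm error-log layout.
DATE_PREFIXES = [
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ",              # Feb 14 21:40:37
    r"^\[\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2} \w+\] ",   # [15-Feb-2020 17:18:11 UTC]
]


def compile_failregex(failregex, variables=None):
    """Expand %(name)s variables and the <HOST> tag, then compile the pattern."""
    if variables:
        failregex = failregex % variables
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Drop a recognised timestamp prefix, as fail2ban does before matching."""
    for prefix in DATE_PREFIXES:
        stripped, n = re.subn(prefix, "", line, count=1)
        if n:
            return stripped
    return line


def matched_hosts(pattern, lines):
    """Return the host captured from every line the failregex matches."""
    hosts = []
    for line in lines:
        m = pattern.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def banned_hosts(hosts, maxretry=3):
    """Hosts that reached maxretry matches (findtime ignored in this model)."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)


# Constructed sample lines using RFC 5737 test addresses; the layouts mirror
# the two log formats shown in the question and the answer.
SECURE_LOG = [
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 192.0.2.10",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 192.0.2.10",
    "Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 192.0.2.10",
    "Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: admin (allow-denied) from 192.0.2.10",
]
FPM_LOG = [
    "[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 192.0.2.20",
    "[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 192.0.2.20",
    "[15-Feb-2020 17:18:14 UTC] user denied: root (mysql-denied) from 192.0.2.20",
    "[15-Feb-2020 17:22:06 UTC] user denied: root (empty-denied) from 192.0.2.30",
    "[15-Feb-2020 17:22:08 UTC] PHP Notice:  something unrelated from 192.0.2.30",
]

DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"

# The question's filter: anchors <HOST> at the start of the line, which is the
# Apache access-log layout, so it cannot match a syslog-style line where the
# address comes last.
QUESTION_RE = compile_failregex(r"^<HOST> -.*(?:%(denied)s)$", {"denied": DENIED})

# The answer's filter: <HOST> follows "from" at the end of the line.
ANSWER_RE = compile_failregex(r"user denied:.+ from <HOST>\s*$")


if __name__ == "__main__":
    for name, pattern in (("question", QUESTION_RE), ("answer", ANSWER_RE)):
        for log_name, log in (("secure", SECURE_LOG), ("php-fpm", FPM_LOG)):
            hits = matched_hosts(pattern, log)
            print(f"{name:8s} regex on {log_name:8s}: {len(hits)} hits, bans {banned_hosts(hits)}")
```

Running it shows the question's regex matching nothing in either layout and the answer's regex matching every "user denied" line, which is exactly the "Found ... / Ban ..." sequence in the fail2ban log above. On a real host the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/php-fpm/www-error.log /etc/fail2ban/filter.d/phpmyadmin.conf`, which reports how many lines matched and how many dates were recognised; a zero in either count is the first thing to look at when a jail never bans. Note also that the answer's failregex no longer references `%(denied)s`, so the `denied` variable in that filter is unused; it is harmless, but dropping it or anchoring the reason in the pattern again (for example `\((?:%(denied)s)\) from <HOST>\s*$`) keeps the filter from matching unrelated "user denied" messages.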