Custom fail2ban filter for phpMyAdmin brute-force attempts

While trying to block failed phpMyAdmin logins with fail2ban, I created a script that logs the failed attempts to a file: /var/log/phpmyadmin_auth.log


Custom log

The format of the /var/log/phpmyadmin_auth.log file is:

    phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
    phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

Custom filter

    [Definition]
    # Count all bans in the logfile
    failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

phpMyAdmin jail

    [phpmyadmin]
    enabled  = true
    port     = http,https
    filter   = phpmyadmin
    action   = sendmail-whois[name=HTTP]
    logpath  = /var/log/phpmyadmin_auth.log
    maxretry = 6

The fail2ban log contains:

    2012-10-04 10:52:22,756 fail2ban.server : INFO Stopping all jails
    2012-10-04 10:52:23,091 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
    2012-10-04 10:52:23,866 fail2ban.jail : INFO Jail 'fail2ban' stopped
    2012-10-04 10:52:23,994 fail2ban.jail : INFO Jail 'ssh' stopped
    2012-10-04 10:52:23,994 fail2ban.server : INFO Exiting Fail2ban
    2012-10-04 10:52:24,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2012-10-04 10:52:24,253 fail2ban.jail : INFO Creating new jail 'ssh'
    2012-10-04 10:52:24,253 fail2ban.jail : INFO Jail 'ssh' uses poller
    2012-10-04 10:52:24,260 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-04 10:52:24,260 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-04 10:52:24,261 fail2ban.filter : INFO Set findtime = 600
    2012-10-04 10:52:24,261 fail2ban.actions: INFO Set banTime = 600
    2012-10-04 10:52:24,279 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
    2012-10-04 10:52:24,279 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
    2012-10-04 10:52:24,279 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-04 10:52:24,280 fail2ban.filter : INFO Set maxRetry = 5
    2012-10-04 10:52:24,280 fail2ban.filter : INFO Set findtime = 600
    2012-10-04 10:52:24,280 fail2ban.actions: INFO Set banTime = 600
    2012-10-04 10:52:24,287 fail2ban.jail : INFO Creating new jail 'fail2ban'
    2012-10-04 10:52:24,287 fail2ban.jail : INFO Jail 'fail2ban' uses poller
    2012-10-04 10:52:24,287 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
    2012-10-04 10:52:24,287 fail2ban.filter : INFO Set maxRetry = 3
    2012-10-04 10:52:24,288 fail2ban.filter : INFO Set findtime = 604800
    2012-10-04 10:52:24,288 fail2ban.actions: INFO Set banTime = 604800
    2012-10-04 10:52:24,292 fail2ban.jail : INFO Jail 'ssh' started
    2012-10-04 10:52:24,293 fail2ban.jail : INFO Jail 'ssh-iptables' started
    2012-10-04 10:52:24,297 fail2ban.jail : INFO Jail 'fail2ban' started

When I issue:

    sudo service fail2ban restart

fail2ban emails me to say that ssh has restarted, but I get no email about my phpmyadmin jail. Repeated failed logins to phpMyAdmin do not result in an email being sent.

Have I missed some critical setting? Is my filter's regular expression wrong?


Update: added the changes from the default install

Starting from a clean fail2ban install:

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Changed the email address to my own; action:

    action = %(action_mwl)s

Added the following to jail.local

    [phpmyadmin]
    enabled  = true
    port     = http,https
    filter   = phpmyadmin
    action   = sendmail-whois[name=HTTP]
    logpath  = /var/log/phpmyadmin_auth.log
    maxretry = 4

Added the following to /etc/fail2ban/filter.d/phpmyadmin.conf

    # phpmyadmin configuration file
    #
    # Author: Michael Robinson
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    # Count all bans in the logfile
    failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    # Ignore our own bans, to keep our counts exact.
    # In your config, name your jail 'fail2ban', or change this line!
    ignoreregex =

Restarted fail2ban

    sudo service fail2ban restart

PS: I like eggs

That's fine, but why not use Apache's ability to log the failed logins?

Add these lines to the Apache config in the relevant VirtualHost section (i.e. /etc/apache2/conf.d/phpmyadmin.conf):

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
    CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Then create the fail2ban filter:

/etc/fail2ban/filter.d/phpmyadmin.conf

    [Definition]
    denied = mysql-denied|allow-denied|root-denied|empty-denied
    failregex = ^<HOST> -.*(?:%(denied)s)$
    ignoreregex =

Now add the jail to /etc/fail2ban/jail.local

    [phpmyadmin]
    enabled = true
    port    = http,https
    filter  = phpmyadmin
    logpath = /var/log/apache2/phpmyadmin_access.log

Restart apache and fail2ban:

    service apache2 reload
    service fail2ban reload

You're done, no PHP scripts etc. needed.

  1. You should change your script to include a timestamp in the log file. Without this, fail2ban will not work.

  2. Validate your regular expression first with fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf.

  3. I could successfully start fail2ban with the original configuration (before jail.local)

     Oct 7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch
     Oct 7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
     Oct 7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
     Oct 7 01:01:03 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
     Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 2
     Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
     Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'ssh-iptables'
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
     Oct 7 01:01:03 hostname fail2ban.filter : INFO Added logfile = /var/log/secure
     Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 5
     Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
     Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' started
     Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' started
     Oct 7 01:10:54 hostname fail2ban.jail : INFO Jail 'phpmyadmin' stopped
     Oct 7 01:10:55 hostname fail2ban.jail : INFO Jail 'ssh-iptables' stopped
     Oct 7 01:10:55 hostname fail2ban.server : INFO Exiting Fail2ban
     Oct 7 01:10:56 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
     Oct 7 01:10:56 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
     Oct 7 01:10:56 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
     Oct 7 01:10:56 hostname fail2ban.filter : INFO Added logfile = /var/log/phpmyadmin_auth.log

  4. Once the correct regular expression is in place, you can use audit to see whether your file is being accessed by fail2ban.

I used auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban
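Added example (not part of the question or either answer, and not fail2ban's own code): a small Python model of what fail2ban-regex and a jail do with a filter, run offline over constructed log lines. It expands the `<HOST>` alias quoted in the filter comment above, applies the question's failregex to the custom log both as posted (no timestamp) and with a timestamp prepended, and applies the Apache-based failregex from the first answer to constructed pma_combined lines. Assumptions: the sample lines are made up, `ok` as the `%{userStatus}n` value for a successful login is assumed, and the sliding findtime/maxretry counting is a simplification of the daemon's behaviour, not a copy of it. The point it shows is the one the last answer makes: a line that matches but carries no recognisable date never contributes to a ban.

```python
import re
from datetime import datetime, timedelta

# fail2ban's documented alias for the <HOST> tag (quoted in the filter above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two date layouts, searched anywhere in the line: the ISO-style stamp the
# custom script should prepend, and Apache's %t field.
DATE_PATTERNS = [
    (re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]"),
     "%d/%b/%Y:%H:%M:%S"),
]


def compile_failregex(failregex, variables=None):
    """Expand %(name)s filter variables and the <HOST> tag, then compile."""
    if variables:
        failregex = failregex % variables
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def find_date(line):
    """Return the first recognised timestamp in the line, or None."""
    for pattern, layout in DATE_PATTERNS:
        m = pattern.search(line)
        if m:
            return datetime.strptime(m.group(1), layout)
    return None


def scan(lines, regex, maxretry, findtime=600):
    """Simplified jail logic (assumption, not fail2ban's code): count failregex
    hits per host inside a sliding findtime window and report hosts that reach
    maxretry. Matching lines with no usable date are returned separately; they
    can never be placed in the window, so they never count towards a ban."""
    hits, banned, undated = {}, [], []
    for line in lines:
        m = regex.search(line)
        if not m:
            continue
        when = find_date(line)
        if when is None:
            undated.append(line)
            continue
        host = m.group("host")
        recent = [t for t in hits.get(host, []) if when - t <= timedelta(seconds=findtime)]
        recent.append(when)
        hits[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned, undated


# --- Constructed sample input (made up for this example) ---------------------
CUSTOM_FAILREGEX = r"phpMyadmin login failed with username: .*; ip: <HOST>;"
CUSTOM_LINES_NO_DATE = [  # the format exactly as the question's script writes it
    "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php",
    "phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php",
]
CUSTOM_LINES_DATED = [  # the same script after prepending a timestamp
    "2012-10-04 10:52:20 " + CUSTOM_LINES_NO_DATE[0],
    "2012-10-04 10:52:25 " + CUSTOM_LINES_NO_DATE[1],
    "2012-10-04 10:52:31 phpMyadmin login failed with username: admin; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php",
    "2012-10-04 10:52:40 phpMyadmin login failed with username: root; ip: 10.0.0.7; url: http://somedomain.com/phpmyadmin/index.php",
]

# The Apache-based filter from the first answer; %(denied)s is a filter variable.
APACHE_VARIABLES = {"denied": "mysql-denied|allow-denied|root-denied|empty-denied"}
APACHE_FAILREGEX = r"^<HOST> -.*(?:%(denied)s)$"
APACHE_LINES = [  # pma_combined lines; "ok" as the success status is an assumption
    '192.168.1.50 - - [04/Oct/2012:10:52:20 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" root mysql-denied',
    '192.168.1.50 - - [04/Oct/2012:10:52:25 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" - empty-denied',
    '10.0.0.7 - - [04/Oct/2012:10:52:28 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" pma ok',
    '192.168.1.50 - - [04/Oct/2012:10:52:31 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" root root-denied',
]


def check_custom_log_as_posted():
    """The question's filter against its own undated lines: matches, but no ban."""
    return scan(CUSTOM_LINES_NO_DATE, compile_failregex(CUSTOM_FAILREGEX), maxretry=2)


def check_custom_log_with_dates():
    """Same filter once the script writes a timestamp: three hits, one ban."""
    return scan(CUSTOM_LINES_DATED, compile_failregex(CUSTOM_FAILREGEX), maxretry=3)


def check_apache_log():
    """The Apache-log filter; only lines ending in a denied status count."""
    return scan(APACHE_LINES, compile_failregex(APACHE_FAILREGEX, APACHE_VARIABLES), maxretry=3)


if __name__ == "__main__":
    print("custom log as posted:", check_custom_log_as_posted())
    print("custom log with dates:", check_custom_log_with_dates())
    print("apache log:", check_apache_log())
```

Run it and the first result lists both posted lines as matched-but-undated with no host banned, which is the symptom from the question; the other two runs ban 192.168.1.50 after its third failure within the window, while 10.0.0.7 is untouched.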