
I am Brazilian and I am still adapting to the English language.

I'm having a hard time getting Fail2Ban to work on phpmyadmin.

I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2. My PhpMyAdmin is version 4.9.0.1.

I noticed that PhpMyAdmin logs login failures in the /var/log/secure file.

And it has output like this:

Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10

So, I configured my /etc/fail2ban/jail.conf like this:

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         sendmail-whois[name=PHPMYADMIN, dest=suporte@syspack.net.br]
logpath = /var/log/secure
maxretry = 3

And in the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

I believe I am not able to correctly form the expression, as Fail2Ban is not blocking at all.

Could someone help me in this matter?

  • I believe that Fail2ban is launched by a systemd service named `fail2ban.service` in your system. If so, is there any relevant error messages displayed by `systemctl status fail2ban.service` or `journalctl --since -10m _SYSTEMD_UNIT=fail2ban.service`? Have you tried to [test the filter using `fail2ban-regex`](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters) or run `fail2ban` manually using `fail2ban-server -f`? – Anderson Medeiros Gomes Feb 15 '20 at 03:07
  • Dear friend, Fail2ban is running OK, with no errors in the logs. See this output: `[root@www ~]# fail2ban-client status` → `Status |- Number of jail: 8 `- Jail list: apache-auth, apache-badbots, apache-noscript, apache-overflows, drupal-auth, drupal-comment, phpmyadmin, vsftpd`. Everything is working properly, I'm just not able to block PhpMyAdmin login failures. Possibly because the regular expression in the /etc/fail2ban/filter.d/phpmyadmin.conf file is wrong. Is there anything I can do to put it on to protect PhpMyAdmin? – Henrique Fagundes Feb 15 '20 at 11:34

1 Answer

I finally managed to solve the problem. Fail2Ban is now blocking properly.

I decided to update PhpMyAdmin to version 5.0.1. After I did that, I edited the following file:

/var/www/phpmyadmin/libraries/config.default.php

I changed the configuration as follows:

$cfg['AuthLog'] = 'auto'; ------> $cfg['AuthLog'] = 'php';

After I did that, it started to generate the logs differently and in a different file.

The logs started to be generated in the "/var/log/php-fpm/www-error.log" file.

And in this way:

[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:18:14 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:08 UTC] user denied: root (mysql-denied) from 168.194.165.40
[15-Feb-2020 17:22:09 UTC] user denied: root (mysql-denied) from 168.194.165.40

Then, I configured the "/etc/fail2ban/filter.d/phpmyadmin.conf" file like this:

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied: .+ from <HOST>\s*$
ignoreregex =

After that, I configured "/etc/fail2ban/jail.conf" like this:

[phpmyadmin]
enabled = true
port = http,https
action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
         # sendmail-whois[name=PHPMYADMIN, dest=suporte@cnsocial.org.br]
logpath = /var/log/php-fpm/www-error.log
maxretry = 3

After that, I just restarted fail2ban and everything was resolved.

Look at the logs, now blocking:

2020-02-15 14:39:42,005 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:41
2020-02-15 14:39:44,009 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:43
2020-02-15 14:39:46,013 fail2ban.filter [25748]: INFO [phpmyadmin] Found 168.194.165.40 - 2020-02-15 14:39:45
2020-02-15 14:39:46,204 fail2ban.actions [25748]: NOTICE [phpmyadmin] Ban 168.194.165.40
  • Thanks for sharing your solution. The `fail2ban-client` command output you have posted in the comments section suggests that there was a problem with the regular expression and no permission problems caused by SELinux, for example. The `fail2ban-regex` command should have pointed to the root cause. – Anderson Medeiros Gomes Feb 15 '20 at 19:13
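As an added illustration, not code from the question, the answer, or fail2ban itself, the following Python script does what `fail2ban-regex` would have shown: it parses the two `[Definition]` sections exactly as written on this page (the questioner's original filter and the answer's fixed one), expands the `%(denied)s` reference and the `<HOST>` tag, and runs each failregex over constructed log lines shaped like the `/var/log/secure` and `www-error.log` samples above. Assumptions: `HOST_RE` is an IPv4-only stand-in for fail2ban's real `<HOST>` expansion (which also matches IPv6 and hostnames), the sample lines use RFC 5737 documentation addresses, fail2ban's timestamp handling is not modelled, and `findtime` is ignored so only `maxretry` decides a ban.

```python
import configparser
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag. Assumption: the real expansion also matches
# IPv6 addresses and hostnames; an IPv4 pattern is enough for these sample lines.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Filter from the question (matches nothing, as the asker observed).
ORIGINAL_FILTER = r"""
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =
"""

# Filter from the answer.
FIXED_FILTER = r"""
[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = user denied: .+ from <HOST>\s*$
ignoreregex =
"""

# Constructed sample lines in the shape of the /var/log/secure output (AuthLog=auto).
SECURE_LOG = [
    "Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 203.0.113.5",
    "Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 203.0.113.5",
    "Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: admin (allow-denied) from 203.0.113.5",
    "Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 203.0.113.99",
    "Feb 14 21:50:00 www sshd[4001]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2",
]

# Constructed sample lines in the shape of the php-fpm error log output (AuthLog=php).
PHP_FPM_LOG = [
    "[15-Feb-2020 17:18:11 UTC] user denied: root (mysql-denied) from 198.51.100.7",
    "[15-Feb-2020 17:18:13 UTC] user denied: root (mysql-denied) from 198.51.100.7",
    "[15-Feb-2020 17:18:14 UTC] user denied: root (empty-denied) from 198.51.100.7",
    "[15-Feb-2020 17:22:06 UTC] user denied: root (mysql-denied) from 198.51.100.7",
    "[15-Feb-2020 17:22:08 UTC] user denied: pma (root-denied) from 192.0.2.44",
    "[15-Feb-2020 17:23:00 UTC] PHP Warning:  unrelated message in /var/www/x.php on line 3",
]


def load_filter(text):
    """Parse a filter.d [Definition] section (simplified): configparser's default
    BasicInterpolation expands %(name)s references the same way fail2ban does,
    and the <HOST> tag is replaced by the host pattern."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    section = cp["Definition"]
    failregex = re.compile(section["failregex"].replace("<HOST>", HOST_RE))
    ignore = section.get("ignoreregex", "").strip()
    ignoreregex = re.compile(ignore) if ignore else None
    return failregex, ignoreregex


def count_failures(filter_text, lines):
    """Return {host: matching line count}, i.e. the 'Found <ip>' entries fail2ban.log
    would show. Assumption: the regex is searched over the raw line; fail2ban's
    own timestamp handling is not modelled (it does not change these results)."""
    failregex, ignoreregex = load_filter(filter_text)
    hits = Counter()
    for line in lines:
        if ignoreregex and ignoreregex.search(line):
            continue
        match = failregex.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(filter_text, lines, maxretry=3):
    """Hosts whose failure count reaches the jail's maxretry (findtime ignored)."""
    counts = count_failures(filter_text, lines)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, flt in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER)):
        for logname, lines in (("/var/log/secure", SECURE_LOG), ("www-error.log", PHP_FPM_LOG)):
            found = dict(count_failures(flt, lines))
            print(f"{name:8} filter on {logname:16}: found {found} -> ban {hosts_to_ban(flt, lines)}")
```

Running it shows the original failregex matching nothing in either log, because `^<HOST> -` requires the line to begin with the client address, which neither log format does. The answer's failregex matches the php-fpm lines and also the original `/var/log/secure` lines, so the regex was the actual defect, as the comment above says; the same check against the live log is `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/phpmyadmin.conf`. The `sshd` and `PHP Warning` lines are there to confirm the fixed pattern does not fire on unrelated entries.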