
We've been using fail2ban to block failed ssh attempts. I would like to set up the same thing for phpMyAdmin as well.

As phpMyAdmin doesn't log authentication attempts to a file (that I know of), I'm unsure of how best to go about this.

Does a plugin / config exist that makes phpMyAdmin log authentication attempts to a file? Or is there some other place I should look for such an activity log?

Ideally I will be able to find a solution that involves modifying fail2ban config only, as I have to configure fail2ban with the same options on multiple servers, and would prefer not to also modify the various phpMyAdmin installations on said servers.

Michael Robinson

3 Answers


I think the best way (and in my opinion the least dangerous) to use phpMyAdmin is to not open phpMyAdmin directly on a public IP but to listen only on an internal IP or loopback, and make an SSH tunnel to connect to it using a local port on the machine you want to work with phpMyAdmin from. This way the sensitive authentication is controlled by SSH (and already blocked by fail2ban).

laurent
  • Thanks for the answer. I agree that your suggestion is likely the most secure, but I'm not in a position where I can implement this right now. I'm interested in finding out if there is a way for me to use `fail2ban` to block bad access attempts to `phpMyAdmin` without modifying `phpMyAdmin` too much. – Michael Robinson Oct 04 '12 at 02:22
  • Thanks for your answer! I have solved my problem in a different way. – Michael Robinson Oct 05 '12 at 00:43

We protect phpMyAdmin by adding Apache htaccess LDAP authentication (or file authentication) for the phpMyAdmin location. You have to type the password twice, but failed login attempts are recognized by fail2ban.

http://www.cyberciti.biz/faq/howto-setup-apache-password-protect-directory-with-htaccess-file/

Jure1873

I've used a combination of .htaccess and a simple PHP script to provide a solution I find acceptable:

.htaccess

```
php_value auto_prepend_file /path/to/fail2ban.php
```

fail2ban.php

  • Detects presence of `$_REQUEST['pma_{username|password}']`
  • Validates `pma_{username|password}` against the `mysql.user` table
  • Logs an error (format below) if the details are invalid

Log format

```
phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php
```

This solution is suitable for me as I can easily integrate it into the bash script I've put together to smooth configuration of fail2ban across our servers.

Thanks to all who provided possible solutions!

As a follow-up, I have opened a question about issues I've run into creating a custom fail2ban filter to watch & act on this new log file: Custom fail2ban Filter for phpMyadmin bruteforce attempts.

Michael Robinson
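The log format in the answer above can be checked offline before it is turned into a fail2ban filter. The following is an added example, not the poster's code: the regular expression, the function names and the sample timestamps are assumptions, and the lines are assumed to reach the filter exactly as shown (no extra prefix). It approximates fail2ban's `maxretry` / `findtime` counting over constructed sample lines.

```python
import re
from collections import defaultdict, deque

# Assumed pattern for the log format shown above. The username is supplied by
# the client, so the pattern is anchored at both ends and the greedy user group
# means the address is always read from the last "ip:" field on the line.
FAIL_RE = re.compile(
    r"^phpMyadmin login failed with username: (?P<user>.*); "
    r"ip: (?P<host>\d{1,3}(?:\.\d{1,3}){3}); url: (?P<url>\S+)$"
)

def parse(line):
    """Return (user, host) for a failure line, or None if it does not match."""
    m = FAIL_RE.match(line.strip())
    return (m.group("user"), m.group("host")) if m else None

def hosts_to_ban(events, maxretry=3, findtime=600):
    """events: iterable of (epoch_seconds, line) in time order.
    A host is flagged once it has maxretry failures within findtime seconds."""
    recent = defaultdict(deque)
    banned = []
    for ts, line in events:
        parsed = parse(line)
        if parsed is None:
            continue  # not a login-failure line
        _, host = parsed
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample input: timestamps are made up; the line text follows the
# two examples in the answer, including the empty-username case.
SAMPLE = [
    (1000, "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php"),
    (1010, "phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php"),
    (1015, "phpMyadmin login failed with username: admin; ip: 192.168.1.77; url: http://somedomain.com/phpmyadmin/index.php"),
    (1020, "phpMyadmin login failed with username: x; ip: 10.0.0.9; url: y; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php"),
    (5000, "phpMyadmin login failed with username: admin; ip: 192.168.1.77; url: http://somedomain.com/phpmyadmin/index.php"),
    (5001, "unrelated line"),
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```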