Filtro fail2ban personalizado para tentativas do phpMyadmin bruteforce

9

Na minha tentativa de bloquear tentativas excessivas de phpMyAdminlogin com falha fail2ban, criei um script que registra as tentativas com falha de um arquivo:/var/log/phpmyadmin_auth.log


Log personalizado

O formato do /var/log/phpmyadmin_auth.logarquivo é:

phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php

Filtro customizado

[Definition]

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

Cadeia phpMyAdmin

[phpmyadmin]

enabled  = true
port    = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 6

O fail2banlog contém:

2012-10-04 10:52:22,756 fail2ban.server : INFO   Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail   : INFO   Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail   : INFO   Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO   Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO   Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO   Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO   Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail   : INFO   Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO   Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO   Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO   Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail   : INFO   Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail   : INFO   Jail 'fail2ban' started

Quando emito:

sudo service fail2ban restart

fail2banme sshmanda um e-mail dizendo que foi reiniciado, mas não recebo esse e-mail sobre minha phpmyadminprisão. Logins com falha repetidos para phpMyAdminnão fazem com que um email seja enviado.

Perdi algumas configurações críticas? A expressão regular do meu filtro está errada?


Atualização: alterações adicionadas da instalação padrão

Começando com uma fail2baninstalação limpa :

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Alterar endereço de email para o meu, ação para:

action = %(action_mwl)s

Anexe o seguinte a jail.local

[phpmyadmin]

enabled  = true
port     = http,https
filter   = phpmyadmin
action   = sendmail-whois[name=HTTP]
logpath  = /var/log/phpmyadmin_auth.log
maxretry = 4

Adicione o seguinte a /etc/fail2ban/filter.d/phpmyadmin.conf

# phpmyadmin configuration file
#
# Author: Michael Robinson
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# Count all bans in the logfile
failregex = phpMyadmin login failed with username: .*; ip: <HOST>;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

# Ignore our own bans, to keep our counts exact.
# In your config, name your jail 'fail2ban', or change this line!
ignoreregex =

Reiniciar fail2ban

sudo service fail2ban restart

PS: eu gosto de ovos

Michael Robinson
fonte
1
Parece que não está pegando sua nova prisão na configuração. Especifique exatamente quais arquivos você alterou.
mgorven
@mgorven tenho atualizar a minha pergunta com uma visão abrangente do que eu mudei
Michael Robinson
Essas tentativas reais de logon na sua instância do phpmyadmin ou são simplesmente scanners procurando pelo phpmyadmin?
Scott Pacote
Eu acredito que eles são o último
Michael Robinson

Respostas:

8

Tudo bem, mas por que não usar a funcionalidade apache para registrar logins com falha?

Adicione essas linhas ao seu Apache Config (por exemplo: /etc/apache2/conf.d/phpmyadmin.conf) na seção VirtualHost correspondente:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/apache2/phpmyadmin_access.log pma_combined

Em seguida, crie o filtro fail2ban:

/etc/fail2ban/filter.d/phpmyadmin.conf

[Definition]
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<HOST> -.*(?:%(denied)s)$
ignoreregex =

Agora adicione a cadeia a /etc/fail2ban/jail.local

[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log

Reinicie o apache e fail2ban:

service  apache2 reload
service fail2ban reload

e pronto, não há necessidade de scripts php etc.

spacebiker
fonte
3
Por favor, não diretamente editar jail.conf, criar, em vez de uma cópiajail.local
NineCattoRules
Você está @Simone direita, eu modifiquei a minha resposta, graças
spacebiker
Estou tendo um problema com a solução. Por favor, veja: serverfault.com/questions/815396/…
2
  1. Você deve alterar seu script para incluir registro de data e hora nos arquivos de log. Sem isso, o fail2ban não funcionará

  2. use fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.confpara verificar seu regex primeiro.

  3. Eu poderia iniciar o fail2ban com sucesso usando sua configuração original (antes de jail.local)

    Oct  7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch 
    Oct  7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
    Oct  7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
    Oct  7 01:01:03 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 2
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
    Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Added logfile = /var/log/secure
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set maxRetry = 5
    Oct  7 01:01:03 hostname fail2ban.filter : INFO   Set findtime = 600
    Oct  7 01:01:03 hostname fail2ban.actions: INFO   Set banTime = 600
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' started
    Oct  7 01:01:03 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' started
    Oct  7 01:10:54 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' stopped
    Oct  7 01:10:55 hostname fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
    Oct  7 01:10:55 hostname fail2ban.server : INFO   Exiting Fail2ban
    Oct  7 01:10:56 hostname fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
    Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Creating new jail 'phpmyadmin'
    Oct  7 01:10:56 hostname fail2ban.jail   : INFO   Jail 'phpmyadmin' uses Gamin
    Oct  7 01:10:56 hostname fail2ban.filter : INFO   Added logfile = /var/log/phpmyadmin_auth.log
    
  4. Depois que o regex correto estiver em vigor, você poderá usar a auditoria para verificar se seu arquivo é acessado ou não pelo fail2ban.

eu usei auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban

Nehal Dattani
fonte
Estou tendo um problema com a solução, consulte: serverfault.com/questions/815396/…