In my quest to block excessive failed phpMyAdmin login attempts with fail2ban, I wrote a script that logs the failed attempts to a file: /var/log/phpmyadmin_auth.log
Custom log
The /var/log/phpmyadmin_auth.log file has the following format:
phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php
phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php
Custom filter
[Definition]
# Match a failed phpMyAdmin login and capture the client IP in <Host>
failregex = phpMyadmin login failed with username: .*; ip: <Host>;
phpMyAdmin jail
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 6
The fail2ban log contains:
2012-10-04 10:52:22,756 fail2ban.server : INFO Stopping all jails
2012-10-04 10:52:23,091 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2012-10-04 10:52:23,866 fail2ban.jail : INFO Jail 'fail2ban' stopped
2012-10-04 10:52:23,994 fail2ban.jail : INFO Jail 'ssh' stopped
2012-10-04 10:52:23,994 fail2ban.server : INFO Exiting Fail2ban
2012-10-04 10:52:24,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-10-04 10:52:24,253 fail2ban.jail : INFO Creating new jail 'ssh'
2012-10-04 10:52:24,253 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-10-04 10:52:24,260 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,260 fail2ban.filter : INFO Set maxRetry = 6
2012-10-04 10:52:24,261 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,261 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,279 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2012-10-04 10:52:24,279 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2012-10-04 10:52:24,279 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set maxRetry = 5
2012-10-04 10:52:24,280 fail2ban.filter : INFO Set findtime = 600
2012-10-04 10:52:24,280 fail2ban.actions: INFO Set banTime = 600
2012-10-04 10:52:24,287 fail2ban.jail : INFO Creating new jail 'fail2ban'
2012-10-04 10:52:24,287 fail2ban.jail : INFO Jail 'fail2ban' uses poller
2012-10-04 10:52:24,287 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2012-10-04 10:52:24,287 fail2ban.filter : INFO Set maxRetry = 3
2012-10-04 10:52:24,288 fail2ban.filter : INFO Set findtime = 604800
2012-10-04 10:52:24,288 fail2ban.actions: INFO Set banTime = 604800
2012-10-04 10:52:24,292 fail2ban.jail : INFO Jail 'ssh' started
2012-10-04 10:52:24,293 fail2ban.jail : INFO Jail 'ssh-iptables' started
2012-10-04 10:52:24,297 fail2ban.jail : INFO Jail 'fail2ban' started
When I issue:
sudo service fail2ban restart
I get an email from fail2ban saying that ssh has restarted, but no email about the phpmyadmin jail. Repeatedly failing to log in to phpMyAdmin does not send an email either.
Did I miss an important setting? Is my filter regex wrong?
Starting with a clean fail2ban install:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Change the email address to mine, and the action to:
action = %(action_mwl)s
Add the following to jail.local:
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
action = sendmail-whois[name=HTTP]
logpath = /var/log/phpmyadmin_auth.log
maxretry = 4
Add the following to /etc/fail2ban/filter.d/phpmyadmin.conf:
# phpmyadmin configuration file
#
# Author: Michael Robinson
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# Host must be matched by a group named "Host". The tag "<Host>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<Host>\S+)
# Values: TEXT
#
# Match a failed phpMyAdmin login and capture the client IP in <Host>
failregex = phpMyadmin login failed with username: .*; ip: <Host>;
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# Nothing to ignore here: this log only ever contains failed logins.
ignoreregex =
Restart fail2ban:
sudo service fail2ban restart
PS: I like eggs
That works, but why not use Apache's own ability to log the failed logins?
Add these lines to your Apache configuration (i.e. /etc/apache2/conf.d/phpmyadmin.conf), in the corresponding VirtualHost section:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
CustomLog /var/log/Apache2/phpmyadmin_access.log pma_combined
Then create the fail2ban filter, /etc/fail2ban/filter.d/phpmyadmin.conf:
[Definition]
# userStatus values phpMyAdmin writes to the Apache note when a login is refused
denied = mysql-denied|allow-denied|root-denied|empty-denied
failregex = ^<Host> -.*(?:%(denied)s)$
ignoreregex =
Then add the jail to /etc/fail2ban/jail.local:
[phpmyadmin]
enabled = true
port = http,https
filter = phpmyadmin
logpath = /var/log/apache2/phpmyadmin_access.log
Reload Apache and fail2ban:
service apache2 reload
service fail2ban reload
Now the PHP script is no longer needed.
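To see what the Apache-log filter above actually catches, here is an added Python example (not part of this answer, and not fail2ban's own code) that applies the same failregex, with fail2ban's `<Host>` alias and the `%(denied)s` substitution expanded by hand, to a few constructed pma_combined lines, and then counts hits per client the way a jail does with maxretry and findtime. The sample log, the simplified sliding-window count and the 600-second/3-retry defaults are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# The filter from the answer, as fail2ban's ConfigParser would expand it:
# %(denied)s is substituted from the same [Definition] section.
DENIED = "mysql-denied|allow-denied|root-denied|empty-denied"
FAILREGEX = "^<Host> -.*(?:%(denied)s)$" % {"denied": DENIED}

# <Host> is an alias for this named group (see the filter.d comments earlier in the thread).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
PATTERN = re.compile(FAILREGEX.replace("<Host>", HOST_TAG))

# Apache's %t field in the pma_combined format, e.g. [04/Oct/2012:10:52:22 +0200]
APACHE_TIME = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample of /var/log/apache2/phpmyadmin_access.log in pma_combined
# format; the trailing two fields are %{userID}n and %{userStatus}n.
SAMPLE_LOG = """\
192.168.1.50 - - [04/Oct/2012:10:52:22 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0" root mysql-denied
192.168.1.48 - - [04/Oct/2012:10:52:40 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" root ok
192.168.1.48 - - [04/Oct/2012:10:52:41 +0200] "GET /phpmyadmin/themes/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0" - -
192.168.1.50 - - [04/Oct/2012:10:53:01 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0" - empty-denied
10.0.0.7 - - [04/Oct/2012:10:55:00 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 2214 "-" "curl/7.26.0" admin mysql-denied
192.168.1.50 - - [04/Oct/2012:10:58:13 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0" root allow-denied
10.0.0.7 - - [04/Oct/2012:11:20:00 +0200] "POST /phpmyadmin/index.php HTTP/1.1" 200 2214 "-" "curl/7.26.0" admin root-denied
"""


def match_line(line):
    """Return (host, timestamp) for a refused phpMyAdmin login, or None.

    A successful login ("ok") or a request that sets no userStatus ("-")
    does not match the failregex, so it is never counted."""
    m = PATTERN.search(line)
    if not m:
        return None
    t = APACHE_TIME.search(line)
    if not t:
        return None  # no parseable time: fail2ban cannot place it in the findtime window
    ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Decide bans the way a jail does: a host is banned once it has maxretry
    matching lines within findtime seconds.  Simplified sliding window
    (assumption); returns the banned hosts in the order they crossed the limit."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        print(match_line(line), "<-", line.split('"')[0].strip())
    print("banned with jail.conf defaults (maxretry=3, findtime=600):", hosts_to_ban(lines))
```

With the jail.conf defaults only 192.168.1.50 is banned: its three refusals fall within ten minutes, the "ok" login and the static-asset request (userStatus "-") never match, and 10.0.0.7's two failures are 25 minutes apart, so they never accumulate inside one findtime window.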
You need to modify your script to include a timestamp in the log file; without it, fail2ban will not work.
Use fail2ban-regex /var/log/phpmyadmin_auth.log /etc/fail2ban/filter.d/phpmyadmin.conf to verify the regex first.
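As an added example (not from the question or this answer, and not fail2ban's own code), the following Python mimics what fail2ban-regex reports for the question's filter: it expands the `<Host>` alias, runs the failregex over the two original log lines and over the same events as a script that prefixes a timestamp would write them, and records for each line whether the client IP was captured and whether a timestamp could be parsed. The `YYYY-MM-DD HH:MM:SS` prefix and the extra non-failure line are assumptions for illustration.

```python
import re
from datetime import datetime

# Filter from the question.  fail2ban's <Host> tag is an alias for the group below
# (quoted from the filter.d comments earlier in this thread).
FAILREGEX = r"phpMyadmin login failed with username: .*; ip: <Host>;"
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
PATTERN = re.compile(FAILREGEX.replace("<Host>", HOST_TAG))

# Assumption: the fixed script prefixes each line with "YYYY-MM-DD HH:MM:SS".
DATE_RX = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# The two lines from the question (no timestamp), used as constructed sample input.
ORIGINAL_LOG = [
    "phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php",
    "phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php",
]

# The same events as the modified script would write them, plus one line that is
# not a failure and must not match.  Constructed sample input.
FIXED_LOG = [
    "2012-10-04 10:52:22 phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php",
    "2012-10-04 10:52:31 phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php",
    "2012-10-04 10:53:02 phpMyadmin login ok with username: root; ip: 192.168.1.48",
]


def find_date(line):
    """Return the line's timestamp as a datetime, or None if none is present."""
    m = DATE_RX.search(line)
    return datetime.strptime(m.group(0), DATE_FMT) if m else None


def check_line(line):
    """Classify one line roughly the way fail2ban-regex reports it:
    'missed' (failregex did not match), 'matched-no-date' (host captured but no
    usable timestamp) or 'matched' (host and timestamp both found).
    Returns (status, host, datetime)."""
    m = PATTERN.search(line)
    if not m:
        return ("missed", None, None)
    date = find_date(line)
    if date is None:
        return ("matched-no-date", m.group("host"), None)
    return ("matched", m.group("host"), date)


def summarize(lines):
    """Count lines per status, like the totals fail2ban-regex prints."""
    counts = {"matched": 0, "matched-no-date": 0, "missed": 0}
    for line in lines:
        counts[check_line(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for name, log in (("original log", ORIGINAL_LOG), ("log with timestamps", FIXED_LOG)):
        print(name, summarize(log))
        for line in log:
            print("   ", check_line(line)[:2])
```

The regex itself is fine: both original lines yield host 192.168.1.50, including the one with an empty username, because `.*` happily matches nothing before `; ip:`. What the original lines lack is anything the date detector can use, which is the point of this answer; the real check to run is the fail2ban-regex command given above, against your actual log file.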
I was able to start fail2ban fine with your original configuration (before the jail.local changes):
Oct 7 00:42:07 hostname yum: Installed: python-inotify-0.9.1-1.el5.noarch
Oct 7 00:42:08 hostname yum: Installed: fail2ban-0.8.4-29.el5.noarch
Oct 7 00:42:10 hostname yum: Installed: phpMyAdmin-2.11.11.3-2.el5.noarch
Oct 7 01:01:03 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 2
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
Oct 7 01:01:03 hostname fail2ban.jail : INFO Creating new jail 'ssh-iptables'
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
Oct 7 01:01:03 hostname fail2ban.filter : INFO Added logfile = /var/log/secure
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set maxRetry = 5
Oct 7 01:01:03 hostname fail2ban.filter : INFO Set findtime = 600
Oct 7 01:01:03 hostname fail2ban.actions: INFO Set banTime = 600
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'phpmyadmin' started
Oct 7 01:01:03 hostname fail2ban.jail : INFO Jail 'ssh-iptables' started
Oct 7 01:10:54 hostname fail2ban.jail : INFO Jail 'phpmyadmin' stopped
Oct 7 01:10:55 hostname fail2ban.jail : INFO Jail 'ssh-iptables' stopped
Oct 7 01:10:55 hostname fail2ban.server : INFO Exiting Fail2ban
Oct 7 01:10:56 hostname fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.4
Oct 7 01:10:56 hostname fail2ban.jail : INFO Creating new jail 'phpmyadmin'
Oct 7 01:10:56 hostname fail2ban.jail : INFO Jail 'phpmyadmin' uses Gamin
Oct 7 01:10:56 hostname fail2ban.filter : INFO Added logfile = /var/log/phpmyadmin_auth.log
Once you have the correct regex, you can use audit to check whether the file is actually being accessed by fail2ban:
auditctl -w /var/log/phpmyadmin_auth.log -p warx -k phpmyadmin_fail2ban