From 5b4bc2aafda544dcd606dc68c1706247be6992f0 Mon Sep 17 00:00:00 2001
From: Pavel Mihadyuk
Date: Tue, 22 Aug 2017 18:19:55 +0300
Subject: [PATCH 1/4] Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713

---
 ChangeLog | 1 +
 config/filter.d/phpmyadmin-syslog.conf | 17 +++++++++++++++++
 .../tests/files/logs/phpmyadmin-syslog.conf | 2 ++
 3 files changed, 20 insertions(+)
 create mode 100644 config/filter.d/phpmyadmin-syslog.conf
 create mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog.conf

diff --git a/ChangeLog b/ChangeLog
index 5aa24b51..4b1e5e61 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,7 @@ releases.
 ### Enhancements
 * action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
 * filter.d/kerio.conf - filter extended with new rules (see gh-1455)
+* filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
 
 
 ver. 0.9.7 (2017/05/11) - awaiting-victory
diff --git a/config/filter.d/phpmyadmin-syslog.conf b/config/filter.d/phpmyadmin-syslog.conf
new file mode 100644
index 00000000..79eac71a
--- /dev/null
+++ b/config/filter.d/phpmyadmin-syslog.conf
@@ -0,0 +1,17 @@
+# Fail2Ban fitler for the phpMyAdmin-syslog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = phpMyAdmin
+
+failregex = ^%(__prefix_line)suser denied: .* \(mysql-denied\) from \s*$
+
+ignoreregex =
+
+
+# Author: Pavel Mihadyuk
diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf
new file mode 100644
index 00000000..eef6e3b2
--- /dev/null
+++ b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" }
+Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201

From 41994fcb5609bc36ea5f137b65d5e797ea27cefc Mon Sep 17 00:00:00 2001
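Review bot: The header comment on the first added line of config/filter.d/phpmyadmin-syslog.conf misspells "filter" and does not say which phpMyAdmin versions emit this syslog line, although the patch subject states >= 4.7.0; suggest `# Fail2Ban filter for phpMyAdmin (>= 4.7.0) logging authentication failures to syslog`. As rendered here the failregex reads `from \s*$` with nothing between `from` and `\s*$`; if the `<HOST>` tag was lost only in this rendering, disregard, otherwise the expression captures no host and Fail2Ban will refuse to load the filter. The fixture in the next hunk and the jail in PATCH 3/4 both expect an address to be extracted, so the tag is presumably present in the real file.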
From: Pavel Mihadyuk
Date: Tue, 22 Aug 2017 18:46:33 +0300
Subject: [PATCH 2/4] Added filter for phpMyAdmin+syslog (>=4.7.0)

---
 fail2ban/tests/files/logs/phpmyadmin-syslog | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog

diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog b/fail2ban/tests/files/logs/phpmyadmin-syslog
new file mode 100644
index 00000000..eef6e3b2
--- /dev/null
+++ b/fail2ban/tests/files/logs/phpmyadmin-syslog
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" }
+Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201

From d09304b897e4499fbf8095344e9818a71a2ba6fd Mon Sep 17 00:00:00 2001
From: Pavel Mihadyuk
Date: Tue, 22 Aug 2017 19:00:48 +0300
Subject: [PATCH 3/4] phpmyadmin-syslog: added default jail config

---
 config/jail.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 9296b6af..cf652fe2 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -860,3 +860,9 @@ logpath = /var/log/slapd.log
 port = smtp,ssmtp
 filter = domino-smtp
 logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+port = http,https
+filter = phpmyadmin-syslog
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s

From 4c1abe1cbf08005f20aae01eea735feeed251a8e Mon Sep 17 00:00:00 2001
From: Pavel Mihadyuk
Date: Wed, 23 Aug 2017 16:55:16 +0300
Subject: [PATCH 4/4] phpmyadmin-syslog: removed excess file, fixed test, updated failregex

---
 config/filter.d/phpmyadmin-syslog.conf | 3 ++-
 fail2ban/tests/files/logs/phpmyadmin-syslog | 4 ++--
 fail2ban/tests/files/logs/phpmyadmin-syslog.conf | 2 --
 3 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog.conf

diff --git a/config/filter.d/phpmyadmin-syslog.conf b/config/filter.d/phpmyadmin-syslog.conf
index 79eac71a..5b0862bb 100644
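Review bot: The new `[phpmyadmin-syslog]` section added to config/jail.conf in PATCH 3/4 carries no comment on its prerequisites, yet the log line its filter matches only exists when phpMyAdmin (>= 4.7.0, per the PATCH 1/4 subject) is configured to send its authentication logging to syslog; an operator enabling the jail against a default phpMyAdmin install would otherwise never see a match. Suggest a comment directly above the section header: `# phpMyAdmin >= 4.7.0 with authentication logging directed to syslog`. The `logpath`/`backend` pairing with `%(syslog_authpriv)s` and `%(syslog_backend)s` reads as intended for a syslog-fed jail.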
--- a/config/filter.d/phpmyadmin-syslog.conf
+++ b/config/filter.d/phpmyadmin-syslog.conf
@@ -9,9 +9,10 @@ before = common.conf
 
 _daemon = phpMyAdmin
 
-failregex = ^%(__prefix_line)suser denied: .* \(mysql-denied\) from \s*$
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from \s*$
 
 ignoreregex =
 
 
 # Author: Pavel Mihadyuk
+# Regex fixes: Serg G. Brester
diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog b/fail2ban/tests/files/logs/phpmyadmin-syslog
index eef6e3b2..f32a2476 100644
--- a/fail2ban/tests/files/logs/phpmyadmin-syslog
+++ b/fail2ban/tests/files/logs/phpmyadmin-syslog
@@ -1,2 +1,2 @@
-# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" }
-Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201
+# failJSON: { "time": "2004-08-22T14:50:22", "match": true , "host": "192.0.2.1" }
+Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 192.0.2.1
diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf
deleted file mode 100644
index eef6e3b2..00000000
--- a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" }
-Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201
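Review bot: The rewritten `+failregex` line in config/filter.d/phpmyadmin-syslog.conf changes the user field from `.*` to `(?:\S+|.*?)` but leaves no explanation, and the trailing `# Regex fixes:` credit does not say what was fixed. The user name in this log line is whatever the client typed, so the rationale worth recording is that the field is matched non-greedily and the line stays end-anchored with `\s*$`, which keeps a user name that happens to contain the ` (mysql-denied) from ` separator from moving which address is captured. Suggest a comment above the line: `# user name is client-supplied: match it non-greedily and keep the line end-anchored so the address is always the last field`. This is documentation only; the expression matches the fixture line in fail2ban/tests/files/logs/phpmyadmin-syslog as updated in the next hunk.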