# Fail2Ban filter for unsuccessful MySQL authentication attempts # # # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]: # log-error=/var/log/mysqld.log # log-warnings = 2 # # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = mysqld failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@''(?:\s+(?:to database '[^']*'|\(using password: (?:YES|NO)\)){1,2})?\s*$ ignoreregex = # DEV Notes: # # Technically __prefix_line can equate to an empty string hence it can support # syslog and non-syslog at once. # Example: # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) # # Authors: Artur Penttinen # Yaroslav O. Halchenko