HOWTO apache myadmin filter

From Fail2ban
Jump to: navigation, search

I don't use PHP MyAdmin but I'm tired of the fools looking for it cluttering up my log files so I wrote a filter to trap them and ban them for a period of time. Most of the traffic I see comes from DHCP blocks issued to various ISP's so I don't want to ban them forever.

First off, you'll want to configure the ignoreip directive in the jail.conf.

If you have an ISP that does dynamic IP addressing you will need to follow these steps so that you do not ban yourself!

You can locate your own external IP using http://www.whatismyip.com/.

That that IP and plug it in here - http://tools.whois.net/whoisbyip/ which will tell you what range of IPs you fall into.

That that range of IP's and plug it into the CIDR calculator to get the CIDR notation to plug into the config file.

The top row of output that says "Network = 111.111.111.111/20" is the part you want. Copy that IP address with the "/" and what ever number is after it.

Open jail.conf in your favorite editor and find the line that says "ignoreip = 127.0.0.1" in the [DEFAULT] section and make it look like this

"ignoreip = 111.111.111.111/20 127.0.0.1"

Now scroll down to apache part of the file and we're going to add a new jail

[apache-myadmin]
enabled = true
filter   = apache-myadmin
port = http,https
logpath = /var/log/apache2/error.log
action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
maxretry = 2
bantime = 84600

Save your file.

Now go into the filter.d directory and we're going to create the new filter

Open apache-myadmin.conf in your favorite editor.

Paste this in

[Definition]
failregex = [[]client <HOST>[]] File does not exist: /\S*phpmyadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*PMA*
            [[]client <HOST>[]] File does not exist: /\S*pma*
            [[]client <HOST>[]] File does not exist: /\S*admin*
            [[]client <HOST>[]] File does not exist: /\S*dbadmin*
            [[]client <HOST>[]] File does not exist: /\S*sql*
            [[]client <HOST>[]] File does not exist: /\S*mysql*
            [[]client <HOST>[]] File does not exist: /\S*myadmin*
            [[]client <HOST>[]] File does not exist: /\S*MyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmyadmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin-2*
            [[]client <HOST>[]] File does not exist: /\S*php-my-admin*
            [[]client <HOST>[]] File does not exist: /\S*sqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*mysqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*PMA2005*
            [[]client <HOST>[]] File does not exist: /\S*pma2005*
            [[]client <HOST>[]] File does not exist: /\S*phpmanager*
            [[]client <HOST>[]] File does not exist: /\S*php-myadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmy-admin*
            [[]client <HOST>[]] File does not exist: /\S*webadmin*
            [[]client <HOST>[]] File does not exist: /\S*sqlweb*
            [[]client <HOST>[]] File does not exist: /\S*websql*
            [[]client <HOST>[]] File does not exist: /\S*webdb*
            [[]client <HOST>[]] File does not exist: /\S*mysqladmin*
            [[]client <HOST>[]] File does not exist: /\S*mysql-admin*

ignoreregex =

Save the file and restart or reload fail2ban.

I'm not 100% on python regex but this seems to work in my servers. If there's py-regex guru around, feel free to make corrections.

---

Reply from Jonathon W. Donaldson on 2012/4/21

Hello,

There are some minor issues with your regular expressions and I thought I would help you out.

1) "[[]client <HOST>[]]" - There are a couple problems here. First, I'm not sure what the two sets of "[]" are for. So I just removed them. Second, square brackets are special characters so you need to escape them with a "\".

2) The asterisk "*" is not a wildcard as you appear to be using it. It is actually a replication operator. The asterisk tells the regex parser to match on "0 or more occurrences" of the character directly preceding it. So when you have "admin*" you are telling the regex parser to "look for 0 or more occurrences of the letter 'n'". What you really want is ".*". The '.' represents "any character/number (_except_ for a new line character)". So you are telling the regex parser to match 0 or more occurrences of any number/character following "admin".

3) I'm not sure what the "\S" means, but "\s" represents a whitespace character. Is that what you were trying to match on? I don't know if upper/lower case makes a difference for that.

I changed your above regular expressions to the following and added some of my own so that they would not only match entries in the error.log file but also in the access.log file.

failregex = \[client <HOST>\] File does not exist:.*(?i)admin.*
            \[client <HOST>\] File does not exist:.*(?i)manager.*
            \[client <HOST>\] File does not exist:.*(?i)setup.*
            \[client <HOST>\] File does not exist:.*(?i)mysql.*
            \[client <HOST>\] File does not exist:.*(?i)sqlweb.*
            \[client <HOST>\] File does not exist:.*(?i)webdb.*
            \[client <HOST>\] File does not exist:.*(?i)pma.*
            \[client <HOST>\] File does not exist:.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)admin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*

There is a way to combine the related "GET" and "File does not exist..." regular expressions into one line but I thought this would be clearer for you.

Note that the "(?i)" is treated as a single unit and it tells the regex parser to treat everything that comes after it as case-insensitive.

The "^" represents "the beginning of the line".

Just FYI, I have tested the above in Fail2Ban v0.8.2 and they work well.

I hope this helps you out!

Jonathon

Personal tools