jali

Reputation: 41

fail2ban to block 403 errors apache

I'm fighting with fail2ban to block brute force attacks on Joomla admin pages.

With an extension in Joomla I can block an IP so an error message will appear.

In the Apache log this gives the following log line:

domain.com:80 146.185.150.198 - - [16/Jun/2014:21:29:09 +0200] "GET /administrator/index.php HTTP/1.0" 403 358 "-" "-"

domain.com can be different since there are many domains on the servers.

I do have the following config in fail2ban

jail.local

[administrator]
enabled = true
port    = http,https
filter  = administrator
action   = iptables-multiport[name=ALL, port="http,https"]
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 3

filter.d/administrator.conf

[Definition]
failregex = [].<HOST> .*HTTP/[0-9.]+" 403
ignoreregex =

I also tried as failregex: ^<HOST> -.GET.*administrator.*.HTTP\/1.0".* 403 .*$

Neither is working.

Who has the right config to get this working?

Upvotes: 2

Views: 5236

Answers (3)

stAn

Reputation: 21

I wrote this plugin

http://www.rupostel.com/joomla/hacks/blocking-joomla-brute-force-login-attacks-with-fail2ban-on-ubuntu-server (requires php5.4+)

based on http://baxeico.wordpress.com/2014/03/31/joomla-brute-force-attacks-file2ban/

and added this to fail2ban config:

/etc/fail2ban/jail.local

[joomla-error]
enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/joomla.log
maxretry = 7
findtime = 6000
bantime  = 17200

/etc/fail2ban/filter.d/joomla-error.conf

[Definition]

# Option: failregex
# Notes.: matches something like:
# [Mon Mar 31 10:15:00 2014] [error] [client 212.109.14.203] user mywebsite authentication failure
# Values: TEXT
failregex = [[]client <HOST>[]] user .* authentication failure.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

/etc/rsyslog.d/10-joomla.conf

if $programname == 'joomla' then /var/log/joomla.log

The plugin sends the authentication error to syslog, which, even when the pool is inside a chroot, makes it possible to use the system-wide fail2ban with iptables.

Upvotes: 2

jali

Reputation: 41

Finally got it working, a bit different than expected:

My filter:

failregex = .* <HOST> - - .*(POST|GET) .*administrator/index.php HTTP.* 403 .*$

This is working great now, catching even more login attempts than expected.

Upvotes: 2

Daniel Ramos

Reputation: 166

You could try this:

failregex = ^.* <HOST> .*"(?:GET|POST|HEAD) .* 403 [0-9]{3}.*

Or you can play with it in the online regexp tester: http://regex101.com/r/jQ7wQ9/2

Upvotes: 0
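To see why the asker's `^<HOST>` attempt matched nothing while the two answers above do, here is an added harness (not from the question or either answer) that applies each failregex to constructed other_vhosts_access.log lines the way fail2ban does. It assumes fail2ban's usual expansion of the `<HOST>` tag and uses documentation IP ranges; the vhost prefix at the start of every line is what defeats the `^<HOST>` filter, and the last answer's filter also counts 403s outside /administrator.

```python
import re

# fail2ban expands the <HOST> tag to this named group before compiling a
# failregex (assumption: the expansion used by fail2ban 0.8/0.9, copied
# here so the filters can be tested without fail2ban installed).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filters from this thread: the asker's second attempt, jali's final
# working filter, and the broader one from Daniel Ramos's answer.
ASKER_RE = r'^<HOST> -.GET.*administrator.*.HTTP\/1.0".* 403 .*$'
JALI_RE = r".* <HOST> - - .*(POST|GET) .*administrator/index.php HTTP.* 403 .*$"
RAMOS_RE = r'^.* <HOST> .*"(?:GET|POST|HEAD) .* 403 [0-9]{3}.*'

def compile_failregex(failregex):
    """Mimic fail2ban: substitute <HOST>, then compile with Python's re."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def count_failures(log_lines, failregex):
    """Return {host: hits}, the per-IP tally fail2ban keeps within findtime."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in log_lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits

def would_ban(log_lines, failregex, maxretry=3):
    """Hosts whose hit count reaches maxretry (3 in the asker's jail.local)."""
    return sorted(h for h, n in count_failures(log_lines, failregex).items()
                  if n >= maxretry)

# Constructed log lines (documentation IPs, not real traffic): three admin
# 403s from one client; a successful login, one admin 403 and one unrelated
# 403 from a second client; ordinary traffic from a third.
SAMPLE_LOG = [
    'a.example:80 203.0.113.5 - - [16/Jun/2014:21:29:09 +0200] "GET /administrator/index.php HTTP/1.0" 403 358 "-" "-"',
    'a.example:80 203.0.113.5 - - [16/Jun/2014:21:29:12 +0200] "GET /administrator/index.php HTTP/1.0" 403 358 "-" "-"',
    'a.example:80 203.0.113.5 - - [16/Jun/2014:21:29:15 +0200] "POST /administrator/index.php HTTP/1.0" 403 358 "-" "-"',
    'b.example:80 198.51.100.7 - - [16/Jun/2014:21:30:01 +0200] "POST /administrator/index.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    'b.example:80 198.51.100.7 - - [16/Jun/2014:21:30:40 +0200] "GET /administrator/index.php HTTP/1.1" 403 358 "-" "Mozilla/5.0"',
    'b.example:80 198.51.100.7 - - [16/Jun/2014:21:30:41 +0200] "GET /images/logo.png HTTP/1.1" 403 358 "-" "Mozilla/5.0"',
    'b.example:80 192.0.2.9 - - [16/Jun/2014:21:31:00 +0200] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, rx in (("asker", ASKER_RE), ("jali", JALI_RE), ("ramos", RAMOS_RE)):
        print(name, count_failures(SAMPLE_LOG, rx), "ban:", would_ban(SAMPLE_LOG, rx))
```

With the real fail2ban installed, `fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/administrator.conf` performs the same check against the live log.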
