I have a Debian server with phpmyadmin. I want to use fail2ban to block brute force attack. I have questions:
- How can I log the failed login attempts to log? Where to set that? I can only find the log in /var/log/apache2/access.log even it is success or fail in login.
10.0.5.1 – – [01/Mar/2016:23:47:46 +0800] "GET /phpmyadmin/ HTTP/1.1" 200 4028 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
10.0.5.1 – – [01/Mar/2016:23:47:49 +0800] "POST /phpmyadmin/index.php HTTP/1.1" 200 4033 "http://10.0.0.105/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
10.0.5.1 – – [01/Mar/2016:23:47:55 +0800] "POST /phpmyadmin/index.php HTTP/1.1" 200 4019 "http://10.0.0.105/phpmyadmin/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
10.0.5.1 – – [01/Mar/2016:23:48:29 +0800] "POST /phpmyadmin/index.php HTTP/1.1" 200 4019 "http://10.0.0.105/phpmyadmin/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
- If that is the only log I can have, what should be the regular expression for fail2ban?
failregex = ^ -*POST /phpmyadmin/index.php *
Best Answer
/etc/phpmyadmin/config.user.inc.php
file and add something similar to:If your phpmyadmin server is behind a reverse proxy and its private IP address is
10.163.1.128
you probably want to log the public IP address of the client, so step 1 should be:Please bear in mind that the user running your phpmyadmin (typically
www-data
) should have write access to file and parent dir defined in$cfg['AuthLog']
variable name