Hi.
On my server I host several Joomla websites, and I just noticed several IPs 
performing brute-force attacks against /administrator/index.php in an attempt to 
find the admin password.

I created a filter like this:
failregex = .* <HOST> - - .*POST .*/administrator/index.php HTTP.*
        .* <HOST> - - .*\.usbvu.*

and in jail.local:
[apache-joomla]
enabled = true
banaction = iptables-allports
bantime = 7200
port = all
filter = apache-joomla
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 6
findtime = 60

And this has been working when the attempts were very frequent. Now I noticed 
another attack which performs a few POSTs, say 3 or 4 at most, pauses for a 
minute or two, and then resumes from another IP. This setup won't work anymore, 
but I cannot raise "findtime" because all Joomla admin tasks (like saving an 
article or a module config) perform a POST to that URL, so any legitimate action 
would trigger the ban over a longer time window. 
So to detect those sparse break-in attempts I was about to reduce the "findtime" 
value to 30 and "maxretry" to 3, so that such activity could be detected.

My concern is: is there any drawback in using such low values for those 
parameters?

Thanks


P.S. This is an example log of what I'm trying to detect:

[12/Nov/2014:14:58:33 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
[12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
[12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"

-- 
Lorenzo Milesi - [email protected]

YetOpen S.r.l. - http://www.yetopen.it/


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
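Added example (not from the poster or the fail2ban project): a small replay of fail2ban's findtime/maxretry window over the access-log pattern shown above, so the two settings can be compared on the attack traffic and on a constructed burst of legitimate admin saves. It assumes the poster's failregex with `<HOST>` simplified to a non-space token, and the admin host 192.0.2.10 is a constructed placeholder.

```python
import re
from collections import deque
from datetime import datetime

# Constructed lines modelled on the excerpt in the post: three POSTs per IP
# within seconds, then a pause and a different IP (user agent shortened).
SAMPLE_LOG = """\
[12/Nov/2014:14:58:33 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0"
"""

# Constructed: an administrator (placeholder host) saving an article three times
# in 25 seconds; every save is a POST to the same URL, exactly as the post says.
ADMIN_LOG = """\
[12/Nov/2014:15:10:00 +0100] domain.com:80 192.0.2.10 - - "POST /administrator/index.php HTTP/1.1" 303 0 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:15:10:12 +0100] domain.com:80 192.0.2.10 - - "POST /administrator/index.php HTTP/1.1" 303 0 "http://domain.com/administrator/" "Mozilla/5.0"
[12/Nov/2014:15:10:25 +0100] domain.com:80 192.0.2.10 - - "POST /administrator/index.php HTTP/1.1" 303 0 "http://domain.com/administrator/" "Mozilla/5.0"
"""

# The post's failregex with <HOST> simplified to \S+ (fail2ban's real <HOST>
# pattern is stricter); the leading timestamp is captured to drive the window.
FAILREGEX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] .* (?P<host>\S+) - - .*POST .*/administrator/index\.php HTTP.*'
)

def simulate_bans(log_text, findtime, maxretry):
    """Replay matching lines in order and return the hosts fail2ban would ban:
    a host is banned once maxretry matches fall within findtime seconds."""
    recent = {}      # host -> deque of match timestamps still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = recent.setdefault(host, deque())
        window.append(ts)
        while window and ts - window[0] > findtime:   # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    for findtime, maxretry in ((60, 6), (30, 3)):
        print(f"findtime={findtime} maxretry={maxretry}:",
              "attack", sorted(simulate_bans(SAMPLE_LOG, findtime, maxretry)),
              "admin", sorted(simulate_bans(ADMIN_LOG, findtime, maxretry)))
```

With the current 60/6 settings neither the attack IPs nor the admin are banned; with 30/3 both attack IPs are caught, but so is an administrator who saves three times within half a minute, which is the drawback the question is asking about.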
