On 12/11/14 at 15:12, Lorenzo Milesi wrote:
> Hi.
> On my server I host several Joomla websites, and I just noticed several IP 
> performing bruteforce attacks to /administrator/index.php in an attempt to 
> find the admin password.
>
> I created a filter like this:
> failregex = .* <HOST> - - .*POST .*/administrator/index.php HTTP.*
>          .* <HOST> - - .*\.usbvu.*
>
> and in jail.local:
> [apache-joomla]
> enabled = true
> banaction = iptables-allports
> bantime = 7200
> port = all
> filter = apache-joomla
> logpath = /var/log/apache2/other_vhosts_access.log
> maxretry = 6
> findtime = 60
>
> And this has been working when the attempts were very many. Now I noticed 
> another attack which performs few POSTs, say 3 or 4 at most, and pauses for a 
> minute or two, then again but from another IP. This layout won't work 
> anymore, but I cannot raise "findtime" because all Joomla admin tasks (like 
> saving an article or a module config) perform POST to that url, so any 
> legitimate action would trigger the ban in a longer timestamp.
> So to detect those sparse break-in attempts I was about to reduce the 
> "findtime" value to 30 and "maxretry" to 3, so that such action could be 
> detected.
>
> My concern is, is there any drawback in using so low values for those 
> parameters?
>
> Thanks
>
>
> P.S. this is an example log of what I'm trying to detect
>
> [12/Nov/2014:14:58:33 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
> [12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
> [12/Nov/2014:14:58:34 +0100] domain.com:80 37.113.168.91 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
> [12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
> [12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
> [12/Nov/2014:14:58:52 +0100] domain.com:80 78.152.161.14 - - "POST /administrator/index.php HTTP/1.1" 200 4929 "http://domain.com/administrator/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
>

Hi,

I don't know about fail2ban in apache or joomla (I've used it only in a 
mail server with dovecot, postfix...), but: what about finding wrong 
login attempts? Maybe Joomla or apache have some log of login attempts (or 
denied access) that you can use instead of searching for POSTs. With that you 
can use a higher findtime without problem and ban those IP addresses.

Greetings!!

-- 
------------------------------------------------------------
Daniel Carrasco Marín
  
Técnicas Territoriales y Urbanas, S.L.
C/ Zurbano 92, 2º, 28003 Madrid
Tfno.: +34 91 571 93 46 (ext. 148) # Fax: +34 91 571 58 72
------------------------------------------------------------
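A way to check the thresholds before touching jail.local, as an added example that belongs to neither message: a small Python simulation of fail2ban's findtime/maxretry counting, run over constructed log lines in the same shape as the ones quoted in the question. The `<HOST>` expansion, the log lines, the RFC 5737 test addresses and the traffic pattern are all assumptions made here; the ban logic is a simplification of fail2ban's, not its code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: fail2ban's
# real expansion also accepts IPv6 and hostnames; plain IPv4 is enough here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the question with <HOST> substituted and the dot in
# index.php escaped so it matches only a literal dot.
FAILREGEX = re.compile(r".* " + HOST + r" - - .*POST .*/administrator/index\.php HTTP.*")

# Leading "[dd/Mon/yyyy:HH:MM:SS +zzzz]" as in the quoted other_vhosts_access.log lines.
TIMESTAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_ts(line):
    """Return the line's timestamp as an aware datetime, or None if absent."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def matches(lines):
    """Yield (timestamp, host) for every line the filter would count as a failure."""
    for line in lines:
        m = FAILREGEX.match(line)
        ts = parse_ts(line)
        if m and ts:
            yield ts, m.group("host")


def simulate_bans(lines, findtime, maxretry):
    """Return the set of hosts a jail with these settings would ban.

    Simplified fail2ban semantics: a host is banned once maxretry matching
    lines fall within the last findtime seconds.
    """
    recent = defaultdict(list)
    banned = set()
    for ts, host in matches(lines):
        if host in banned:
            continue
        recent[host].append(ts)
        # Keep only the matches still inside the sliding findtime window.
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def log_line(ts, ip, request="POST /administrator/index.php HTTP/1.1", status=200):
    """Build one constructed access-log line in the question's format."""
    return (f'[{ts} +0100] domain.com:80 {ip} - - "{request}" {status} 4929 '
            f'"http://domain.com/administrator/" "Mozilla/5.0 (constructed)"')


# Constructed traffic (RFC 5737 test addresses), not from any real server:
# two sources each send 3 POSTs about 20 s apart, then an admin saves twice
# and loads the page once with GET (which the filter must not count).
SAMPLE_LOG = [
    log_line("12/Nov/2014:14:58:33", "192.0.2.10"),
    log_line("12/Nov/2014:14:58:34", "192.0.2.10"),
    log_line("12/Nov/2014:14:58:34", "192.0.2.10"),
    log_line("12/Nov/2014:14:58:52", "198.51.100.7"),
    log_line("12/Nov/2014:14:58:52", "198.51.100.7"),
    log_line("12/Nov/2014:14:58:52", "198.51.100.7"),
    log_line("12/Nov/2014:14:59:10", "203.0.113.5"),  # legitimate admin save
    log_line("12/Nov/2014:14:59:30", "203.0.113.5"),  # legitimate admin save
    log_line("12/Nov/2014:14:59:40", "203.0.113.5", "GET /administrator/index.php HTTP/1.1"),
]

# Same traffic, but the admin saves a third time within 30 s of the first save.
ADMIN_BURST = SAMPLE_LOG[:8] + [log_line("12/Nov/2014:14:59:35", "203.0.113.5")] + SAMPLE_LOG[8:]

if __name__ == "__main__":
    print("findtime=60 maxretry=6:", simulate_bans(SAMPLE_LOG, 60, 6))
    print("findtime=30 maxretry=3:", simulate_bans(SAMPLE_LOG, 30, 3))
    print("same, admin saving 3 times in 30 s:", simulate_bans(ADMIN_BURST, 30, 3))
```

With the question's current values (findtime=60, maxretry=6) neither short burst reaches the threshold; with findtime=30 and maxretry=3 both sources are banned, but the third run shows the drawback asked about: an admin who saves three times within 30 seconds produces exactly the same log lines and is banned as well. That is the point of the reply above: a regex on plain POSTs cannot distinguish a failed login from a successful save, so tightening findtime trades false negatives for false positives, whereas a log line that only appears on a failed login would let findtime stay long.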


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users