Banning phpMyAdmin bots using fail2ban
I've had it with those evil bots probing for non-existent phpMyAdmin installations on anything webserver-ish, so I wrote up a small fail2ban rule to ban those bastards after the third attempt. Maybe it's of help to you too, so here it is.
/etc/fail2ban/filter.d/apache-phpmyadmin.conf
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
The badadmin matchers will probably be extended in the future; this is just what I found in the way of trial-and-error URLs after a quick scan through the logs of one of the servers at work.
I added this to /etc/fail2ban/jail.conf to enable the rule:
[apache-phpmyadmin]
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /var/log/apache*/*error.log
maxretry = 3
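To see what the filter actually catches before enabling the jail, here is an added example (not part of the original post) that expands the failregex the way fail2ban does and runs it over a few constructed Apache error_log lines; the <HOST> expansion and the log lines are assumptions, the regex and the badadmin list are taken from the filter above.

```python
import re
from collections import Counter

# Values from the filter on this page; fail2ban interpolates %(name)s from
# [Definition] and expands the <HOST> tag into a named capture group.
DOCROOT = "/var/www"
BADADMIN = ("PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin"
            "|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2")
FAILREGEX = "[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)"

# Assumed expansion of <HOST>: a named group 'host' matching an IPv4 address
# or hostname (fail2ban's own expansion is equivalent for these lines).
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# Constructed Apache 2.2 error_log lines (not taken from any real server).
SAMPLE_LOG = """\
[Sun Apr 13 12:00:01 2008] [error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin
[Sun Apr 13 12:00:02 2008] [error] [client 192.0.2.10] File does not exist: /var/www/PMA
[Sun Apr 13 12:00:03 2008] [error] [client 192.0.2.10] File does not exist: /var/www/mysqladmin
[Sun Apr 13 12:00:04 2008] [error] [client 192.0.2.10] File does not exist: /var/www/admin
[Sun Apr 13 12:01:00 2008] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Sun Apr 13 12:01:05 2008] [error] [client 198.51.100.7] File does not exist: /var/www/xampp
[Sun Apr 13 12:02:00 2008] [error] [client 203.0.113.5] File does not exist: /var/www/dbtools
"""

def compile_failregex(failregex, **values):
    """Expand %(name)s and <HOST> the way fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP) % values)

def count_hits(log_text, regex):
    """Number of failregex matches per client host, like the fail2ban-regex summary."""
    hits = Counter()
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)

def hosts_to_ban(log_text, regex, maxretry=3):
    """Hosts that reached the jail's maxretry (findtime is ignored here)."""
    return sorted(h for h, n in count_hits(log_text, regex).items() if n >= maxretry)

if __name__ == "__main__":
    rx = compile_failregex(FAILREGEX, docroot=DOCROOT, badadmin=BADADMIN)
    print(count_hits(SAMPLE_LOG, rx))   # {'192.0.2.10': 4, '198.51.100.7': 1, '203.0.113.5': 1}
    print(hosts_to_ban(SAMPLE_LOG, rx))  # ['192.0.2.10']
```

Note that the failregex is not anchored at the end of the path, so a legitimate 404 for /var/www/dbtools counts as a hit via the `db` alternative; add a trailing `/?$` style anchor or tighten the list if that matters on your host.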
blog/2008/04/banning_phpmyadmin_bots_using_fail2ban.txt · Last modified: 2008/04/14 09:39 by foosel



Discussion
Hi,
Thanks for posting this. It was exactly what I was looking for!
Thank you so much for the post!
When you use Fail2Ban, you can generate abuse complaints automatically via my project http://www.blocklist.de for some services.
I get the following error testing the regex: fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-phpmyadmin.conf
No 'host' group in 'etc/fail2ban/filter.d/apache-phpmyadmin.conf' Cannot remove regular expression. Index 0 is not valid
Any tips?
Works fine, thx.
“I added this to /etc/fail2ban/jail.conf to enable the rule:”
It's a bad idea, your personal settings can be overwritten by an update/upgrade. :)
Better if you use a local config file for that.
If you don't have one, just create it (touch /etc/fail2ban/jail.local) and add all your personal settings to /etc/fail2ban/jail.local.
Hi, for the index 0 problem you might want to try this:
failregex = [[]client (?P<host>\S*)[][] File does not exist: %(docroot)s/(?:%(badadmin)s)
The first part (matching the client host and saving the IP for iptables) works well with fail2ban-regex on a Debian system.
Either for IPs (%a) or hostnames (%h).
BTW:
It looks like the captcha image is rendered wrong!