Virtuemart Extensions by RuposTel.com

Blocking Joomla Brute Force Login Attacks with Fail2Ban on Ubuntu Server

This guide is intended for server administrators with lots of Joomla sites installed. It explains how to block IP addresses that attempt brute force login attacks against Joomla sites. The guide is written for Ubuntu 12.04 (or above).

First, install Joomla plugins: 

For Joomla 2.5.x and Joomla 3.x you can install: plg_system_fail2ban_j25.zip

For Joomla 1.5.x you can install: plg_system_fail2ban_j15.zip

(Update 2 Dec 2014: the plugins now also support PHP 5.3. PHP 5.2 support is not tested, but may possibly work as well. Report issues to our forum. Tested PHP versions are 5.3, 5.4, 5.5 and 5.6.)

The plugins are based on: http://baxeico.wordpress.com/2014/03/31/joomla-brute-force-attacks-file2ban/ 

You may also see the reference at Stack Overflow here

In addition, our modification adds these features: 

- using the syslog facility, so all failed login attempts are logged in a single system log file

- filtering the failed attempts only for the administrator section

- added a Joomla 1.5 plugin 

This guide describes how to enable fail2ban when using our plugin's syslog feature. 

Second, check whether the failed login attempts are properly logged

Normally on an Ubuntu server, failed attempts sent through PHP's syslog end up in /var/log/syslog; on SUSE-based systems the default log file is /var/log/messages.

To move the messages to a single file:

Assuming that you are running Ubuntu 12.04 which uses rsyslog as the default logging daemon, create this file: 

/etc/rsyslog.d/10-joomla.conf

with contents: 

#code start

if $programname == 'joomla' then /var/log/joomla.log

#code end

Now all the messages will be logged in the single file above. You can optionally add

#code start

& ~

#code end

to the end of this file if you do not want the messages to also be logged via the user facility into other files (such as /var/log/syslog).

Example output from /var/log/joomla.log

Aug 24 14:56:05 ibm joomla: [error] [client 192.168.122.122] user testuser vm2onj25.rupostel.com authentication failure

 

Now set up fail2ban

Quick installation on Ubuntu: 

$ apt-get install fail2ban

Create a new file: 

/etc/fail2ban/filter.d/joomla-error.conf

The default regex as shown at this site (http://baxeico.wordpress.com/2014/03/31/joomla-brute-force-attacks-file2ban/) will work: 

#code start

[Definition]

# Option: failregex
# Notes.: matches something like:
# [Mon Mar 31 10:15:00 2014] [error] [client 212.109.14.203] user mywebsite authentication failure
# Values: TEXT
failregex = [[]client <HOST>[]] user .* authentication failure.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

#code end

Then add these lines to the end of the fail2ban configuration file /etc/fail2ban/jail.local: 

#code start

[joomla-error]
enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/joomla.log
maxretry = 7

#code end
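As an added illustration (not code from this page or from RuposTel's plugin), the following Python reproduces what the filter and jail above do together: it applies the failregex from joomla-error.conf to constructed /var/log/joomla.log lines, groups the failures per client address and applies the jail's maxretry = 7 threshold. The IPv4-only expansion of <HOST> and the 600-second findtime window are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The failregex exactly as written in joomla-error.conf on this page.
FAILREGEX = r"[[]client <HOST>[]] user .* authentication failure.*"
# fail2ban expands <HOST> to its own host/IP pattern; this IPv4-only stand-in is an assumption.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
# rsyslog timestamp prefix as seen in /var/log/joomla.log, e.g. "Aug 24 14:56:05".
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log (not real traffic): 7 failures from one client inside
# 18 seconds, plus one failure and one successful login from another client.
SAMPLE_LOG = [
    f"Aug 24 14:56:{s:02d} ibm joomla: [error] [client 192.168.122.122] user testuser vm2onj25.rupostel.com authentication failure"
    for s in range(0, 21, 3)
] + [
    "Aug 24 14:24:34 ibm joomla: [error] [client 192.168.122.99] user admin vm2onj25.rupostel.com authentication failure",
    "Aug 24 14:24:35 ibm joomla: [info] [client 192.168.122.99] user admin vm2onj25.rupostel.com login ok",
]

def parse_failure(line, year=2014):
    # Return (timestamp, client_ip) for a failed-login line, else None.
    # The syslog prefix carries no year, so the caller supplies one.
    m_ts, m = TIMESTAMP_RE.match(line), FAILREGEX_RE.search(line)
    if not m_ts or not m:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def failures_by_host(lines):
    # Map each client IP to the sorted timestamps of its failed logins.
    found = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            found[parsed[1]].append(parsed[0])
    return {host: sorted(times) for host, times in found.items()}

def hosts_to_ban(lines, maxretry=7, findtime=600):
    # Ban a host once it has maxretry failures inside any findtime-second window;
    # maxretry = 7 is the jail setting on this page, findtime = 600 s (fail2ban's
    # default) is assumed here.
    banned = []
    for host, times in failures_by_host(lines).items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)
```

Running hosts_to_ban(SAMPLE_LOG) returns only 192.168.122.122; the second client has a single failure and its successful login never matches the failregex.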

Now check that everything works properly

Test whether fail2ban's regex extracts the IP addresses from the log:

$ fail2ban-regex /var/log/joomla.log /etc/fail2ban/filter.d/joomla-error.conf

The output should look like this for the example above: 

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/joomla-error.conf
Use log file : /var/log/joomla.log


Results
=======

Failregex
|- Regular expressions:
| [1] [[]client <HOST>[]] user .* authentication failure.*
|
`- Number of matches:
[1] 2 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
192.168.122.122 (Sun Aug 24 14:24:34 2014)
192.168.122.122 (Sun Aug 24 14:56:05 2014)

Date template hits:
4 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 2

However, look at the above section 'Running tests' which could contain important
information.

Now you can reload fail2ban:

$ fail2ban-client reload

Now, let's configure logrotate so fail2ban does not run out of memory

Create a new file: 

/etc/logrotate.d/joomla.conf

with contents:

/var/log/joomla.log {
    # keep 12 rotated copies, rotate weekly or once the file reaches 5M
    rotate 12
    weekly
    missingok
    notifempty
    # 777 makes each new log world-writable; on Ubuntu rsyslog writes as user
    # syslog, so "create 640 syslog adm" is a tighter mode that still works
    create 777 root adm
    compress
    size 5M
    minsize 5M
    # delaycompress leaves the newest rotated file uncompressed, because without a
    # postrotate that reloads rsyslog the daemon keeps writing to the renamed file
    delaycompress
}

Logrotate does not need to be reloaded, as it is run from cron. 

 

This guide is based on these references: 

http://baxeico.wordpress.com/2014/03/31/joomla-brute-force-attacks-file2ban/

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
