Blocking Joomla Brute Force Login Attacks with Fail2Ban on Ubuntu Server

This guide is intended for server administrators who host many Joomla sites. It explains how to block IP addresses that attempt brute force login attacks against Joomla sites. It is written for Ubuntu 12.04 (or above).


First, install Joomla plugins: 

For Joomla 2.5.x and Joomla 3.x you can install:

For Joomla 1.5.x you can install:

 (Update 2 Dec 2014: the plugins now also support PHP 5.3. PHP 5.2 support is not tested, but may possibly work as well. Report issues to our forum. Tested PHP versions are 5.3, 5.4, 5.5 and 5.6.)

The plugins are based on: 

You may also see a reference at stackoverflow here

In addition our modification adds these features: 

- using the syslog facility, so all failed login attempts are logged in a single system log file

- filtering the failed attempts only for an administrator section

- added joomla 1.5 plugin 

This guide will describe how to enable fail2ban when using our plugin's syslog feature. 


Second, see if the failed login attempts are properly logged

Normally on an Ubuntu server, failed attempts logged through PHP syslog end up in /var/log/syslog; on Suse-based systems the default log file is /var/log/messages.

To move the messages to a single file

Assuming that you are running Ubuntu 12.04 which uses rsyslog as the default logging daemon, create this file: 


with contents: 

#code start

if $programname == 'joomla' then /var/log/joomla.log

#code end

Now all the messages will be logged in the single file above. You can optionally add

#code start

& ~

#code end

to the end of this file if you do not want the messages to be logged by the user facility into other files.

Example output from /var/log/joomla.log

Aug 24 14:56:05 ibm joomla: [error] [client] user testuser authentication failure


Now set up fail2ban

Quick installation on Ubuntu:

$ apt-get install fail2ban

Create a new file:


The default regex as shown at this site will work:

#code start


[Definition]

# Option: failregex
# Notes.: matches something like:
# [Mon Mar 31 10:15:00 2014] [error] [client] user mywebsite authentication failure
# Values: TEXT
failregex = [[]client <HOST>[]] user .* authentication failure.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

#code end

Open the fail2ban configuration file /etc/fail2ban/jail.local and add these lines to the end:

#code start

# Jail section header; the jail name is chosen here to match the filter name
[joomla-error]
enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/joomla.log
maxretry = 7

#code end
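
How the failregex and maxretry settings above combine can be checked offline with the short script below. It is an added example, not part of the original guide or of fail2ban. It assumes the jail keeps fail2ban's default findtime of 600 seconds, approximates `<HOST>` with a plain IP capture, and runs on constructed log lines with documentation-range addresses; `hosts_to_ban` and `sample` are hypothetical helper names.

```python
import re
import warnings
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILREGEX = r"[[]client <HOST>[]] user .* authentication failure.*"  # from the filter
# Approximation: fail2ban's real <HOST> expansion also accepts hostnames.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
MAXRETRY = 7                       # from jail.local
FINDTIME = timedelta(seconds=600)  # assumption: fail2ban's default findtime

with warnings.catch_warnings():
    warnings.simplefilter("ignore", FutureWarning)  # "[[]" looks like a nested set
    PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))


def hosts_to_ban(lines, year=2014):
    """Return hosts reaching MAXRETRY failures inside FINDTIME, in ban order."""
    recent = defaultdict(deque)  # host -> timestamps of failures still in the window
    banned = []
    for line in lines:
        match = PATTERN.search(line)
        if not match:
            continue  # not a failed-login line
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        host = match.group("host")
        window = recent[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()  # failure is older than findtime, forget it
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned


def sample(host, count, step):
    """Constructed joomla.log lines: `count` failures from `host`, `step` seconds apart."""
    start = datetime(2014, 8, 24, 14, 0, 0)
    return [
        f"{start + timedelta(seconds=i * step):%b %d %H:%M:%S} ibm joomla: "
        f"[error] [client {host}] user testuser authentication failure"
        for i in range(count)
    ]


# Constructed input, documentation-range addresses only.
LOG = (sample("203.0.113.10", 7, 10)      # 7 failures in one minute
       + sample("198.51.100.7", 7, 300)   # 7 failures, but spread over 30 minutes
       + sample("192.0.2.44", 6, 10)      # one short of maxretry
       + ["Aug 24 15:00:00 ibm joomla: [info] user admin logged in"])

if __name__ == "__main__":
    print(hosts_to_ban(LOG))
```

Only the first client is reported: slow attempts spread beyond findtime and clients that stay under maxretry are not banned with these settings.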

Now check that everything works properly

Test whether the fail2ban regex finds IP addresses in the log:

$ fail2ban-regex /var/log/joomla.log /etc/fail2ban/filter.d/joomla-error.conf

The output should look like this for our example above: 

Running tests

Use regex file : /etc/fail2ban/filter.d/joomla-error.conf
Use log file : /var/log/joomla.log


|- Regular expressions:
| [1] [[]client <HOST>[]] user .* authentication failure.*
`- Number of matches:
[1] 2 match(es)

|- Regular expressions:
`- Number of matches:


Addresses found:
[1] (Sun Aug 24 14:24:34 2014) (Sun Aug 24 14:56:05 2014)

Date template hits:
4 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 2

However, look at the above section 'Running tests' which could contain important


Now you can restart fail2ban

$ fail2ban-client reload


Now, let's configure logrotate so fail2ban does not run out of memory

Create a new file: 


with contents

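/var/log/joomla.log {
rotate 12
# 640 syslog:adm matches Ubuntu's rsyslog defaults; a world-writable (777) log
# would let any local user add lines that fail2ban then acts on
create 640 syslog adm
size 5M
minsize 5M
}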

A logrotate reload is not needed, as logrotate is run from cron.

