It works for me - see here:
# fail2ban-regex 'Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10' 'user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$'
Running tests
=============
Use failregex line : user denied: \S* \((mysql|allow|rooy|empty)-denied...
Use single line : Feb 14 21:48:06 www phpMyAdmin[3981]: user denied:...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] user denied: \S* \((mysql|allow|rooy|empty)-denied\) from <HOST>$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
On Sat, 15 Feb 2020 at 11:29, Henrique Fagundes <[email protected]>
wrote:
> Hi friend
>
> I tried to use the "failregex" rule that you indicated. Unfortunately it
> didn't work! Is there anything else I can try?
>
> I'm grateful!
>
> ---- On Sat, 15 Feb 2020 05:37:26 -0300 Dominic Raferd <[email protected]> wrote ----
> >
> >
> > On Sat, 15 Feb 2020 at 01:54, Henrique Fagundes <[email protected]> wrote:
> >
> > Try replacing your failregex line with this:
> > failregex = user denied: \S* \((mysql|allow|root|empty)-denied\) from <HOST>$
> > It does not use the 'denied' variable (so that line could be removed
> > from your filter file). It would be better if it was defined with an anchor
> > (and matching text/variables) at the front of the regex but it is probably
> > good enough for your purposes, the risk of resulting FPs is small I think.
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > Dear Colleagues,
> >
> > I begin by apologizing for any communication error, as I am Brazilian
> > and I am still trying to adapt to the English language.
> >
> > I'm having a hard time getting Fail2Ban to work on phpmyadmin.
> >
> > I'm using CentOS 8.1.1911 and fail2ban 0.10.5-2.
> > My PhpMyAdmin is version 4.9.0.1.
> >
> > I noticed that PhpMyAdmin logs login failures in the “/var/log/secure” file.
> >
> > And it has an output like this:
> >
> > Feb 14 21:40:37 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:07 www phpMyAdmin[3978]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:42:09 www phpMyAdmin[3982]: user denied: root (mysql-denied) from 177.122.254.10
> > Feb 14 21:48:06 www phpMyAdmin[3981]: user denied: root (mysql-denied) from 177.122.254.10
> >
> > So, I configured my “/etc/fail2ban/jail.conf” like this:
> >
> > [phpmyadmin]
> > enabled = true
> > port = http,https
> > filter = phpmyadmin
> > action = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
> >          sendmail-whois[name=PHPMYADMIN, [email protected]]
> > logpath = /var/log/secure
> > maxretry = 3
> >
> > And the filter configuration file (/etc/fail2ban/filter.d/phpmyadmin.conf), the expressions are like this:
> >
> > [Definition]
> > denied = mysql-denied|allow-denied|root-denied|empty-denied
> > failregex = ^<HOST> -.*(?:%(denied)s)$
> > ignoreregex =
> >
> > I believe I am not able to correctly form the expression, as Fail2Ban
> > is not blocking at all.
> >
> > Could someone help me in this matter?
> >
> > I'll be very grateful.
> >
>