config fail2ban on joomla - regex

Hello everyone, I'm trying to configure Joomla with fail2ban, so I created
the file /etc/fail2ban/filter.d/joomla-error.conf
and added the failregex as below:
failregex = [[]client <HOST>[]] user .* authentication failure.*
After I added this code into the jail.conf
[joomla-error]
enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/httpd/domains/jayjezz.com.error.log
maxretry = 5
bantime = 30
The logpath is right, but every time I try to reload the fail2ban service I get
ERROR NOK: ("No 'host' group in '[[]client <HOST>[]] user .* authentication failure.*'",)
I think something is wrong with my regex. Can someone provide me the right regex for
[Thu Sep 28 17:14:23.932811 2017] [:error] [pid 6673] [client 000.000.000.000:56806] user xxxxx authentication failure, referer: http://jayjezz.com/administrator/index.php
Thank you

Fixed this by adding a script to change file permissions inside the Joomla website. Now I cannot log in under /administrator without launching the script first.

Related

FreeIpa DatabaseError on Add user

I have an ipa server running for over a year now.
Recently, when I try to add a new user via https or the terminal it fails with the following error message.
IPA-Fehler 4203: DatabaseError
Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log).
In the error logs, I see:
[timestamp] [:warn] [pid 2731] [client xxx] failed to set perms (3140) on file (/var/run/ipa/ccaches/user#xxx)!, referer: xxx
[timestamp] [:error] [pid 2727] ipa: INFO: [jsonserver_session] user#xxx: group_find(None, posix=True, version=u'2.230', no_members=True): SUCCESS
[timestamp] [:warn] [pid 2731] [client xxx] failed to set perms (3140) on file (/var/run/ipa/ccaches/user#xxx)!, referer: xxx
[timestamp] [:error] [pid 2726] ipa: INFO: [jsonserver_session] user#xxx: user_add(u'xxx', givenname=u'xxx', sn=u'xxx', userpassword=u'********', version=u'2.230'): DatabaseError
The user is not created but I have to remove the managed group as described here:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00092.html before I can try again.
What is going on? Any help is appreciated.
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
$ ipa --version
VERSION: 4.6.4, API_VERSION: 2.230
So I managed to solve the problem.
While experimenting with other settings I tried to add the user without a private group and got the error message:
Server is unwilling to perform: Automember Plugin update unexpectedly failed.
A quick search showed that this error happens when the user is to be added to a group that does not exist, which happened due to an outdated Auto-Membership-Rule.
After correcting that, the user can be added.

why does fail2ban not match script not found

Why does the following fail2ban regex
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat).*$
^%(_apache_error_client)s script '.*' not found or unable to stat
not match
[client 111.111.111.111:51008] script '/srv/www/htdocs/wwwuni/fileadmin/Dokumente/index.php' not found or unable to stat
My problem is solved after changing the definition of _apache_error_client in apache-common.conf to
_apache_error_client = [[^]]*] [(:error|\S+:\S+)]( [pid \d+])? [client (:\d{1,5})?]

mod-rewrite rule works, but no output from file

thanks in advance, this is an odd problem, but probably is some internal processing I don't understand...
The rules and conditions work as expected except for one tiny problem.... it seems to be returning an empty file when the file is not empty...
On the bright side I got logging working, and am starting to have a clue about the very cryptic codes (thank you mr. apache and of course apache.org, and for those who want to test their regex: regex101.com)
Here is my log file:
[Sat Dec 06 19:04:49.939312 2014] [rewrite:trace1] [pid 5918] mod_rewrite.c(468): [client 192.168.1.100:55227] 192.168.1.100 - - [webtypography.dev/sid#7fdcea80dd68][rid#7fdcea7de0a0/initial] [perdir /var/www/webtypography.dev/public_html/] pass through /var/www/webtypography.dev/public_html/toc.php
this is my .htaccess file:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^webtypography\.dev$ [NC]
RewriteRule ^(.*)\/$ $1.php [R=301,L]
A little more info: My intent is if you type in the url which includes a directory: /directory/ it is rewritten as directory.php and appended to the base url....works great except the big blank browser viewport...
[Sat Dec 06 19:04:49.939265 2014] [rewrite:trace3] [pid 5918] mod_rewrite.c(468): [client 192.168.1.100:55227] 192.168.1.100 - - [webtypography.dev/sid#7fdcea80dd68][rid#7fdcea7de0a0/initial] [perdir /var/www/webtypography.dev/public_html/] strip per-dir prefix: /var/www/webtypography.dev/public_html/toc.php -> toc.php
[Sat Dec 06 19:04:49.939301 2014] [rewrite:trace3] [pid 5918] mod_rewrite.c(468): [client 192.168.1.100:55227] 192.168.1.100 - - [webtypography.dev/sid#7fdcea80dd68][rid#7fdcea7de0a0/initial] [perdir /var/www/webtypography.dev/public_html/] applying pattern '^(.*)\\/$' to uri 'toc.php'
[Sat Dec 06 19:04:49.939312 2014] [rewrite:trace1] [pid 5918] mod_rewrite.c(468): [client 192.168.1.100:55227] 192.168.1.100 - - [webtypography.dev/sid#7fdcea80dd68][rid#7fdcea7de0a0/initial] [perdir /var/www/webtypography.dev/public_html/] pass through /var/www/webtypography.dev/public_html/toc.php
These are the only entries in my virtual log for that transaction (I created a separate log for this virtual host...) Also this is NOT a production server, but I am going to look at php.ini and the php error log.... I'm not allowed to comment so I must do this here?
In php.ini, display_errors was off!
Now I got the errors I need... THANKS NIEL! Allow me to check these errors, they are simple to fix. How can I give you any credit for this?
If PHP or Apache produces empty output this is nearly always caused by an error in either your Apache configs, including .htaccess files, or in your PHP with display_errors being disabled (as it damn well should be on a production site - you never want to show server internals to a possible attacker).
First stop should be Apache's vhost error logs as they will contain the errors from all these sources.

Fail2Ban regex does not match

I'm using fail2ban. For some reason Fail2Ban refuses to compile my regex. Here are the logs that I need to match:
root@server1:/etc/fail2ban/filter.d# tail /var/log/apache2/error.log
[Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:16 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/
[Sun Apr 20 10:40:44 2014] [error] [client 75.144.181.151] user pentest not found: /phpmyadmin/
and here is my fail2ban filter.d file:
root@server1:/etc/fail2ban/filter.d# cat /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = [client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":
ignoreregex =
here is my regex line from the file above:
[client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":
Unfortunately the fail2ban log file is giving me an error about the regex: Unable to compile regular expression..
root@server1:/etc/fail2ban# tail /var/log/fail2ban.log
2014-04-20 10:47:06,788 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-04-20 10:47:06,789 fail2ban.filter : INFO Set maxRetry = 3
2014-04-20 10:47:06,789 fail2ban.filter : INFO Set findtime = 600
2014-04-20 10:47:06,790 fail2ban.actions: INFO Set banTime = 600
2014-04-20 10:47:06,790 fail2ban.filter : ERROR Unable to compile regular expression '[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user .*; not found: \/phpmyadmin\/|[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user root: authentication failure for "\/phpmyadmin\/":'
2014-04-20 10:47:06,794 fail2ban.jail : INFO Jail 'ssh' started
2014-04-20 10:47:06,799 fail2ban.jail : INFO Jail 'pureftpd' started
2014-04-20 10:47:06,805 fail2ban.jail : INFO Jail 'phpmyadmin' started
My regex http://regex101.com/r/kU7tX3. What is wrong with this? Any help is appreciated. Thank you.
I would have asked a question in a comment but I cannot add a comment,
so I am trying my best to understand the requirement and give an answer.
Requirement: I think you are looking to filter all lines containing
"authentication failure for "/phpmyadmin/""
You can do so by changing your regular expression to the following:
failregex = .*authentication failure for "\/phpmyadmin\/"
You may have to escape "
Please add comments if this wasn't the correct understanding.....
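
Added example, not part of any post above: a small Python check that expands <HOST> the way the fail2ban.log error line in this thread shows it, then compiles a failregex and runs it over the Apache error lines quoted in this thread and in the Joomla question at the top of the page. check_failregex and the PMA_FIXED / JOOMLA_* patterns are names and patterns written for this example (assumptions, not fail2ban's own code or filters).

```python
import re

# <HOST> expansion copied from the fail2ban.log error line quoted in this thread.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def check_failregex(failregex, lines):
    """Return (error, hosts): error is None on success; hosts has one entry per line."""
    if "<HOST>" not in failregex:
        return "no <HOST> tag in pattern", []
    try:
        compiled = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    except re.error as exc:
        return "compile error: %s" % exc, []
    hosts = []
    for line in lines:
        match = compiled.search(line)
        hosts.append(match.group("host") if match else None)
    return None, hosts

# Log lines exactly as posted in the questions on this page.
PMA_LINES = [
    '[Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: '
    'authentication failure for "/phpmyadmin/": Password Mismatch',
    '[Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/',
]
JOOMLA_LINE = ('[Thu Sep 28 17:14:23.932811 2017] [:error] [pid 6673] '
               '[client 000.000.000.000:56806] user xxxxx authentication failure, '
               'referer: http://jayjezz.com/administrator/index.php')

# Pattern as posted: the unescaped "[" opens a character class that swallows
# the start of the expanded <HOST> group, leaving an unbalanced ")".
PMA_BROKEN = (r'[client <HOST>;] user .*; not found: \/phpmyadmin\/|'
              r'[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":')
# Assumed correction: literal brackets escaped, one <HOST>, alternation after it.
PMA_FIXED = (r'\[client <HOST>\] user (?:\S+ not found: /phpmyadmin/|'
             r'root: authentication failure for "/phpmyadmin/":)')
# Apache 2.4 logs "client ip:port"; the host class has no ":" so "\]" cannot follow.
JOOMLA_NO_PORT = r'\[client <HOST>\] user .* authentication failure'
JOOMLA_WITH_PORT = r'\[client <HOST>(:\d{1,5})?\] user .* authentication failure'

if __name__ == "__main__":
    for name, pattern, lines in [("pma broken", PMA_BROKEN, PMA_LINES),
                                 ("pma fixed", PMA_FIXED, PMA_LINES),
                                 ("joomla no port", JOOMLA_NO_PORT, [JOOMLA_LINE]),
                                 ("joomla with port", JOOMLA_WITH_PORT, [JOOMLA_LINE])]:
        print(name, check_failregex(pattern, lines))
```

This only approximates fail2ban's matching; running fail2ban-regex against the real log file and filter file gives the authoritative result.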

Regex Error in .htaccess with hash mark in URL

What am I doing wrong with this regex?
My requested url
http://domain.com/local/v11/full/#Q73Ps/
What I have in .htaccess
Options +FollowSymlinks
RewriteEngine On
RewriteRule ^local/v11/full/#([a-zA-Z0-9]+)/ local/v11/server/full.php?token=$1
The above rule always gives me a 404 error.
Added Logs
related apache error
[Thu Feb 09 14:04:21 2012] [error] [client 127.0.0.1] File does not exist: /path/to/folder/local/v11/full
related access logs
[09/Feb/2012:14:16:54 +0500] "GET /local/v11/full/ HTTP/1.1" 404 340
no re-write log
When you try to access http://domain.com/local/v11/full/#Q73Ps/ the browser sends a request for http://domain.com/local/v11/full/ and doesn't consider #Q73Ps/ as part of the URL. If you want to get your rewrite rule working, replace # in the URL with %23 and it will work.