fail2ban jail for Joomla (all releases: 1.5 - 2.5 - 3.xx)

NOTES: - this version works only for ITALIAN LOCALIZATION but can be easily customized for any other language... - Joomla site has to be configured to report logging errors (see Global Configuration) - Standard Joomla log in <siteroot>/logs/error.php 1. ---------------------------------------------- In file /etc/fail2ban/jail.conf add: # # Joomla-Login [LK] # [joomla-login-lk] # Joomla BruteForce/DDOS enabled = true port = http,https filter = joomla-login.lk logpath = /var/www/<MyJoomlaSite>/logs/error.php # logpath has to point to your log file(s) # logpath = any absolute path to error.php (or any other) log file(s) # WILDCARDS are accepted! # Example (multiple sites): # logpath = /var/www/Joomla/*/logs/error.php maxretry = 3 2. ---------------------------------------------- In folder /etc/fail2ban/filter.d create file joomla-login.lk.conf (set owner/permissions to root:root / 644) and fill it with: # Fail2Ban configuration file # # Author: Luca Lanari # Rule by : Luca Lanari # # $Revision$ # [Definition] # pattern(s): # #2014-05-18 19:32:21 - 91.200.12.25 FAILURE: User does not exist #2014-05-18 19:34:04 - 91.200.12.25 FAILURE: User does not exist #2014-05-18 19:40:43 - 91.200.12.25 FAILURE: User does not exist #2014-05-18 19:58:58 - 91.200.12.25 FAILURE: User does not exist # #2013-03-19 13:42:47 - 82.184.61.49 FAILURE: Invalid password #2013-03-19 14:17:10 - 82.184.61.49 FAILURE: Invalid password #2013-03-19 19:08:23 - 87.14.64.132 FAILURE: Invalid password #2013-03-19 19:09:05 - 87.14.64.132 FAILURE: Invalid password # #2014-09-23T17:22:20+00:00 INFO 79.16.115.30 joomlafailure Nome utente e password non corretti o non hai ancora un account. #2014-09-24T12:55:49+00:00 INFO 88.54.227.170 joomlafailure Password vuota non consentita #2015-10-13T15:17:16+00:00 INFO 79.45.163.125 cookiefailure Password vuota non consentita ("") # # Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # # LK - New version - OPTMIZED (good for J1.5 - J2.5 - J3.xx) failregex = ^\t-\t<HOST>\t\ FAILURE:\ \tUser does not exist.*$ ^\t-\t<HOST>\t\ FAILURE:\ \tInvalid password.*$ ^\t-\t<HOST>\t\ FAILURE:\ \tEmpty password not allowed.*$ ^\tINFO\t<HOST>\tJoomla\ FAILURE:\ \tNome\ utente\ e\ password\ non\ corretti.*$ ^\tINFO\t<HOST>\tJoomla\ FAILURE:\ \tPassword\ vuota\ non\ consentita.*$ ^\tINFO\t<HOST>\tJoomla\ FAILURE:\ \tUsername\ e\ Password\ non\ coincidono.*$ ^\tINFO\ <HOST>\tjoomlafailure\tNome\ utente\ e\ password\ non\ corretti.*$ ^\tINFO\ <HOST>\tjoomlafailure\tUsername\ e\ Password\ non\ coincidono.*$ ^\tINFO\ <HOST>\tjoomlafailure\tPassword\ vuota\ non\ consentita.*$ ^\tINFO\ <HOST>\tcookiefailure\tNome\ utente\ e\ password\ non\ corretti.*$ ^\tINFO\ <HOST>\tcookiefailure\tUsername\ e\ Password\ non\ coincidono.*$ ^\tINFO\ <HOST>\tcookiefailure\tPassword\ vuota\ non\ consentita.*$ # Option: ignoreregex # # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =