Question Plesk Fail2Ban Rule for Joomla

[t.van.der.plas]

Hi all,

i have been trying to add some custom rule to fail2ban to block joomla brute force attacks - the error.php in joomla logs directory show the following entries (ip is shown in full):

2021-08-24T13:47:54+00:00 INFO 1xx.1xx.3x.1xx joomlafailure Username and password do not match or you do not have an account yet. ("admin")

the ruleset should - at least as far as i understand fail2ban - look like this:

FILTER:
[Definition]
failregex = ^.*INFO <HOST>.*joomlafailure.*(Benutzername|Username).*

JAIL:
[joomla-login-errors]
enabled = true
filter = joomla-login-errors
action = iptables-multiport[name="joomla-login-errors", port="http,https"]
logpath = /var/www/vhosts/*/httpdocs/tmp/error.php
/var/www/vhosts/*/httpdocs/logs/error.php
/var/www/vhosts/*/httpdocs/administrator/logs/error.php
maxretry = 3

unfortunately, those attempts are not blocked - did some of you guys succeed in defining a joomla jail?

 

[IgorG]

You can vote for this feature here Fail2ban Joomla Login Support
And please pay attention to this comment:

This is impossible. Because Joomla returns an HTTP 200 when a login fails, where WordPress (as it should) returns a 401. Fail2Ban checks for those 401 return codes and bans accordingly.

Because Joomla always returns 200 (regardless of whether the login succeeded or not) there is no way to check for failed logins.

 

[t.van.der.plas]

Hi Igor,

many thanks - in the feature request you mentioned, there was some comment:

You can use Fail2ban with Joomla, but will need a regx creating to read joomla logs
/var/www/vhosts/*/httpdocs/log/error.php

so íve been trying to get this up & running somehow