CSF + Brute force phpmyadmin

anton1982

Verified User
Joined
Jun 12, 2016
Messages
43
Hi, yesterday I found a topic regarding this issue but it isn't very active anymore so I thought to put it here. The problem is that brute-force protection isn't working for phpMyAdmin (it does for DA, IMAP, etc.). Can anyone tell me the way to get this fixed? Or if the way it is described here is still the way to go?
http://forum.directadmin.com/showthread.php?t=43202&page=3
 
Did you enable it in csf.conf?
LF_DIRECTADMIN = "5"
LF_DIRECTADMIN_PERM = "1"
and
DIRECTADMIN_LOG_P = "/var/www/html/phpMyAdmin/log/auth.log"

If that is not working, it might be a bug and you might get better support on the CSF forums as this is not a DA issue.
 
@Richard G

Correct me if I'm wrong, but doesn't CSF just log access to phpMyAdmin, which is provided by HTTP auth, and not actively restrict access? I've now restricted access to mine using .htaccess (see the thread I started a couple of days ago), although this won't suit everyone.

https://forum.directadmin.com/showthread.php?t=56971
 
Correct me if I'm wrong, but doesn't CSF just log access to phpMyAdmin
I'm not sure if I understand correctly what you are trying to say. But my first response would be no, that's wrong.
CSF is an iptables firewall shell, which does not log anything. It reads log files to detect if it has to block anything.
The auth.log in phpMyAdmin is provided by phpMyAdmin (or HTTP auth if you want), not by CSF. So if it finds too many wrong logins in the auth file it will block the IP for access. There is no reason why this should not work with phpMyAdmin (since the option is in the config) like with other options (mail, FTP etc.), unless it has a bug.

You can of course restrict via .htaccess, and there is even an option in CSF to block too many .htaccess logins when a .htpasswd is used. At least if it's logged by Apache.

That's a choice. But brute force attempts will always keep taking place.
 
@Richard G

Thanks for the explanation. I understand what you're saying. My CSF settings were as you mentioned in your earlier post, but for some reason DirectAdmin's messaging system was repeatedly informing me that this one IP kept being allowed to repeatedly attempt to log in via phpMyAdmin:

Subject: Brute-Force Attack detected in service log from IP(s) xxx.xxx.xxx.xx
A brute force attack has been detected in one of your service logs.

IP xxx.xxx.xxx.xx has 1677 failed login attempts: phpmyadmin3=1677

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
10/02/2018 14:32

Since I restricted access to my IP only via .htaccess, this has now stopped. What I don't know is what setting limits the number of failed login attempts an IP can make. If it was a bug, surely it would affect all DirectAdmin/CSF users, not just a couple of people who have posted here.

Regards
 
My settings are also exactly as @Richard G says. The logging in /var/www/html/phpMyAdmin/log/auth.log is working fine but the blocking part isn't.
 
Hey,

I wonder why you don't use the CSF + DirectAdmin integration? Why do you need CSF to detect brute-force attempts when DirectAdmin can do it all for you?

Why do you think CSF/LFD understands what to do with /var/www/html/phpMyAdmin/log/auth.log ?
 
Here is an example of what we have here:

- somebody tried to brute-force phpMyAdmin:

Code:
[root@server ~]# cat /var/www/html/phpMyAdmin/log/auth.log
Oct 05 04:13:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:35 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:16:15 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:16:27 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:16:53 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:18:03 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:18:52 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:18:56 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:19:34 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:20:47 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:21:09 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:21:12 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:21:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:22:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:22:48 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:22:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:25:21 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:25:55 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:26:30 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:29:02 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:29:41 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:30:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:32:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:34:13 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:34:33 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:34:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:35:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:35:39 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
[root@server ~]#

- DirectAdmin detects the attacker and sends a command to CSF to block it. And it's blocked:

Code:
[root@server ~]# csf -g 185.234.218.61

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 185.234.218.61 in iptables

IPSET: Set:chain_DENY Match:185.234.218.61 Setting: File:/etc/csf/csf.deny

IPSET: Set:MESSENGER Match:185.234.218.61

ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 185.234.218.61 in ip6tables

csf.deny: 185.234.218.61 # Blocked with Directadmin Brute Force Manager - Thu Oct  4 22:36:01 2018
[root@server ~]#

see: csf.deny: 185.234.218.61 # Blocked with Directadmin Brute Force Manager - Thu Oct 4 22:36:01 2018


Installation guide: https://forum.directadmin.com/showthread.php?t=44839&p=229244#post229244
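Richard G's post above describes the mechanism (a watcher reads the auth log, counts failed logins per IP and blocks once a trigger count is reached) and the post above shows both the auth.log record format and the resulting csf.deny entry. The following Python script is an added example, not code from CSF, LFD, DirectAdmin or any poster: it parses records in the format shown, applies a sliding-window count with the trigger of 5 from LF_DIRECTADMIN = "5", and returns the `csf -d` argument vector and a csf.deny-style line instead of calling csf, so it can be run offline. The sample lines, the one-hour window, the year 2018 and the second client 203.0.113.7 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample in the same layout as the thread's
# /var/www/html/phpMyAdmin/log/auth.log dump. The shell prompt line is
# included on purpose: the parser must ignore anything that is not a
# "user denied" record. 203.0.113.7 (a documentation address) is a
# constructed second client that stays below the trigger.
SAMPLE_AUTH_LOG = """\
[root@server ~]# cat /var/www/html/phpMyAdmin/log/auth.log
Oct 05 04:13:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:35 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:16:15 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 09:40:56 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '203.0.113.7'
Oct 05 10:50:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '203.0.113.7'
"""

# Matches exactly the record layout visible in the thread: syslog-style
# timestamp (no year), quoted user, reason in parentheses, quoted client IP.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) phpmyadmin: user denied: "
    r"'(?P<user>[^']*)' \((?P<reason>[^)]*)\) from '(?P<ip>[^']+)'$"
)

# Comment text csf wrote into csf.deny in the thread's output.
COMMENT = "Blocked with Directadmin Brute Force Manager"


class DeniedLogin(NamedTuple):
    when: datetime
    user: str
    reason: str
    ip: str


def parse_auth_log(text: str, year: int) -> List[DeniedLogin]:
    """Extract denied-login records. The log carries no year, so the caller
    supplies one (assumption: every line falls within that year)."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines, unrelated messages
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append(DeniedLogin(when, m.group("user"), m.group("reason"), m.group("ip")))
    return events


def find_brute_forcers(events: List[DeniedLogin], trigger: int = 5,
                       window_hours: float = 1.0) -> Dict[str, datetime]:
    """Return ip -> time at which that ip reached `trigger` denials inside any
    sliding window of `window_hours`. trigger=5 mirrors LF_DIRECTADMIN = "5";
    the one-hour window is this example's assumption, not a CSF setting."""
    window = timedelta(hours=window_hours)
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev.when)
    hits: Dict[str, datetime] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop denials older than the window
                start += 1
            if end - start + 1 >= trigger:
                hits[ip] = t
                break
    return hits


def csf_deny_command(ip: str) -> List[str]:
    """Argument vector for csf's deny option (csf -d IP comment); returned,
    not executed, so the example runs without csf installed."""
    return ["csf", "-d", ip, COMMENT]


def csf_deny_entry(ip: str, when: datetime) -> str:
    """Line in the shape csf wrote to /etc/csf/csf.deny in the thread."""
    return f"{ip} # {COMMENT} - {when.ctime()}"


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG, year=2018)
    for ip, when in find_brute_forcers(evs).items():
        print(" ".join(csf_deny_command(ip)))
        print(csf_deny_entry(ip, when))
```

Running it flags only 185.234.218.61, which reaches five denials at 04:14:35; the constructed second client never has five denials in an hour and is left alone. The point of the sliding window is that a slow attacker who spreads attempts out (as the thread's real log shows, with gaps of minutes) still crosses the trigger once enough attempts land inside the window, while a single mistyped password from a legitimate user does not.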
 
Hi Alex,

I also have the logs
Code:
[root@shared6 csf]# cat /var/www/html/phpMyAdmin/log/auth.log
Oct 05 09:40:56 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 09:46:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 09:57:38 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 09:58:58 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:05:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:06:28 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:06:32 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:07:48 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:09:14 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:10:27 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:11:13 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:11:39 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:11:42 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:12:42 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:13:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:15:44 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:17:49 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:18:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:18:57 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:20:01 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:20:16 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:20:17 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:24:00 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:24:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:24:41 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:29:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:31:54 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:32:00 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:35:32 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:36:24 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:37:29 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:42:06 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:48:23 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:49:55 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:49:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 10:50:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'

But it does not get passed to CSF / iptables:
Code:
[root@shared6 csf]# csf -g 185.234.218.61

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 185.234.218.61 in iptables


ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 185.234.218.61 in ip6tables
 
Aha, I didn't know that CSF only detects the entries in that case and does not block them like it does with Apache logs, for example.
So CSF only passes it to the DA BFM monitor.

I've got a simpler script for the BFM monitor which takes care of those blocks, so this explains why it was working in my case.
 
Funny. The IP 185.234.218.61 was the same as the one trying to access my server via phpMyAdmin also.
 