
Thread: CSF + Brute force phpmyadmin

  1. #1
    Join Date
    Jun 2016
    Posts
    40

    CSF + Brute force phpmyadmin

    Hi, yesterday I found a topic regarding this issue but it isn't very active anymore, so I thought to put it here. The problem is that brute-force protection isn't working for phpMyAdmin (it does for DA, IMAP, etc.). Can anyone tell me the way to get this fixed? Or is the way it is described here still the way to go?
    http://forum.directadmin.com/showthr...t=43202&page=3

  2. #2
    Join Date
    Apr 2013
    Location
    London
    Posts
    45
    +1 on this issue. Also need advice.

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,583
    Did you enable it in csf.conf?
    LF_DIRECTADMIN = "5"
    LF_DIRECTADMIN_PERM = "1"
    and
    DIRECTADMIN_LOG_P = "/var/www/html/phpMyAdmin/log/auth.log"

    If that is not working, it might be a bug and you might get better support on the CSF forums as this is not a DA issue.
    Greetings, Richard.

  4. #4
    Join Date
    Apr 2013
    Location
    London
    Posts
    45
    @Richard G

    Correct me if I'm wrong, but doesn't CSF just log access to phpMyAdmin, which is provided by HTTP auth, and not actively restrict access? I've now restricted access to mine using .htaccess (see the thread I started a couple of days ago), although this won't suit everyone.

    https://forum.directadmin.com/showthread.php?t=56971

    Quote Originally Posted by Richard G
    Did you enable it in csf.conf?
    LF_DIRECTADMIN = "5"
    LF_DIRECTADMIN_PERM = "1"
    and
    DIRECTADMIN_LOG_P = "/var/www/html/phpMyAdmin/log/auth.log"

    If that is not working, it might be a bug and you might get better support on the CSF forums as this is not a DA issue.

  5. #5
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,583
    Correct me if I'm wrong, but doesn't CSF just log access to phpMyAdmin
    I'm not sure if I understand correctly what you are trying to say. But my first response would be no, that's wrong.
    CSF is an iptables firewall shell, which does not log anything. It reads log files to detect if it has to block anything.
    The auth.log in phpMyAdmin is provided by phpMyAdmin (or HTTP auth if you want), not by CSF. So if it finds too many wrong logins in the auth file it will block the IP for access. There is no reason why this should not work with phpMyAdmin (since the option is in the config) like with other options (mail, FTP etc.), unless it has a bug.

    You can of course restrict via .htaccess, and there is even an option in CSF to block too many .htaccess logins when a .htpasswd is used. At least if it's logged by Apache.

    That's a choice. But brute force attempts will always keep taking place.
    Greetings, Richard.

  6. #6
    Join Date
    Apr 2013
    Location
    London
    Posts
    45
    @Richard G

    Thanks for the explanation. I understand what you're saying. My CSF settings were as you mentioned in your earlier post, but for some reason the DirectAdmin messaging system was repeatedly informing me that this one IP kept being allowed to repeatedly attempt to log in via phpMyAdmin:

    Subject: Brute-Force Attack detected in service log from IP(s) xxx.xxx.xxx.xx
    A brute force attack has been detected in one of your service logs.

    IP xxx.xxx.xxx.xx has 1677 failed login attempts: phpmyadmin3=1677

    Check 'Admin Level -> Brute Force Monitor' for more information
    http://help.directadmin.com/item.php?id=404
    10/02/2018 14:32
    Since I restricted access to my IP only via .htaccess, this has now stopped. What I don't know is what setting limits the number of failed login attempts an IP can make. If it was a bug, surely it would affect all DirectAdmin/CSF users, not just a couple of people who have posted here.

    Regards

  7. #7
    Join Date
    Jun 2016
    Posts
    40
    My settings are also exactly as @Richard G says. The logging in /var/www/html/phpMyAdmin/log/auth.log is working fine, but the blocking part isn't.

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,569
    Hey,

    I wonder why you don't use the CSF+DirectAdmin integration? Why do you need CSF to detect brute-force attempts when DirectAdmin can do it all for you?

    Why do you think CSF/LFD understands what to do with /var/www/html/phpMyAdmin/log/auth.log?

  9. #9
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,569
    Here is an example of what we have here:

    - somebody tried to brute-force phpMyAdmin:

    Code:
    [root@server ~]# cat /var/www/html/phpMyAdmin/log/auth.log
    Oct 05 04:13:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:13:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:13:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:14:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:14:35 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:16:15 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:16:27 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:16:53 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:18:03 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:18:52 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:18:56 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:19:34 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:20:47 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:21:09 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:21:12 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:21:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:22:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:22:48 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:22:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:25:21 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:25:55 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:26:30 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:29:02 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:29:41 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:30:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:32:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:34:13 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:34:33 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:34:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:35:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 04:35:39 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    [root@server ~]#
    - DirectAdmin detects the attacker and sends a command to CSF to block it. And it's blocked:


    Code:
    [root@server ~]# csf -g 185.234.218.61

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 185.234.218.61 in iptables

    IPSET: Set:chain_DENY Match:185.234.218.61 Setting: File:/etc/csf/csf.deny

    IPSET: Set:MESSENGER Match:185.234.218.61

    ip6tables:

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 185.234.218.61 in ip6tables

    csf.deny: 185.234.218.61 # Blocked with Directadmin Brute Force Manager - Thu Oct  4 22:36:01 2018
    [root@server ~]#
    see: csf.deny: 185.234.218.61 # Blocked with Directadmin Brute Force Manager - Thu Oct 4 22:36:01 2018


    Installation guide: https://forum.directadmin.com/showth...244#post229244
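
The posts above settle the mechanics: the phpMyAdmin auth.log is only read, and the actual block is a separate step that hands the IP to CSF (`csf -d`). The following is an added example written for this thread, not code from CSF, DirectAdmin, phpMyAdmin or Poralix. It parses the `user denied` line format shown in the log output above, counts failures per source IP inside a sliding time window (the trigger count mirrors `LF_DIRECTADMIN = "5"` from post #3; the window is an assumption modelled on CSF's `LF_INTERVAL` setting), and generates the `csf -d` commands an integration script would issue. Nothing is executed; the commands are returned as strings so you can compare them against `csf -g <ip>` and `/etc/csf/csf.deny` on a box where blocking is not happening. The sample log is constructed inline: 185.234.218.61 is the address from the thread, while 198.51.100.9 and 203.0.113.7 are documentation-range addresses, and the year is assumed because the log lines carry none.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Matches the phpMyAdmin auth.log format quoted in the thread:
#   Oct 05 04:13:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) phpmyadmin: user denied: "
    r"'(?P<user>[^']*)' \((?P<reason>[^)]*)\) from '(?P<ip>[^']+)'$"
)


def parse_line(line, year=2018):
    """Return (timestamp, user, reason, ip) for a denial line, or None for anything else.

    The log has no year field, so the caller supplies one (assumption: 2018, the thread's date).
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["reason"], m["ip"]


def find_brute_force(lines, trigger=5, interval=3600):
    """Flag IPs with at least `trigger` failed logins inside any `interval`-second window.

    Lines are assumed to be in chronological order, as auth.log is appended.
    Returns {ip: total_failures_seen} for every IP that crossed the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = Counter()            # ip -> all failures, for the report
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines that are not denial records
        ts, _user, _reason, ip = parsed
        totals[ip] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()        # drop failures older than the window
        if len(window) >= trigger:
            flagged.add(ip)
    return {ip: totals[ip] for ip in flagged}


def deny_commands(flagged, reason="phpMyAdmin brute force (example script)"):
    """Build the `csf -d <ip> "<comment>"` commands a BFM block hook would run.

    Returned as strings only; this example never calls csf itself.
    """
    return [f'csf -d {ip} "{reason}: {n} failed logins"' for ip, n in sorted(flagged.items())]


# Constructed sample log: one slow attacker that stays under the hourly trigger,
# one fast attacker (the address from the thread) and one stray failure plus noise.
SAMPLE_LOG = """\
Oct 05 01:00:00 phpmyadmin: user denied: 'admin' (mysql-denied) from '198.51.100.9'
Oct 05 01:30:00 phpmyadmin: user denied: 'admin' (mysql-denied) from '198.51.100.9'
Oct 05 02:00:00 phpmyadmin: user denied: 'admin' (mysql-denied) from '198.51.100.9'
Oct 05 02:30:00 phpmyadmin: user denied: 'admin' (mysql-denied) from '198.51.100.9'
Oct 05 03:00:00 phpmyadmin: user denied: 'admin' (mysql-denied) from '198.51.100.9'
Oct 05 04:13:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:46 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:13:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:14:35 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:16:15 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
Oct 05 04:20:00 phpmyadmin: user denied: 'root' (mysql-denied) from '203.0.113.7'
Oct 05 04:21:00 some unrelated line that the parser must skip
"""

if __name__ == "__main__":
    flagged = find_brute_force(SAMPLE_LOG.splitlines())
    for cmd in deny_commands(flagged):
        print(cmd)
```

Run against a real file with `find_brute_force(open("/var/www/html/phpMyAdmin/log/auth.log"))`. The slow attacker is deliberately not flagged with the default one-hour window, which is the same behaviour a time-windowed trigger in LFD gives; widen `interval` if that is not what you want.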

  10. #10
    Join Date
    Jun 2016
    Posts
    40
    Hi Alex,

    I also have the logs
    Code:
    [root@shared6 csf]# cat /var/www/html/phpMyAdmin/log/auth.log
    Oct 05 09:40:56 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 09:46:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 09:57:38 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 09:58:58 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:05:36 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:06:28 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:06:32 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:07:48 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:09:14 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:10:27 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:11:13 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:11:39 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:11:42 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:12:42 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:13:45 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:15:44 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:17:49 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:18:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:18:57 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:20:01 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:20:16 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:20:17 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:24:00 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:24:10 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:24:41 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:29:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:31:54 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:32:00 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:35:32 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:36:24 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:37:29 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:42:06 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:48:23 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:49:55 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:49:59 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    Oct 05 10:50:43 phpmyadmin: user denied: 'domain[8]' (mysql-denied) from '185.234.218.61'
    But it does not get passed to CSF / iptables:
    Code:
    [root@shared6 csf]# csf -g 185.234.218.61

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 185.234.218.61 in iptables

    ip6tables:

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 185.234.218.61 in ip6tables

  11. #11
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,569
    It won't be passed to CSF if you did not complete the CSF+DirectAdmin BFM integration described here: https://forum.directadmin.com/showth...244#post229244

    It's not enabled by default.

    Related:

    - https://forum.directadmin.com/showthread.php?t=44839
    - https://help.directadmin.com/item.php?id=527

  12. #12
    Join Date
    Jun 2016
    Posts
    40
    Ok, thx. The topic you mention is quite large but the "permanent link to the how to" is https://help.poralix.com/articles/ho...irectadmin-bfm, I will try this. Thx again.

  13. #13
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,583
    Aha, I didn't know that CSF only detected the entries in that case and did not block them like it does with Apache logs, for example.
    So CSF only passes it to the DA BFM monitor.

    I've got a simpler script for the BFM monitor which takes care of those blocks, so this explains why it was working in my case.
    Greetings, Richard.

  14. #14
    Join Date
    Apr 2013
    Location
    London
    Posts
    45
    Funny. The IP 185.234.218.61 was the same as the one trying to access my server via phpMyAdmin also.
