If you administer at least one Joomla instance you’ll be subject to brute force attacks before or after. Fail2ban is a very nice service written in Python which periodically scans your log files looking for signs of brute force attacks and perform some actions when an attack is discovered. The most common actions is to ban the attacker IP at firewall level and send an email to the server administrator.
Fail2ban comes bundled with filters for many common services (ssh, apache authentication, etc.), but it lacks a built-in Joomla integration. Anyway it’s easy to add a Joomla filter to Fail2ban, here I explain how to do it.
Installing fail2ban in a Debian based server is as simple as issuing the following command:
$ apt-get install fail2ban
Configuring Fail2ban properly is out of scope of this howto, you can find many resources online and in the official Fail2ban wiki.
Install Fail2ban Joomla plugin
To ease the integration of Fail2ban with Joomla authentication system you can install a Joomla fail2ban plugin using the standard Joomla plugin installation mechanism. This plugin logs Joomla authentication errors in the standard web server error log. There it will be easy for Fail2ban to scan for errors and ban the attackers IPs.
After installing and activating the plugin you’ll find something like this in your web server error log when user authentication fails in Joomla:
/var/log/apache2/mywebsite_error.log:[Mon Mar 31 10:13:58 2014] [error] [client 220.127.116.11] user mywebsite authentication failure
Save this Fail2ban filter in a file called joomla-error.conf and save it in /etc/fail2ban/filters.d:
[Definition] # Option: failregex # Notes.: matches something like: # [Mon Mar 31 10:15:00 2014] [error] [client 18.104.22.168] user mywebsite authentication failure # Values: TEXT failregex = [client <HOST>] user .* authentication failure.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Add this jail to your /etc/fail2ban/jail.local:
[joomla-error] enabled = true port = http,https filter = joomla-error logpath = /var/log/apache2/*error.log maxretry = 5
Reload fail2ban configuration with:
$ fail2ban-client reload
Be happy when an attacker gets banned
If you configured Fail2ban to send you an email when an attacker is banned you’ll receive an email with a text similar to the following:
The IP 22.214.171.124 has just been banned by Fail2Ban after 5 attempts against joomla-error.
The attacker IP here is left on purpose. I think it’s useful to expose attackers IP in public! 😉