How to protect your Joomla instance from brute force attacks with Fail2ban

If you administer at least one Joomla instance you will, sooner or later, be subject to brute force attacks against its login forms. Fail2ban is a very useful service written in Python which periodically scans your log files looking for signs of brute force attacks and performs some actions when an attack is discovered. The most common actions are banning the attacker's IP at the firewall level and sending an email to the server administrator.

Fail2ban comes bundled with filters for many common services (ssh, Apache authentication, etc.), but it has no built-in Joomla filter. Adding one is easy, and here I explain how to do it.

Install Fail2ban

Installing Fail2ban on a Debian-based server is as simple as issuing the following command as root (or with sudo):

$ apt-get install fail2ban

Configuring Fail2ban in general (ban time, actions, email notifications) is out of the scope of this howto; you can find many resources online and in the official Fail2ban wiki.

Install Fail2ban Joomla plugin

To ease the integration of Fail2ban with the Joomla authentication system, install the Joomla Fail2ban plugin through the standard Joomla extension installer. The plugin writes Joomla authentication failures to the web server error log, where Fail2ban can scan for them and ban the attackers' IPs.

After installing and enabling the plugin, a failed Joomla login produces a line like this in your web server error log:

/var/log/apache2/mywebsite_error.log:[Mon Mar 31 10:13:58 2014] [error] [client 212.109.14.203] user mywebsite authentication failure

Fail2ban configuration

Save this Fail2ban filter in a file called joomla-error.conf in /etc/fail2ban/filter.d (the directory is filter.d, singular):

[Definition]

# Option: failregex
# Notes.: matches something like:
# [Mon Mar 31 10:15:00 2014] [error] [client 212.109.14.203] user mywebsite authentication failure
# Values: TEXT
failregex = [[]client <HOST>[]] user .* authentication failure.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

The failregex above matches the Apache 2.2 error log format shown in the example. Apache 2.4 appends the client port after the address (for instance [client 212.109.14.203:54321]), so with that format the closing bracket right after <HOST> never matches and nothing gets banned; on 2.4 you have to allow an optional :port after <HOST>. In either case, test the filter against a real line from your own error log with the fail2ban-regex tool that ships with Fail2ban before relying on it.

Add this jail to your /etc/fail2ban/jail.local:

[joomla-error]
enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/apache2/*error.log
maxretry = 5

Reload the Fail2ban configuration (as root) with:

$ fail2ban-client reload
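To see what the filter and jail will actually do before pointing Fail2ban at a live log, here is an added Python dry-run. It is not code from this post, from the Joomla plugin or from Fail2ban: it approximates what the fail2ban-regex tool and the jail do, matching the failregex against each error log line, extracting the client address and banning a host at its maxretry-th failure within findtime seconds. The <HOST> expansion is a simplified stand-in for Fail2ban's own, the Apache 2.4 variant of the regex (optional :port group) and the log lines are constructed for the example, and findtime=600 is taken from Fail2ban's default jail settings.

```python
"""Dry-run of the joomla-error filter and jail against constructed log lines.

Added example for this howto; not code from the post, the Joomla plugin or
Fail2ban.  It approximates what fail2ban-regex and the jail do: match the
failregex against each Apache error-log line, extract the client address and
ban a host once it reaches maxretry failures within findtime seconds.  The
<HOST> expansion is a simplified stand-in for Fail2ban's own (assumption);
the sample log lines are constructed, not captured from a server.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# failregex exactly as in the joomla-error.conf filter above (Apache 2.2 format).
FAILREGEX_APACHE22 = r"[[]client <HOST>[]] user .* authentication failure.*"

# Apache 2.4 appends ":port" after the client address, which breaks the pattern
# above.  This variant adds an optional port group (assumption: that is the only
# difference between the two formats that matters to this filter).
FAILREGEX_APACHE24 = r"[[]client <HOST>(?::\d+)?[]] user .* authentication failure.*"

# Simplified replacement for Fail2ban's <HOST> tag: an IPv4 address or hostname.
HOST_TAG = r"(?P<host>[\w\-.]+)"

# Apache error-log timestamp: "[Mon Mar 31 10:13:58 2014]" (2.2) or
# "[Mon Mar 31 10:13:58.402913 2014]" (2.4, with microseconds).
TIMESTAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\d{4})\]")

# Constructed sample log.  212.109.14.203 is the address quoted in the post.
SAMPLE_LOG = [
    # five failures from one client within 24 seconds, Apache 2.2 format
    "[Mon Mar 31 10:13:58 2014] [error] [client 212.109.14.203] user mywebsite authentication failure",
    "[Mon Mar 31 10:14:03 2014] [error] [client 212.109.14.203] user admin authentication failure",
    "[Mon Mar 31 10:14:09 2014] [error] [client 212.109.14.203] user administrator authentication failure",
    "[Mon Mar 31 10:14:15 2014] [error] [client 212.109.14.203] user root authentication failure",
    # unrelated error from another client: must not count as a login failure
    "[Mon Mar 31 10:14:20 2014] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico",
    "[Mon Mar 31 10:14:22 2014] [error] [client 212.109.14.203] user mywebsite authentication failure",
    # two failures from another client, Apache 2.4 format with client port
    "[Mon Mar 31 10:20:01.402913 2014] [:error] [pid 2118] [client 10.0.0.5:51234] user mywebsite authentication failure",
    "[Mon Mar 31 10:20:05.118877 2014] [:error] [pid 2118] [client 10.0.0.5:51240] user mywebsite authentication failure",
]


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2ban does (simplified) and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_timestamp(line):
    """Return the line's Apache timestamp as a datetime, or None if absent."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")


def count_failures(lines, failregex):
    """Count matching failures per host: roughly what fail2ban-regex reports."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def scan(lines, failregex, maxretry=5, findtime=600):
    """Apply the jail logic: ban a host at its maxretry-th failure inside a
    sliding window of findtime seconds.  Returns {host: time of ban}."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = pattern.search(line)
        ts = parse_timestamp(line)
        if not m or ts is None or m.group("host") in banned:
            continue
        host = m.group("host")
        # keep only the failures that still fall inside the findtime window
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, rx in (("Apache 2.2 regex", FAILREGEX_APACHE22),
                     ("Apache 2.4 regex", FAILREGEX_APACHE24)):
        print(name, "failures per host:", dict(count_failures(SAMPLE_LOG, rx)))
        print(name, "banned:", scan(SAMPLE_LOG, rx))
```

Running it shows the point of the caveat above: the post's regex counts the five Apache 2.2 lines and bans 212.109.14.203 at the fifth failure, but sees none of the Apache 2.4 lines, while the variant with the optional port group counts both clients (and still does not ban 10.0.0.5, which stays below maxretry). Lowering findtime to a few seconds lets the same five failures through unbanned, which is why the window matters as much as the threshold.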

Be happy when an attacker gets banned

If you configured Fail2ban to send you an email when an attacker is banned, you will receive a message with a text similar to the following once a client reaches five failures within the jail's findtime:

The IP 212.109.14.203 has just been banned by Fail2Ban after
5 attempts against joomla-error.

The attacker's IP is shown here on purpose. I think it's useful to expose attackers' IPs in public! 😉


12 thoughts on “How to protect your Joomla instance from brute force attacks with Fail2ban”

  1. I can’t thank you enough for documenting this process. I was pleased to learn that there is a readily available fail2ban plug-in for Joomla (thank you, mediahof, for that!), which makes this process so very simple. I think I will kick back and enjoy watching bots be banned. 🙂 Thanks again!

  2. Hello, thanks for this guide, but I can’t find this message in the Apache error_log (“authentication failure”) when I try to force the admin page.

    Thank you

    • Thank you for the information, the Joomla Extensions Directory site has been updated recently and the link has changed. I have now updated the link.

      I don’t think that the plugin will work on J1.5, because it’s advertised for J2.5+.

  3. To be honest, I’d rather use my own regex. It blocks admin login and user login failures.

    failregex = user .* authentication failure.*client:

      • Sorry, the HOST part is getting filtered out.

        failregex = user .* authentication failure.*client: <HOST>

  4. Hi, sorry for my English. I installed and enabled this extension and followed these steps, but fail2ban doesn’t block. How can I make this work?
