Extension:Fail2banlog
From MediaWiki.org
| fail2banlog | Release status: experimental |
|---|---|
| Implementation | User activity |
| Description | This extension writes a text file with the IPs of failed login attempts as an input to fail2ban. |
| Author(s) | Laurent Chouraki (LaurentChourakiTalk) |
| MediaWiki | 1.11 |
| License | No license specified |
| Download | http://www.mediawiki.org/wiki/Extension:Fail2banlog |
| Example | 2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki |
What can this extension do?
This extension feeds fail2ban so you can block brute-force attacks at the firewall level.
Usage
You will need fail2ban from fail2ban.org.
Add the following to your fail2ban config (don't forget to change the file name):
```
[MediaWiki]
enabled = true
logfile = /home/www/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z
failregex = Authentication error
```
With newer versions of fail2ban, you can instead create a new filter file named mediawiki in /etc/fail2ban/filter.d:
```
[Definition]
failregex = Authentication error .* from <HOST> on
```
Then reference it from /etc/fail2ban/jail.conf with something like:
```
[MediaWiki]
enabled = true
filter = mediawiki
action = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /home/www/log/MWf2b.log
maxretry = 3
```
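Before enabling the jail it is worth checking what the filter extracts from the log format the extension writes. The script below is an added example, not part of the extension or of fail2ban: it applies the failregex above to constructed log lines and counts failures per address against maxretry. The IPv4-only `HOST` pattern and the names `failed_hosts` and `hosts_to_ban` are assumptions made for this sketch.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption; the
# real tag also matches IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex copied from the filter above, with <HOST> expanded.
FAILREGEX = re.compile(
    r"Authentication error .* from <HOST> on".replace("<HOST>", HOST))
MAXRETRY = 3  # same value as maxretry in the jail above

# Constructed log lines in the format the extension writes. The last user
# name itself contains " from <address> on "; because ".*" is greedy, the
# match still ends at the REMOTE_ADDR field written by the extension.
SAMPLE_LOG = """\
2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
2008-02-09 10:47:19 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
2008-02-09 10:47:21 CET Authentication error for Admin from 10.2.5.221 on TestWiki
2008-02-09 10:48:02 CET Authentication error for Some user from 192.0.2.7 on TestWiki
2008-02-09 10:48:30 CET Authentication error for Gone from 198.51.100.9 on here from 192.0.2.7 on TestWiki
"""


def failed_hosts(log_text):
    """Return the address the filter extracts from each matching line."""
    hosts = []
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Addresses with at least maxretry failures (findtime is ignored here)."""
    counts = Counter(failed_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in Counter(failed_hosts(SAMPLE_LOG)).items():
        print(host, n, "ban" if n >= MAXRETRY else "ok")
```

On a host with fail2ban installed, the `fail2ban-regex` tool run against the log file and the filter file performs the same check with the real `<HOST>` expansion.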
Download instructions
Cut and paste the code found below and place it in $IP/extensions/fail2banlog.php. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.
Installation
To install this extension, add the following to LocalSettings.php:
```php
$fail2banfile = "/home/www/log/MWf2b.log"; // the file fail2ban will read
$fail2banid = $wgSitename; // some info if you use the same file for many wiki
require_once( "$IP/extensions/fail2banlog.php" );
```
Configuration parameters
- fail2banfile: the file that is written. Make sure PHP can write to it; you may want to rotate it with your other logs.
- fail2banid: a simple text appended to each line.
Code
```php
<?php
$wgExtensionCredits['other'][] = array(
    'name' => 'fail2banlog',
    'author' => 'Laurent Chouraki',
    'url' => 'http://www.security-database.com',
    'description' => 'This extension writes a text file with IP of failed login as an input to fail2ban.'
);

$wgHooks['LoginAuthenticateAudit'][] = 'logBadLogin';

function logBadLogin( $user, $password, $retval ) {
    global $fail2banfile;
    global $fail2banid;
    // $retval is a LoginForm class constant (an integer), so compare against
    // the constants; comparing with strings only matched SUCCESS by accident
    // of loose typing and logs successful logins on PHP 8.
    if ( $retval == LoginForm::SUCCESS || $retval == LoginForm::RESET_PASS || $retval == LoginForm::ABORTED ) {
        return true; // Do not log success or password send request, continue to next hook
    }
    $time = date( "Y-m-d H:i:s T" );
    $ip = $_SERVER['REMOTE_ADDR']; // wfGetIP() may yield different results for proxies
    $name = $user->getName();
    // append a line to the log
    error_log( "$time Authentication error for $name from $ip on $fail2banid\n", 3, $fail2banfile );
    return true; // continue to next hook
}
```

