Extension:Fail2banlog

From MediaWiki.org
MediaWiki extensions manual
fail2banlog

Release status: experimental

Implementation: User activity
Description: Writes a text file with IP of failed login as an input for the fail2ban software
Author(s): Laurent Chouraki (LaurentChouraki, talk)
MediaWiki: 1.11+
Database changes: No
License: No license specified
Download: see here
Example: 2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
Parameters:
  • $fail2banfile
  • $fail2banid
Hooks used:
  • LoginAuthenticateAudit


The Fail2banlog extension feeds "fail2ban" so you can block brute-force attacks at the firewall level.

Usage

You will need fail2ban from fail2ban.org.

Add this to your fail2ban configuration (don't forget to change the file name):

[MediaWiki]
enabled = true
logfile = /home/www/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z
failregex = Authentication error

With newer versions of fail2ban, you can instead create a new filter file named mediawiki.conf in /etc/fail2ban/filter.d:

[Definition]
failregex = Authentication error .* from <HOST> on

And call it from /etc/fail2ban/jail.conf with something like:

[MediaWiki]
enabled = true
filter = mediawiki
action  = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /home/www/log/MWf2b.log
maxretry = 3
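
To check the filter before relying on it, the following added example (not part of the extension or of fail2ban) applies the failregex above to constructed log lines in Python, the language fail2ban's regexes are written in. The IPv4-only HOST pattern and the helper names are assumptions of this example; because the user name is written to the log before the address, the last sample line checks that the greedy `.*` still captures the address field.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (an assumption of this
# example; fail2ban's own substitution also accepts IPv6 and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = "Authentication error .* from <HOST> on"  # from mediawiki.conf
MAXRETRY = 3                                          # from the [MediaWiki] jail

# Constructed sample lines in the format the extension writes. In the last
# line the user name text itself contains " from <address> on ".
SAMPLE_LOG = """\
2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
2008-02-09 10:47:19 CET Authentication error for Admin from 10.2.5.221 on TestWiki
2008-02-09 10:47:24 CET Authentication error for Root from 10.2.5.221 on TestWiki
2008-02-09 10:52:02 CET Authentication error for Alice from 10.2.5.30 on TestWiki
2008-02-09 10:53:40 CET Authentication error for Bob from 192.0.2.7 on x from 10.2.5.30 on TestWiki
"""


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> into a capturing group, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_by_host(log_text, failregex=FAILREGEX):
    """Count matching lines per captured host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts that reach maxretry failures (findtime is ignored here)."""
    counts = failures_by_host(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in sorted(failures_by_host(SAMPLE_LOG).items()):
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

On a real system, `fail2ban-regex /home/www/log/MWf2b.log /etc/fail2ban/filter.d/mediawiki.conf` runs the same check with fail2ban's own parser.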

Download instructions

Please cut and paste the code found below and place it in $IP/extensions/fail2banlog.php, the path that the require_once line in the Installation section expects. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.

Installation

To install this extension, add the following to LocalSettings.php:

$fail2banfile = "/home/www/log/MWf2b.log"; // the file fail2ban will read
$fail2banid = $wgSitename; // some info if you use the same file for many wikis
require_once( "$IP/extensions/fail2banlog.php" );

Configuration parameters

  • fail2banfile: the file that is written. Be sure PHP can write to it; you may want to rotate it with your other logs.
  • fail2banid: a simple text appended to each line.

Code

<?php

$wgExtensionCredits['other'][] = array(
	'name' => 'fail2banlog',
	'author' => 'Laurent Chouraki',
	'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog',
	'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
);

$wgHooks['LoginAuthenticateAudit'][] = 'logBadLogin';

// LoginAuthenticateAudit handler: appends one line per failed login to $fail2banfile
function logBadLogin( $user, $password, $retval ) {
	global $fail2banfile, $fail2banid;

	// $retval is a LoginForm class constant (an integer), so compare it
	// against the constants rather than against their names as strings
	if ( $retval == LoginForm::SUCCESS
		|| $retval == LoginForm::RESET_PASS
		|| $retval == LoginForm::ABORTED
	) {
		return true; // Do not log success or password send request, continue to next hook
	}

	$time = date( "Y-m-d H:i:s T" );
	// wfGetIP() may yield different results for proxies; behind a reverse
	// proxy REMOTE_ADDR is the proxy's own address
	$ip = $_SERVER['REMOTE_ADDR'];
	$name = $user->getName();

	// append a line to the log (message type 3 = append to the given file)
	error_log( "$time Authentication error for $name from $ip on $fail2banid\n", 3, $fail2banfile );

	return true; // continue to next hook
}