Extension:Fail2banlog

The Fail2banlog extension feeds "fail2ban" so you can block bruteforce attacks at the firewall level.

Usage
You will need fail2ban from fail2ban.org.

You have to add this to your fail2ban config (don't forget to change the file name) :

[MediaWiki] enabled = true logfile = /home/www/log/MWf2b.log port = http timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3} timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z failregex = Authentication error

With newer version of fail2ban, you may create a new filter file in /etc/fail2ban/filter.d named mediawiki.conf : [Definition] failregex = Authentication error from  on .*
 * 1) note 2018/4/12- I have just tweaked the code to log entries compatible with the above.
 * 2) If in doubt, use fail2ban-regex to test your filter.

And call it from /etc/fail2ban/jail.conf with something like : [MediaWiki] enabled = true filter = mediawiki action = iptables-multiport[name=web, port="http,https", protocol=tcp] logpath = /home/www/log/MWf2b.log maxretry = 3

Download instructions
Please cut and paste the code found below or below for version from 1.27.0 and place it in. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.

Installation
To install this extension, add the following to LocalSettings.php:

Configuration parameters

 * fail2banfile : The file written, be sure you php can write to it, you may want to rotate it with your logs.
 * fail2banid : a simple test appended to each line.

Centos 7 Gotchas

 * Currently available fail2ban rpm installs 0.97. This is good for ipv4 only.
 * Check your regex in the filter. I did not immediately notice that the failregex earlier was incorrect (now fixed).
 * For MediaWiki, fail2ban will not parse the nominated log file unless you set  and couple that with a dangling journalmatch declaration in the jail.local file (read the comments for explanation there). Do this overriding of backend in its jail section in the jail.local file, do not override backend globally in the file or you may hose other jails that depend on systemd.
 * The fail2ban config files as per this current day 2018-04-12 contain somewhat redundant statements and can be cleaned up, i.e. unless you are overriding it, defining action is unnecessary if you have used fail2ban per instructions to a tee so far, it should default to action_. I also believe there is no need to touch the fail2ban.local file at all. I am unsure how other packages may differ so I have avoided changing them for now.