Extension:Fail2banlog

From MediaWiki.org
MediaWiki extensions manual
fail2banlog
Release status: experimental
Implementation: User activity
Description: Writes a text file with IP of failed login as an input for the fail2ban software
Author(s): Laurent Chouraki
MediaWiki: 1.11+
Database changes: No
License: No license specified
Download: see the code below
Example: 2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
Parameters:
  • $fail2banfile
  • $fail2banid
Hooks used:
  • LoginAuthenticateAudit

The Fail2banlog extension writes failed logins to a log file that fail2ban reads, so you can block brute-force attacks at the firewall level.

Usage

You will need fail2ban from fail2ban.org.

Add the following to your fail2ban config (don't forget to change the file name):

[MediaWiki]
enabled = true
logfile = /home/www/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z
failregex = Authentication error

With newer versions of fail2ban, you can instead create a new filter file named mediawiki.conf in /etc/fail2ban/filter.d:

[Definition]
failregex = Authentication error from <HOST> on .*
# note 2018/4/12- I have just tweaked the code to log entries compatible with the above.
# If in doubt, use fail2ban-regex to test your filter.

Then reference it from /etc/fail2ban/jail.conf with something like:

[MediaWiki]
enabled = true
filter = mediawiki
action  = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /home/www/log/MWf2b.log
maxretry = 3
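
The check below is an added example, not part of the extension or of fail2ban; it does offline what `fail2ban-regex` is recommended for above, running the page's failregex and two assumed variants for the optional "for $name" log format over constructed log lines. The `<HOST>` expansion is a simplified IPv4-only stand-in, the filter names and sample addresses are made up, and the regexes are searched against the whole line, which simplifies fail2ban's own matching.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption:
# the real tag also accepts hostnames and, in newer releases, IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FILTERS = {
    # failregex from mediawiki.conf on this page (no user name in the line)
    "page": r"Authentication error from <HOST> on .*",
    # assumed adjustments for the optional "for $name" log line
    "user_greedy": r"Authentication error for .* from <HOST> on .*",
    "user_lazy": r"Authentication error for .*? from <HOST> on .*",
}

# Constructed log lines in the two formats the extension can write.
STAMP = "2008-02-09 10:47:15 CET "
LINES = {
    "default": STAMP + "Authentication error from 10.2.5.221 on TestWiki",
    "with_user": STAMP + "Authentication error for MyUser from 10.2.5.221 on TestWiki",
    # The name is client-supplied text and may itself resemble the log syntax;
    # the server appends the real peer address after it.
    "odd_name": STAMP + "Authentication error for A from 192.0.2.7 on B"
                        " from 10.2.5.221 on TestWiki",
}


def matched_host(filter_name, line):
    """Return the address the filter would hand to the ban action, or None."""
    regex = FILTERS[filter_name].replace("<HOST>", HOST)
    m = re.search(regex, line)
    return m.group("host") if m else None


def report():
    """Map (filter, line) to the extracted host for every combination."""
    return {(f, l): matched_host(f, LINES[l]) for f in FILTERS for l in LINES}


if __name__ == "__main__":
    for (f, l), host in report().items():
        print(f"{f:12} {l:10} -> {host}")
```

The page's filter does not match the "for $name" format at all, so switching the log line without adjusting the filter silently disables banning. Of the two adjusted variants, only the greedy one reports the address the server wrote last on the line (10.2.5.221) when the user name itself contains log-like text.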

Download instructions

Please cut and paste the code found below (or, for MediaWiki 1.27.0 and later, the second listing below) and place it in $IP/extension/ExtensionName/fail2banlog.php. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.

Installation

To install this extension, add the following to LocalSettings.php:

$fail2banfile = "/home/www/log/MWf2b.log"; // the file fail2ban will read
$fail2banid = $wgSitename; // some info if you use the same file for many wikis
require_once( "$IP/extensions/fail2banlog.php" );

Configuration parameters

  • fail2banfile : The file that is written. Be sure your PHP process can write to it; you may want to rotate it with your logs.
  • fail2banid : A simple text appended to each line.

CentOS 7 Gotchas

  • Currently available fail2ban RPM installs 0.9.7. This is good for IPv4 only.
  • Check your regex in the filter. I did not immediately notice that the failregex earlier was incorrect (now fixed).
  • For MediaWiki, fail2ban will not parse the nominated log file unless you set backend=polling and couple that with a dangling journalmatch declaration in the jail.local file (read the comments for explanation there and here). Do this overriding of backend in its jail section in the jail.local file. DO NOT override backend globally in the file or you may hose other jails that depend on systemd, i.e. sshd.
  • The fail2ban config files as per this current day 2018-04-12 contain somewhat redundant statements and can be cleaned up, i.e. unless you are overriding it, redefining action is unnecessary. I also believe there is no need to touch the fail2ban.local file at all. I am unsure how other packages may differ so I have avoided changing them for now.

Code

<?php

$wgExtensionCredits['other'][] = array(
       'name' => 'fail2banlog',
       'author' =>'Laurent Chouraki', 
       'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog', 
       'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
       );

$wgHooks['LoginAuthenticateAudit'][] = 'logBadLogin';
 
function logBadLogin($user, $password, $retval) {
    global $fail2banfile;
    global $fail2banid;
    if (    $retval == "SUCCESS"
         or $retval == "RESET_PASS"
         or $retval == "ABORTED"
    ) return true; // Do not log success or password send request, continue to next hook
    $time = date("Y-m-d H:i:s T");
    // REMOTE_ADDR is the address of the connecting peer;
    // wfGetIP() may yield different results for proxies
    $ip = $_SERVER['REMOTE_ADDR'];
    $name = $user->getName();
    // Append a line to the log.
    // If you need the username in the log, uncomment the line below
    // (in place of the one after it) and adjust the regex filter accordingly.
    // error_log("$time Authentication error for $name from $ip on $fail2banid\n",3,$fail2banfile);
    error_log("$time Authentication error from $ip on $fail2banid\n",3,$fail2banfile);
    return true; // continue to next hook
}

Code for version from 1.27.0

<?php

$wgExtensionCredits['other'][] = array(
       'name' => 'fail2banlog',
       'author' =>'Laurent Chouraki',
       'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog',
       'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
       );

//Modified by Andrey N. Petrov <andreynpetrov@gmail.com> for Mediawiki versions from 1.27.0

$wgHooks['AuthManagerLoginAuthenticateAudit'][] = 'logBadLogin';
 
function logBadLogin($response, $user, $username) {
    global $fail2banfile;
    global $fail2banid;
    if ( $response->status == "PASS" ) return true; // Do not log successful logins, continue to next hook
    $time = date("Y-m-d H:i:s T");
    // REMOTE_ADDR is the address of the connecting peer;
    // wfGetIP() may yield different results for proxies
    $ip = $_SERVER['REMOTE_ADDR'];

    // append a line to the log
    error_log("$time Authentication error from $ip on $fail2banid\n",3,$fail2banfile);
    return true; // continue to next hook
}