Extension:Fail2banlog

fail2banlog

Release status: experimental
Implementation: User activity
Description: Writes a text file with IP of failed login as an input for the fail2ban software
Author(s): Laurent Chouraki (LaurentChouraki)
MediaWiki: 1.11+
Database changes: No
License: No license specified
Download: see here
Example: 2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
Parameters:
  • $fail2banfile
  • $fail2banid
Hooks used: LoginAuthenticateAudit

The Fail2banlog extension feeds "fail2ban" so you can block brute-force attacks at the firewall level.

Usage

You will need fail2ban from fail2ban.org.

You have to add this to your fail2ban config (don't forget to change the file name):

[MediaWiki]
enabled = true
logfile = /home/www/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z
failregex = Authentication error

With newer versions of fail2ban, you can create a new filter file named mediawiki.conf in /etc/fail2ban/filter.d:

[Definition]
failregex = Authentication error .* from <HOST> on

Then reference it from /etc/fail2ban/jail.conf with something like:

[MediaWiki]
enabled = true
filter = mediawiki
action  = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /home/www/log/MWf2b.log
maxretry = 3
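
A way to check the filter and jail above before enabling them, as an added example (not part of the extension or of fail2ban): it runs the failregex over constructed log lines in the extension's format and counts matches per address against maxretry. The IPv4-only <HOST> substitution and the function names are assumptions for this example; fail2ban's own expansion is broader, and the findtime window is ignored.

```python
import re
from collections import Counter

# failregex from the mediawiki.conf filter above.
FAILREGEX = r"Authentication error .* from <HOST> on"
# fail2ban expands <HOST> itself; this IPv4-only group is a simplified stand-in (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
MAXRETRY = 3  # maxretry from the [MediaWiki] jail above

# Constructed sample lines in the format logBadLogin() writes.
# Line 4 has a user name with a space; line 5 has one that itself contains "from ... on".
SAMPLE_LOG = """\
2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
2008-02-09 10:47:18 CET Authentication error for MyUser from 10.2.5.221 on TestWiki
2008-02-09 10:47:21 CET Authentication error for Admin from 10.2.5.221 on TestWiki
2008-02-09 10:48:02 CET Authentication error for Some User from 192.0.2.7 on TestWiki
2008-02-09 10:49:40 CET Authentication error for X from 198.51.100.9 on Y from 203.0.113.5 on TestWiki
2008-02-09 10:50:00 CET Login succeeded for MyUser from 10.2.5.221 on TestWiki
"""


def failed_host(line):
    """Return the address the filter would report for this line, or None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Addresses whose matching lines reach maxretry (no time window applied)."""
    counts = Counter(h for h in map(failed_host, log_text.splitlines()) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(failed_host(line), "<-", line)
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Because `.*` is greedy, the address captured is the last "from ... on" in the line, which is the one the extension writes from REMOTE_ADDR. On a host with fail2ban installed, `fail2ban-regex /home/www/log/MWf2b.log /etc/fail2ban/filter.d/mediawiki.conf` runs the real filter against the real log.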

Download instructions

Please cut and paste the code found below and place it in $IP/extensions/fail2banlog.php, the path loaded by the require_once line in the Installation section. Note: $IP stands for the root directory of your MediaWiki installation, the same directory that holds LocalSettings.php.

Installation

To install this extension, add the following to LocalSettings.php:

$fail2banfile = "/home/www/log/MWf2b.log"; // the file fail2ban will read
$fail2banid = $wgSitename; // some info if you use the same file for many wikis
require_once( "$IP/extensions/fail2banlog.php" );

Configuration parameters

  • fail2banfile: the file that is written. Make sure PHP can write to it; you may want to rotate it with your other logs.
  • fail2banid: a simple text appended to each line.

Code

<?php

$wgExtensionCredits['other'][] = array(
    'name' => 'fail2banlog',
    'author' => 'Laurent Chouraki',
    'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog',
    'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
);

$wgHooks['LoginAuthenticateAudit'][] = 'logBadLogin';

function logBadLogin($user, $password, $retval) {
    global $fail2banfile;
    global $fail2banid;
    if (    $retval == "SUCCESS"
            or $retval == "RESET_PASS"
            or $retval == "ABORTED"
    ) return true; // Do not log success or password send request, continue to next hook
    $time = date("Y-m-d H:i:s T");
    $ip = $_SERVER['REMOTE_ADDR']; // wfGetIP() may yield different results for proxies
    $name = $user->getName();
    // append a line to the log
    error_log("$time Authentication error for $name from $ip on $fail2banid\n", 3, $fail2banfile);
    return true; // continue to next hook
}