If, like me, you manage one or more Joomla websites, you will no doubt be aware of the sorry lack of user-friendly documentation and the appalling lack of a powerful native log facility. This seems to me to be an enormous oversight on the part of the developers; however, with a little jiggery-pokery it is possible to get the information you need.
I noticed recently that there were enormous numbers (1500 per day) of failed login attempts at the default backend URL (site.com/administrator/). This is to be expected of any installation like this; however, one cannot help but feel uneasy at the incessant minute-by-minute brute-force dictionary attacks rolling by in the log. If your passwords are secure then you'll almost certainly be fine. If your administrator username is anything but admin, you'll be even better off. Still, I wasn't satisfied and I decided to call in the big guns.
When it comes to defence against brute force attacks, few tools are better than Fail2ban. In the words of Wikipedia:
"Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper."
It really is a great tool for defending against the legions of casual script kiddies.
So, to work. I needed to configure F2B to ban anybody (any address) which appeared regularly in the log as having failed authentication. First I needed to find the logs.
It turns out that the logs are to be found at System > Global Configuration > System > Path to Log Folder. On my system this was in ~mysite/administrator/logs. Who knew!
Armed with this information it was time to set up F2B.
I already had F2B set up covering such things as sendmail and sshd so it was just a matter of adding support for a new service. I won't go into detail about setting up F2B from scratch as there are plenty of good guides out there covering that.
It was the paucity of guides covering the addition of a service to F2B, however, which prompted me to write this post. There just doesn't seem to be one which is set out properly and logically, so I'll do my best to cover it here.
First, it is necessary to navigate to /etc/fail2ban/filter.d/ and create a new filter file to protect Joomla. I called mine joomla-login.conf and its contents are shown below.
# Fail2Ban configuration file
#
# Author: Paula Livingstone
# Rule by : Paula Livingstone
[Definition]
# pattern(s):
#2018-10-12T09:23:16+00:00 INFO 185.206.225.144 joomlafailure Username and password do not match or you do not have an account yet. ("admin")
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# OPTIMISED REGEX (good for J1.5 - J2.5 - J3.xx)
failregex = ^\tINFO\ <HOST>\tjoomlafailure\tUsername and password do not match or you do not have an account yet.*$
This file tells F2B the makeup of the lines in the log and, by using a regex, enables it to parse the necessary information (the offending address) from each line of the log.
Having completed this, we now need to add an entry to our jail.local file which can be found at /etc/fail2ban/jail.local. Within this file we add the following:
[joomla-login]
# Joomla BruteForce/DDOS
enabled = true
port = http,https
filter = joomla-login
logpath = {insert your absolute path here}/administrator/logs/error.php
# logpath has to point to your log file(s)
# logpath = any absolute path to error.php (or any other) log file(s)
maxretry = 3
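To see what the filter and the jail actually do together before restarting F2B, here is an added Python example (not from the original post, and not Fail2ban's own code) that walks through the same two steps over a constructed error.php: it strips the timestamp the way Fail2ban does, applies the failregex above with <HOST> expanded to the alias quoted in the filter file's comments, and then applies the jail's maxretry rule within a findtime window. It assumes Joomla's log layout (tab-separated fields, with a single space between the priority and the client IP, which is why the pattern mixes \t and an escaped space), and it assumes Fail2ban's stock findtime of 600 seconds, since the jail above does not set one; the log lines, addresses and times are made up.

```python
import re
from datetime import datetime, timedelta

# Fail2ban's expansion of the <HOST> tag, as quoted in the filter file's comments.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from joomla-login.conf with <HOST> expanded the way Fail2ban does it.
FAILREGEX = re.compile(
    r"^\tINFO\ " + HOST_ALIAS
    + r"\tjoomlafailure\tUsername and password do not match or you do not have an account yet.*$"
)

# Fail2ban locates the timestamp and removes it before applying failregex; Joomla writes an
# ISO 8601 timestamp with a numeric offset at the start of each line.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def parse_failure(line):
    """Return (timestamp, host) if the line is a Joomla login failure, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None            # header lines such as '#Fields: ...' carry no timestamp
    when = datetime.fromisoformat(m.group(1))
    rest = line[m.end():]      # what Fail2ban hands to failregex: it starts with the tab
    f = FAILREGEX.match(rest)
    if not f:
        return None
    return when, f.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Emulate the jail: a host is banned once it has maxretry failures within findtime seconds.

    findtime=600 is an assumption: the jail above inherits it from Fail2ban's DEFAULT section.
    Returns {host: time the ban would have been issued}.
    """
    window = timedelta(seconds=findtime)
    recent = {}      # host -> timestamps of failures still inside the window
    banned = {}      # host -> time the ban would have been issued
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        if host in banned:
            continue
        times = [t for t in recent.get(host, []) if when - t <= window]
        times.append(when)
        recent[host] = times
        if len(times) >= maxretry:
            banned[host] = when
    return banned


# Constructed sample in the layout of Joomla's administrator/logs/error.php. Addresses and
# times are made up; 198.51.100.7 is a documentation address standing in for a user who
# mistypes a password twice, twenty minutes apart.
FAIL_MSG = 'Username and password do not match or you do not have an account yet. ("admin")'
SAMPLE_LOG = "\n".join([
    "#<?php die('Forbidden.'); ?>",
    "#Fields: datetime\tpriority clientip\tcategory\tmessage",
    "2018-10-12T09:10:00+00:00\tINFO 198.51.100.7\tjoomlafailure\t" + FAIL_MSG,
    "2018-10-12T09:23:16+00:00\tINFO 185.206.225.144\tjoomlafailure\t" + FAIL_MSG,
    "2018-10-12T09:23:40+00:00\tINFO 185.206.225.144\tjoomlafailure\t" + FAIL_MSG,
    "2018-10-12T09:23:50+00:00\tINFO 185.206.225.144\tdeprecated\tSomething unrelated",
    "2018-10-12T09:24:05+00:00\tINFO 185.206.225.144\tjoomlafailure\t" + FAIL_MSG,
    "2018-10-12T09:30:00+00:00\tINFO 198.51.100.7\tjoomlafailure\t" + FAIL_MSG,
])

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
```

Run as written, it bans only 185.206.225.144 (third failure at 09:24:05) and leaves 198.51.100.7 alone, because its two failures are further apart than findtime. For the real check against your own log, Fail2ban ships fail2ban-regex: `fail2ban-regex /path/to/administrator/logs/error.php /etc/fail2ban/filter.d/joomla-login.conf` reports how many lines the failregex matched and which dates it recognised, so a zero there means the path or the tab/space layout is wrong before you ever restart the service.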
So, all that remained was to restart the F2B service and watch the attackers get banned. F2B has the facility to send an email each time it carries out a given action so this is no great shakes to set up and watch the fireworks.
Comment below if you feel the need. Happy hunting...