fail2ban

Hardus

Member
[pre]
You are using DaDaBIK version 10.6-Manarola enterprise, installed on 03-07-2021, the latest version of DaDaBIK is 10.6-Manarola released on 01-26-2021

System info
PHP Version: 7.3.27

mysql version: 5.5.5-10.3.27-MariaDB

Web server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g

Client: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36

URL installation: http://IP-of-Server/dadabik/
[/pre]


I'm trying to "secure" my server more with fail2ban; I'm trying to find the log file where the failed logins are logged.

/var/log/httpd/access_log shows like this:

[pre]
102.65.8.179 - - [08/Mar/2021:11:12:47 +0000] "POST /login.php?function=check_login HTTP/1.1" 200 40732 "https://dadabik.hbit.co.za/login.php?function=check_login" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
102.65.8.179 - - [08/Mar/2021:11:12:52 +0000] "POST /login.php?function=check_login HTTP/1.1" 200 40732 "https://dadabik.hbit.co.za/login.php?function=check_login" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
102.65.8.179 - - [08/Mar/2021:11:12:58 +0000] "POST /login.php?function=check_login HTTP/1.1" 200 40837 "https://dadabik.hbit.co.za/login.php?function=check_login" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
102.65.8.179 - - [08/Mar/2021:11:13:07 +0000] "POST /login.php?function=check_login HTTP/1.1" 200 40837 "https://dadabik.hbit.co.za/login.php?function=check_login" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
102.65.8.179 - - [08/Mar/2021:11:13:27 +0000] "-" 408 - "-" "-"
54.221.27.173 - - [08/Mar/2021:11:26:05 +0000] "GET / HTTP/1.1" 301 235 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
54.221.27.173 - - [08/Mar/2021:11:26:05 +0000] "GET / HTTP/1.1" 302 - "http://dadabik.hbit.co.za" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
54.221.27.173 - - [08/Mar/2021:11:26:05 +0000] "GET /login.php?function=show_login_form HTTP/1.1" 301 269 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
54.221.27.173 - - [08/Mar/2021:11:26:06 +0000] "GET /login.php?function=show_login_form HTTP/1.1" 200 40665 "http://dadabik.hbit.co.za/login.php?function=show_login_form" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
[/pre]

If this is not the correct method, please advise elsewise.
 

chrisj

New member
Hello,
The access_log will not log data passed to/from the PHP modules. It will only give you the source address, the URL, the result code and the web browser string. I am also interested in seeing various security events, like failed logins. The way I would approach it is to modify the login.php to output result data for authentication; however, it is encrypted with ionCube, and will have to be updated at the source by the DaDaBIK developer.

Just my two cents, but still am curious how the application logs. From what I can tell, there is no logging provided for internal operation of your apps. I am sure you can try to output log data from your own custom functions/modules, however, this does not help us in the case of logging user access activity. Other things that may be good to log are:
1. success/fail logins
2. user adds/changes/deletes
3. group changes/membership
4. permissions changes on fields/tables

Regards,
Chris
 

TNewshel

New member
Has anyone followed up on this issue/question? I too am trying to use fail2ban to limit the number of successive failed login attempts to the default DaDaBIK login.php page.
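An added example, not part of any post in this thread and not DaDaBIK or fail2ban code: because the access log records only that a POST reached `login.php?function=check_login` and not whether the login succeeded, the sketch below counts every such POST per client IP inside a sliding window, the same idea as fail2ban's `maxretry` and `findtime` settings. The thresholds, the function name `find_offenders` and the sample log lines (documentation IP ranges) are assumptions constructed for illustration; successful logins are counted too, so the threshold has to leave room for normal use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, then the quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
LOGIN_PATH = "/login.php?function=check_login"  # endpoint shown in the thread's log

def find_offenders(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Return {ip: time of the POST that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        # Skip form GETs, other URLs, and requestless lines such as '"-" 408'.
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

def _line(ip, hms, request):
    # Constructed sample line; status and size are fixed because they are not used.
    return f'{ip} - - [08/Mar/2021:{hms} +0000] "{request}" 200 40732 "-" "Mozilla/5.0"'

POST = "POST /login.php?function=check_login HTTP/1.1"
SAMPLE = [  # constructed sample data, not taken from a real server
    _line("203.0.113.7", "11:12:47", POST),
    _line("203.0.113.7", "11:12:52", POST),
    _line("203.0.113.7", "11:12:58", POST),
    '203.0.113.7 - - [08/Mar/2021:11:13:27 +0000] "-" 408 - "-" "-"',
    _line("198.51.100.9", "11:26:06", "GET /login.php?function=show_login_form HTTP/1.1"),
    _line("198.51.100.9", "11:26:30", POST),
    _line("198.51.100.9", "11:29:30", POST),
    _line("198.51.100.9", "11:32:30", POST),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```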