By matt.lowe on
Hi,
We are using Drupal on our site and have noticed a lot of attempts to access pages from several IP addresses.
These pages range from the Drupal login page to all sorts of other CMS login paths.
Normally under Linux I would use a script like fail2ban (www.fail2ban.org), which would block the IP addresses (normally via iptables) if the program detected failed logins via the normal Linux logs.
Is there something like this for Drupal, or has someone already created a regex/filter for fail2ban that will allow fail2ban to operate with a log from Drupal?
Matt
Comments
Did you ever find a solution to this?
Just wondering if you ever found a way to do this without having to block manually. Right now I have to keep adding a block to iptables on my server.
Drupal 7
Drupal 7 allows you to block IP addresses from the admin menu. It also automatically temporarily blocks IP addresses that have 5 failed login attempts.
fail2ban with drupal for failed logins ban
Here is the solution with fail2ban, Drupal and, here, Ubuntu. You need root (ssh) access to do this.
This works with Drupal 6 or more.
Install fail2ban with "apt-get install fail2ban"
In Drupal, activate the syslog module (for all of your websites if you have more)
Create the /etc/fail2ban/jail.local file with:
Create the /etc/fail2ban/filter.d/drupal-fail2ban.conf file with:
Restart the service:
/etc/init.d/fail2ban restart
This will ban an IP after 5 failed login attempts for 5 days.
You can watch the banning live with tail -f /var/log/fail2ban.log
:)
Thanks to this guy for the regex code : http://demiurgz.ru/node/12
For this in French, go here
For this in French, go here http://www.alexandreracine.com/comment_bloquer_les_tentatives_de_branche...
A few more notes, also using with CSF firewall
Wanted to add, you need the Drupal module.
https://www.drupal.org/project/fail2ban
Don't forget to turn on the Drupal syslog module.
Also, the fail2ban module in CentOS will likely default to /var/log/messages.
So, you'll need to change the logpath from above to match:
logpath = /var/log/messages
There isn't an action specified; you could use one of the built-in actions, like iptables-allports.conf
To use that you would add a line after the filter line:
action = iptables-allports.conf
However, I use the excellent csf firewall.
http://www.configserver.com/cp/csf.html
So I wanted to use csf to handle iptables and dropping the bad IP.
This article helped.
http://www.digitalfaq.com/forum/web-tech/5692-fail2ban-csf-blocking.html
Here's how my conf files ended up; it's working well.
FILE: /etc/fail2ban/jail.local
FILE /etc/fail2ban/filter.d/drupal-fail2ban.conf
FILE /etc/fail2ban/action.d/csf-ip-deny.conf
Jay
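Added example, not part of any post in this thread and not code from the fail2ban or Drupal projects: a small Python check for trying a Drupal failed-login pattern against log lines before putting it into a fail2ban filter, using the 5-attempt threshold mentioned above. Assumptions: the syslog module's default pipe-separated format, a 600-second counting window, IPv4 only, Drupal's own timestamp field instead of the syslog date, and an illustrative regex that is not the filter from the posts.

```python
import re
from collections import defaultdict

# Assumed Drupal syslog format (the syslog module's default):
#   !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
# Anchored at the first "|" so pipes inside user-supplied fields (request
# URI, username) cannot shift which field is read as the IP. In a fail2ban
# failregex the IP group would be written as <HOST>.
FAILED_LOGIN = re.compile(
    r"^[^|]*\|(?P<ts>\d+)\|user\|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\|"
    r".*\|Login attempt failed for .+\.$"
)
MAXRETRY = 5    # failures before a ban, as in the post above
FINDTIME = 600  # assumed counting window, in seconds


def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs that reach maxretry failed logins within findtime seconds."""
    failures, banned = defaultdict(list), []
    for line in lines:
        m = FAILED_LOGIN.match(line.rstrip("\n"))
        if not m:
            continue
        ip, ts = m.group("ip"), int(m.group("ts"))
        # Keep only this IP's failures that are still inside the window.
        failures[ip] = [t for t in failures[ip] if ts - t < findtime] + [ts]
        if len(failures[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def sample_line(ts, ip, msg, kind="user"):
    """Build one constructed syslog line in the assumed Drupal format."""
    return (f"Mar  3 10:15:01 web1 drupal: http://example.com|{ts}|{kind}|{ip}|"
            f"http://example.com/user|http://example.com/|0||{msg}")


T0 = 1700000000
PIPED = "Login attempt failed for x|1|user|10.0.0.1|a|b|0||Login attempt failed for y."
# Constructed sample log; addresses are from documentation ranges.
SAMPLE = (
    [sample_line(T0 + i, "203.0.113.7", "Login attempt failed for admin.") for i in range(5)]
    + [sample_line(T0 + i * 1000, "198.51.100.9", "Login attempt failed for bob.") for i in range(5)]
    + [sample_line(T0 + i, "192.0.2.4", "Login attempt failed for eve.", kind="php") for i in range(5)]
    + [sample_line(T0 + 200 + i, "192.0.2.50", PIPED) for i in range(5)]  # pipes in username
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE))
```

The same lines can be saved to a file and checked against the real filter with fail2ban's own fail2ban-regex tool.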