Hi,
We are using Drupal on our site and have noticed a lot of attempts to access pages from several IP addresses.
These pages range from the Drupal login page to all sorts of other CMS login paths.

Normally under Linux I would use a script like fail2ban (www.fail2ban.org), which would block the IP addresses (normally via iptables) if the program detected failed logins in the normal Linux logs.

Is there something like this for Drupal, or has someone already created a regex/filter for fail2ban that will allow fail2ban to operate on a log from Drupal?

Matt

Comments

PMorris

Just wondering if you ever found a way to do this without having to block manually. Right now I have to keep adding a block to iptables on my server.

kscott22

Drupal 7 allows you to block IP addresses from the admin menu. It also automatically temporarily blocks IP addresses that have 5 failed login attempts.

alexandreracine

Here is the solution with fail2ban and Drupal, on Ubuntu in my case. You need root (ssh) access to do this.

This works with Drupal 6 or later.

Install fail2ban with "apt-get install fail2ban"

In Drupal, activate the syslog module (for all of your websites if you have more than one).

Create the /etc/fail2ban/jail.local file with:

[drupal-fail2ban]

enabled  = true
port     = http,https
protocol = tcp
filter   = drupal-fail2ban
# Drupal's syslog module writes to the system log; on Ubuntu that is /var/log/syslog
logpath  = /var/log/syslog
# ban after maxretry failures seen within findtime seconds, for bantime seconds
maxretry = 5
findtime = 86400
bantime  = 432000

Create the /etc/fail2ban/filter.d/drupal-fail2ban.conf file with:

[Definition]
failregex = \|user\|<HOST>\|.*\|Login attempt failed (.+)\.$
ignoreregex =

Restart the service:
/etc/init.d/fail2ban restart

This will ban an IP for 5 days after 5 failed login attempts.

You can watch the banning live with tail -f /var/log/fail2ban.log
:)

Thanks to this guy for the regex code: http://demiurgz.ru/node/12

JayLevine

Wanted to add, you need the Drupal module.

https://www.drupal.org/project/fail2ban

Don't forget to turn on the Drupal syslog module.

Also, the fail2ban module in CentOS will likely default to /var/log/messages.

So, you'll need to change the logpath from above to match:

logpath = /var/log/messages

There isn't an action specified; you could use one of the built-in actions, like iptables-allports.conf.

To use that you would add a line after the filter line:
action = iptables-allports

However I use the excellent csf firewall.
http://www.configserver.com/cp/csf.html

So I wanted to use csf to handle iptables and dropping the bad IP.

This article helped.
http://www.digitalfaq.com/forum/web-tech/5692-fail2ban-csf-blocking.html

Here's how my conf files ended up; it's working well.

FILE: /etc/fail2ban/jail.local

[drupal-fail2ban]
enabled  = true
port     = http,https
protocol = tcp
filter   = drupal-fail2ban
action = csf-ip-deny[name=drupal]
logpath  = /var/log/messages
maxretry = 5
findtime = 86400
bantime  = 21600

FILE /etc/fail2ban/filter.d/drupal-fail2ban.conf

[Definition]
failregex = \|user\|<HOST>\|.*\|Login attempt failed (.+)\.$
ignoreregex =

FILE /etc/fail2ban/action.d/csf-ip-deny.conf

# CSF / fail2ban integration from The Digital FAQ (digitalFAQ.com)

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>

[Init]
name = default

# Read more: http://www.digitalfaq.com/forum/web-tech/5692-fail2ban-csf-blocking.html

Jay
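As an added example that is not part of this thread (my own script, not code from any commenter, from Drupal or from the fail2ban project): the Python below takes the failregex from alexandreracine's and JayLevine's drupal-fail2ban.conf, expands <HOST> the way fail2ban 0.8 does, runs it over constructed Drupal syslog lines, and replays fail2ban's maxretry/findtime counting so you can see which addresses either jail above would ban before pointing it at a live server. The log lines, host name, user names and IP addresses are all made up; the line layout follows the default format of Drupal's syslog module (base_url|timestamp|type|ip|request_uri|referer|uid|link|message).

```python
import re
from collections import defaultdict

# failregex copied from the drupal-fail2ban.conf filter in the thread above.
FAILREGEX = r"\|user\|<HOST>\|.*\|Login attempt failed (.+)\.$"

# fail2ban substitutes <HOST> with a pattern for an IPv4 address or host name
# before compiling the filter; this is the expansion fail2ban 0.8 uses.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))


def drupal_syslog_line(epoch, log_type, ip, message, uid=0):
    """Constructed sample: one line as Drupal's syslog module writes it with its
    default format, prefixed by the syslog daemon's own header (date, host, identity).
    The syslog header, host name 'web1' and base URL are made up."""
    return ("Nov 20 10:15:02 web1 drupal: http://example.com|%d|%s|%s|"
            "http://example.com/user/login|http://example.com/user|%d||%s"
            % (epoch, log_type, ip, uid, message))


T0 = 1416478502  # arbitrary starting epoch for the constructed log

SAMPLE_LOG = (
    # 203.0.113.5: five failures in eighty seconds -> reaches maxretry=5
    [drupal_syslog_line(T0 + 20 * i, "user", "203.0.113.5",
                        "Login attempt failed for admin.") for i in range(5)]
    # 198.51.100.7: three failures then a real login -> stays under maxretry
    + [drupal_syslog_line(T0 + 30 * i, "user", "198.51.100.7",
                          "Login attempt failed for matt.") for i in range(3)]
    + [drupal_syslog_line(T0 + 90, "user", "198.51.100.7",
                          "Session opened for matt.", uid=42)]
    # 192.0.2.9: five failures twelve hours apart -> never five inside findtime=86400
    + [drupal_syslog_line(T0 + 43200 * i, "user", "192.0.2.9",
                          "Login attempt failed for root.") for i in range(5)]
    # noise the regex must ignore: a 404 for a WordPress login path and a cron line
    + [drupal_syslog_line(T0 + 5, "page not found", "203.0.113.5", "wp-login.php"),
       drupal_syslog_line(T0 + 6, "cron", "203.0.113.5", "Cron run completed.")]
)


def matched_hosts(lines):
    """Apply the failregex to every line and return the (epoch, host) pairs it flags.
    fail2ban itself takes the time from the syslog header; to keep this sample
    self-contained we read Drupal's own epoch field (second pipe-separated field)."""
    hits = []
    for line in lines:
        m = PATTERN.search(line.rstrip("\n"))
        if m:
            epoch = int(line.split("|")[1])
            hits.append((epoch, m.group("host")))
    return hits


def simulate_bans(lines, maxretry=5, findtime=86400):
    """Replay fail2ban's counting: a host is banned at the first failure at which it
    has maxretry failures inside the trailing findtime seconds. Returns
    {host: epoch_of_ban}. Failures are processed in time order."""
    recent = defaultdict(list)
    banned = {}
    for epoch, host in sorted(matched_hosts(lines)):
        if host in banned:
            continue  # once banned, further lines from that host change nothing
        window = [t for t in recent[host] if epoch - t <= findtime] + [epoch]
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = epoch
    return banned


if __name__ == "__main__":
    print("lines matched by the failregex:", len(matched_hosts(SAMPLE_LOG)))
    print("banned with the Ubuntu jail (maxretry=5, findtime=86400):",
          simulate_bans(SAMPLE_LOG))
    print("banned with a one-week findtime:",
          simulate_bans(SAMPLE_LOG, findtime=7 * 86400))
```

Swap SAMPLE_LOG for the lines of your real /var/log/syslog or /var/log/messages to check the regex against what your Drupal actually writes; fail2ban also ships its own checker for exactly this, `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/drupal-fail2ban.conf`, which reports how many lines matched. Two caveats the simulation makes visible: 192.0.2.9 is only banned once findtime is widened, so a slow attacker needs a longer window than the default; and the address in the `!ip` field is whatever Drupal sees as the client, so behind a reverse proxy or load balancer you must enable Drupal's reverse_proxy setting in settings.php (or the jail will ban your own proxy).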