Extension:Fail2banlog

MediaWiki extensions manual
fail2banlog
Release status: unmaintained
Implementation User activity
Description Writes a text file with IP of failed login as an input for the fail2ban software
Author(s) Laurent Chouraki (LaurentChouraki)
MediaWiki 1.27+
Database changes No
License No license specified
Download see here
Example 2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki

  • $wgfail2banfile
  • $wgfail2banid

The Fail2banlog extension writes failed login attempts to a log file that "fail2ban" reads, so you can block brute-force attacks at the firewall level.

Usage

You will need fail2ban from fail2ban.org.

Add the following to your fail2ban config (don't forget to change the file name):

[MediaWiki]
enabled = true
logfile = /home/www/log/MWf2b.log
port = http
timeregex = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S{3}
timepattern = %%Y-%%m-%%d %%H:%%M:%%S %%Z
failregex = Authentication error

With newer versions of fail2ban, you can instead create a new filter file in /etc/fail2ban/filter.d named mediawiki.conf:

[Definition]
failregex = Authentication error from <HOST> on .*
# note 2018/4/12- I have just tweaked the code to log entries compatible with the above.
# If in doubt, use fail2ban-regex to test your filter.

Then reference it from /etc/fail2ban/jail.conf with something like:

[MediaWiki]
enabled = true
filter = mediawiki
action  = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /home/www/log/MWf2b.log
maxretry = 3
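
To check the filter above against the line format the extension writes, the following Python sketch mimics what the jail does with it. It is an added example, not part of the extension or of fail2ban: `HOST_RE` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names and log lines are constructed for illustration.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the
# real tag also accepts IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the mediawiki.conf filter on this page.
FAILREGEX = r"Authentication error from <HOST> on .*"


def compile_failregex(failregex):
    """Expand <HOST> and compile the expression."""
    if "<HOST>" not in failregex:
        # Without <HOST> there is no address to extract, so nothing to ban.
        raise ValueError("failregex has no <HOST> tag: %r" % failregex)
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def offenders(lines, failregex=FAILREGEX, maxretry=3):
    """Return (hits per IP, IPs reaching maxretry, unmatched failure lines)."""
    rx = compile_failregex(failregex)
    hits, missed = {}, []
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
        elif "Authentication error" in line:
            # A failed login was logged, but the filter cannot extract an IP.
            missed.append(line)
    banned = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return hits, banned, missed


# Constructed sample log: four lines in the format Fail2banlog.php writes,
# plus one in the older "for <user> from <ip>" format.
SAMPLE_LOG = [
    "2018-04-12 10:47:15 CEST Authentication error from 10.2.5.221 on TestWiki",
    "2018-04-12 10:47:19 CEST Authentication error from 10.2.5.221 on TestWiki",
    "2018-04-12 10:47:23 CEST Authentication error from 10.2.5.221 on TestWiki",
    "2018-04-12 10:48:02 CEST Authentication error from 192.0.2.7 on TestWiki",
    "2008-02-09 10:47:15 CET Authentication error for MyUser from 10.2.5.221 on TestWiki",
]

if __name__ == "__main__":
    hits, banned, missed = offenders(SAMPLE_LOG)
    print("hits per IP:", hits)
    print("would be banned at maxretry=3:", banned)
    for line in missed:
        print("NOT MATCHED by failregex:", line)
```

Lines reported as not matched are failed logins the jail would silently ignore; fail2ban-regex run against the real log and filter file remains the authoritative check.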

Installation

  • Copy the code into a file called "Fail2banlog.php" and place the file(s) in a directory called Fail2banlog in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    require_once "$IP/extensions/Fail2banlog/Fail2banlog.php";
    
  • Configure as required.
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration

  • $wgfail2banfile
The file the extension writes to. Make sure your web server can write to it; you may want to rotate it along with your other logs.
  • $wgfail2banid
A simple text string appended to each line.

CentOS 7 Gotchas

  • The currently available fail2ban rpm installs 0.9.7. This is good for IPv4 only.
  • Check your regex in the filter. I did not immediately notice that the failregex earlier was incorrect (now fixed).
  • For MediaWiki, fail2ban will not parse the nominated log file unless you set backend=polling and couple that with a dangling journalmatch declaration in the jail.local file (read the comments for explanation there and here). Do this overriding of backend in its jail section in the jail.local file. DO NOT override backend globally in the file or you may hose other jails that depend on systemd, i.e. sshd.
  • The fail2ban config files as per this current day 2018-04-12 contain somewhat redundant statements and can be cleaned up, i.e. unless you are overriding it, redefining action is unnecessary. I also believe there is no need to touch the fail2ban.local file at all. I am unsure how other packages may differ so I have avoided changing them for now.

Code

Fail2banlog.php
<?php
// Refuse to run outside of MediaWiki.
if ( !defined( 'MEDIAWIKI' ) ) {
	echo "This file is not a valid entry point.";
	exit( 1 );
}

$wgExtensionCredits['other'][] = array(
	'name' => 'fail2banlog',
	'author' => array( 'Laurent Chouraki', 'Andrey N. Petrov' ),
	'url' => 'https://www.mediawiki.org/wiki/Extension:Fail2banlog',
	'description' => 'Writes a text file with IP of failed login as an input for the fail2ban software'
);

// Run logBadLogin() for every audited login attempt.
$wgHooks['AuthManagerLoginAuthenticateAudit'][] = 'logBadLogin';

function logBadLogin( $response, $user, $username ) {
	global $wgfail2banfile;
	global $wgfail2banid;

	// Do not log success or password send request, continue to next hook
	if ( $response->status == "PASS" ) {
		return true;
	}

	$time = date( "Y-m-d H:i:s T" );
	$ip = $_SERVER['REMOTE_ADDR']; // wfGetIP() may yield different results for proxies

	// Append a line to the log (message type 3 = append to the given file)
	error_log( "$time Authentication error from $ip on $wgfail2banid\n", 3, $wgfail2banfile );
	return true; // continue to next hook
}