Open LtSich opened 3 years ago
On my side I use two personal scenarios. As I never use the auth through GET, I use a trigger scenario with this:

```yaml
type: trigger
name: si/pma
description: "detect pma bruteforce with GET pma_username"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path contains '/phpmyadmin/index.php?pma_username='"
groupby: evt.Meta.source_ip
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
```
And another scenario on POST /phpmyadmin/index.php. This one is a leaky type:

```yaml
type: leaky
name: si/pma-post
description: "detect pma bruteforce with POST"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_dir == '/phpmyadmin/' && evt.Parsed.file_name == 'index.php' && evt.Parsed.verb == 'POST'"
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: "60s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
```
Maybe this can give you some idea.
Some improvement on the scenario, to detect and ban on requests with GET ?pma_username=:

```yaml
type: leaky
name: si/pma
description: "detect pma bruteforce with GET pma_username"
debug: false
# POST to /phpmyadmin/index.php, or any request to it with pma_username= in the query string
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_dir == '/phpmyadmin/' && evt.Parsed.file_name == 'index.php' && (evt.Parsed.verb == 'POST' || evt.Parsed.http_args contains 'pma_username=')"
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: "60s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
```
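To see what the trigger scenario in the first comment and the combined leaky scenario above actually do to a stream of requests, here is an added simulation of the scenario filter plus a leaky bucket over a few constructed access-log lines. This is example code written for this page, not crowdsec's own engine and not LtSich's code; it assumes the bucket semantics as commonly described (one event leaks every `leakspeed` seconds, the bucket overflows when more than `capacity` events are inside it, and `blackhole` suppresses the same source after an overflow) and treats the trigger scenario as the special case `capacity=0`. The `parse_line`, `matches_filter` and `run_scenario` names, and the sample log lines, are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not captured from a real server).
# 203.0.113.7 hammers the login with POST and GET pma_username= within a few seconds;
# 198.51.100.9 sends one GET without pma_username= and two slow GETs with it;
# 192.0.2.5 never touches phpMyAdmin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/index.php?lang=en&pma_username=root HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /phpmyadmin/index.php?pma_username=admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:10:00 +0000] "GET /phpmyadmin/index.php?pma_username=admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<request>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Extract the fields the scenario filter reads. This is a hypothetical
    stand-in for the evt.Parsed / evt.Meta fields a crowdsec parser would fill."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, args = m["request"].partition("?")
    head, _, name = path.rpartition("/")
    return {
        "source_ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "verb": m["verb"],
        "file_dir": head + "/",   # '/phpmyadmin/' for '/phpmyadmin/index.php'
        "file_name": name,        # 'index.php'
        "http_args": args,        # query string without the '?'
    }


def matches_filter(evt):
    """Python rendering of the combined scenario filter:
    request to /phpmyadmin/index.php that is a POST or carries pma_username=."""
    return (evt["file_dir"] == "/phpmyadmin/" and evt["file_name"] == "index.php"
            and (evt["verb"] == "POST" or "pma_username=" in evt["http_args"]))


def run_scenario(log_text, capacity=3, leakspeed=60, blackhole=300):
    """Feed matching events into one leaky bucket per source_ip.
    Returns the list of (source_ip, time) overflows, i.e. the alerts that
    would lead to a ban. capacity=0 behaves like the trigger scenario."""
    buckets = {}        # source_ip -> (level, time of last event)
    banned_until = {}   # source_ip -> end of blackhole window
    alerts = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt is None or not matches_filter(evt):
            continue
        ip, now = evt["source_ip"], evt["time"]
        if ip in banned_until and now < banned_until[ip]:
            continue  # blackhole: this source overflowed recently, drop silently
        level, last = buckets.get(ip, (0.0, now))
        level = max(0.0, level - (now - last).total_seconds() / leakspeed)  # leak
        level += 1  # pour in the current event
        if level > capacity:
            alerts.append((ip, now))
            banned_until[ip] = now + timedelta(seconds=blackhole)
            buckets.pop(ip, None)  # bucket is discarded on overflow
        else:
            buckets[ip] = (level, now)
    return alerts


if __name__ == "__main__":
    for ip, when in run_scenario(SAMPLE_LOG):
        print(f"leaky overflow: {ip} at {when:%H:%M:%S}")
    for ip, when in run_scenario(SAMPLE_LOG, capacity=0):
        print(f"trigger fired: {ip} at {when:%H:%M:%S}")
```

With capacity 3 only 203.0.113.7 overflows, on its fourth matching request at 13:55:43, and its fifth request is swallowed by the blackhole; 198.51.100.9's two slow GETs are 14 minutes apart, so the bucket has fully leaked and never fills. With capacity 0 the same input fires on the very first matching request from each source, and 198.51.100.9 fires twice because its second request falls outside the 5 minute blackhole, which is the difference between the trigger and leaky variants in the comments above.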
Link to #590
add scenarios for PHPMyAdmin brute force. I have a fail2ban filter on that:

```text
^.*GET.*(?i)phpmyadmin/index.php\?pma_username=root.*
^.* GET.*(?i)phpmyadmin/index.php\?lang=en&pma_username=admin.*
^.*GET.*(?i)phpmyadmin/index.php\?lang=en&pma_username=root.*
^.* POST.*(?i)phpmyadmin/index.php.*
```