One of the biggest problems I have seen with Joomla is that the well-known administrator area is public. You may protect it with some .htaccess configuration (I will publish some of that later), but since most Joomla websites are hosted and residential Internet providers give you a dynamic IP address, protecting by IP is useless.

On the bright side, remember that when you install Joomla, the super admin username is no longer admin. You can select a different one, which makes it really difficult to guess. However, there is still the threat of DoS: many failed attempts may exhaust your Web server's resources, and this is why we need fail2ban.

Usually, this should not be a big deal, but since ISPConfig takes over many configurations, it is important to take note of this. ISPConfig 3 will not log anything in the common log locations (e.g. /var/log/httpd); instead, it stores the logs related to your website in the /var/www/yourwebsite/logs/ directory. Because of that, the classic fail2ban Joomla plugin will not work for a whole server; it could work if you are only interested in protecting one website and you hardcode the log path name.

The Syslog Joomla Plugin

I have found a plugin that seems to work. It injects failed login attempts into the syslog. As I am using CentOS and syslog is forwarded to the journal, I am able to use fail2ban with the systemd backend.

The plugin name is Syslog AuthLog, but you will not be able to install it from the Joomla Web Installer because the link is broken. You will need to go to the developer's GitHub page and install it manually.

Configuring Fail2ban to Block Failed Attempts

Assuming you already have your fail2ban up and running, the first step is adding a valid filter expression. Edit or create the file filter.d/joomla-admin.conf with the following content:

[Definition]
failregex = .* WARNING login UNKNOWN ADMIN .* from <HOST>$

Next, edit your jail.local and add a jail section like the following (the section name is your choice; joomla-admin is used here):

[joomla-admin]
enabled = true
port = http,ftp
filter = joomla-admin
maxretry = 2
bantime = 84600
findtime = 21150
action = iptables-allports[name=joomla, protocol=all]
backend = systemd

Change these settings to fit your needs. You are done; restart fail2ban.
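To sanity-check the filter and the maxretry/findtime values before relying on them, the following added example (not part of the original post and not fail2ban's own code) replays constructed journal messages through the filter expression, with fail2ban's <HOST> tag at the address position, and reports which addresses would reach the ban threshold. The message layout, the IPv4-only stand-in for <HOST>, and the function names are assumptions.

```python
import re
from collections import defaultdict, deque

# Filter expression from the post; fail2ban substitutes <HOST> with an address pattern.
FAILREGEX = r".* WARNING login UNKNOWN ADMIN .* from <HOST>$"
# Assumption: simplified IPv4-only stand-in for fail2ban's real <HOST> expansion,
# which also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY, FINDTIME = 2, 21150  # jail values from the post


def compile_filter(failregex=FAILREGEX):
    """Expand <HOST> and compile the filter (hypothetical helper)."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(entries, maxretry=MAXRETRY, findtime=FINDTIME):
    """entries: (epoch_seconds, message) pairs in time order. Returns hosts in ban order."""
    rx = compile_filter()
    recent = defaultdict(deque)  # host -> timestamps of failures inside the window
    banned = []
    for ts, msg in entries:
        m = rx.search(msg)
        if not m:
            continue  # not a failed admin login, or the address is not at end of line
        q = recent[m.group("host")]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned


# Constructed sample messages; the real plugin's exact wording may differ.
SAMPLE = [
    (0, "joomla: WARNING login UNKNOWN ADMIN user root from 203.0.113.7"),
    (60, "joomla: INFO login OK ADMIN user editor from 198.51.100.4"),
    (120, "joomla: WARNING login UNKNOWN ADMIN user admin from 203.0.113.7"),
    (200, "joomla: WARNING login UNKNOWN ADMIN user admin from 198.51.100.9"),
    (30000, "joomla: WARNING login UNKNOWN ADMIN user test from 198.51.100.9"),
    (30100, "joomla: WARNING login UNKNOWN ADMIN user x from 203.0.113.7 extra"),
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE))
```

On a live server, fail2ban-regex run against the journal with filter.d/joomla-admin.conf gives the authoritative answer, because it uses the real <HOST> expansion and the plugin's real messages.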

Good luck!

