How to add MySQL filter to fail2ban on Plesk?

Question

As you have noticed, Plesk doesn't come with a MySQL filter integrated natively for fail2ban, so we are not able to create a jail for this service.

There is a way to add it but is not so elegant.

What can I do to add support for MySQL on fail2ban provided by Plesk?

Answer 1

1. Go to "Tools & Settings"
2. Click over IP Address Banning (Fail2Ban)
3. Click on tab "Jails"
4. Click the button "Manage filters"
5. Click on "Add filter"

Set the title "mysqld-auth" and this content:

# Fail2Ban filter for unsuccessful MySQL authentication attempts
#
#
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
# log-error=/var/log/mysqld.log
# log-warning = 2
#
# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local before = common.conf

[Definition]

_daemon = mysqld

failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

ignoreregex =

# DEV Notes:
#
# Technically __prefix_line can equate to an empty string hence it can support
# syslog and non-syslog at once.
# Example:
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
#
# Authors: Artur Penttinen
#          Yaroslav O. Halchenko

7. Save and go back to point 3.

8. Click on "Add jail" and complete the form with the new filter, and this action on the textarea:

   iptables-multiport[name="mysqld-auth", port="http,https,3306"]

*Add all the ports you want...

9. Set your MySQL log location, in my case /var/log/mysql/error.log
10. Make sure the new jail is activated, if don't activate it.

The next steps is up to you...

Save and try to hack yourself seeing the fail2ban logs:

tail -f /var/log/fail2ban.log