How to protect your Joomla instance from brute force attacks with Fail2ban

Mon 31 March 2014

If you administer at least one Joomla instance you’ll be subject to brute force attacks before or after. Fail2ban is a very nice service written in Python which periodically scans your log files looking for signs of brute force attacks and perform some actions when an attack is discovered. The most common actions is to ban the attacker IP at firewall level and send an email to the server administrator.

Fail2ban comes bundled with filters for many common services (ssh, apache authentication, etc.), but it lacks a built-in Joomla integration. Anyway it’s easy to add a Joomla filter to Fail2ban, here I explain how to do it.

Install Fail2ban

Installing fail2ban in a Debian based server is as simple as issuing the following command:

$ apt-get install fail2ban

Configuring Fail2ban properly is out of scope of this howto, you can find many resources online and in the official Fail2ban wiki.

Install Fail2ban Joomla plugin

To ease the integration of Fail2ban with Joomla authentication system you can install a Joomla fail2ban plugin using the standard Joomla plugin installation mechanism. This plugin logs Joomla authentication errors in the standard web server error log. There it will be easy for Fail2ban to scan for errors and ban the attackers IPs.

After installing and activating the plugin you’ll find something like this in your web server error log when user authentication fails in Joomla:

/var/log/apache2/mywebsite_error.log:[Mon Mar 31 10:13:58 2014] [error] [client] user mywebsite authentication failure

Fail2ban configuration

Save this Fail2ban filter in a file called joomla-error.conf and save it in /etc/fail2ban/filters.d:


# Option: failregex
# Notes.: matches something like:
# [Mon Mar 31 10:15:00 2014] [error] [client] user mywebsite authentication failure
# Values: TEXT
failregex = [[]client <HOST>[]] user .* authentication failure.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Add this jail to your /etc/fail2ban/jail.local:

enabled = true
port = http,https
filter = joomla-error
logpath = /var/log/apache2/*error.log
maxretry = 5

Reload fail2ban configuration with:

$ fail2ban-client reload

Be happy when an attacker gets banned

If you configured Fail2ban to send you an email when an attacker is banned you’ll receive an email with a text similar to the following:

The IP has just been banned by Fail2Ban after 5 attempts against joomla-error.

The attacker IP here is left on purpose. I think it’s useful to expose attackers IP in public! 😉