==================================================================
  Please DO NOT REPLY to this mail or send email to the developers
  about this bug. Please follow-up to Bugzilla using this link:
    http://bugs.contribs.org/show_bug.cgi?id=8071

  Have you checked the Frequently Asked Questions (FAQ)?
    http://wiki.contribs.org/SME_Server:Documentation:FAQ

  Please also take the time to read the following useful guide:
    http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================

            Bug ID: 8071
           Summary: Fail2ban - Modification request for apache-scan.conf
                    filter
    Classification: Contribs
           Product: SME Contribs
           Version: 8.0
          Hardware: ---
                OS: ---
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-fail2ban
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

Hi all,

This is not really a bug but just a "cosmetic modification" about
/etc/fail2ban/filter.d/apache-scan.conf.

Daniel Berteaud or maybe another maintainer of this contrib could make some
changes to it because of scans of this type in /var/log/httpd/error_log:

[error] [client 178.82.255.236] script not found or unable to stat: /home/e-smith/files/ibays/.../cgi-bin/php
[Thu Dec 19 07:50:15 2013] [error] [client 178.82.255.236] script not found or unable to stat: /home/e-smith/files/ibays/.../cgi-bin/php5
[Thu Dec 19 07:50:16 2013] [error] [client 178.82.255.236] script not found or unable to stat: /home/e-smith/files/ibays/.../cgi-bin/php-cgi
[Thu Dec 19 07:50:16 2013] [error] [client 178.82.255.236] script not found or unable to stat: /home/e-smith/files/ibays/.../cgi-bin/php.cgi
[Thu Dec 19 07:50:16 2013] [error] [client 178.82.255.236] script not found or unable to stat: /home/e-smith/files/ibays/.../cgi-bin/php4

My solution was to edit apache-scan.conf and to add
at the end of re_various 

|php\-cgi|php\.cgi|php*

and at failregex

\[client <HOST>\] script not found or unable to stat: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$


And when I did:
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-scan.conf

before:

Summary
=======

Addresses found:
[1]
    208.93.238.166 (Mon Dec 16 02:25:37 2013)
    69.158.120.86 (Wed Dec 18 03:01:23 2013)
    69.158.120.86 (Wed Dec 18 03:01:23 2013)
    69.158.120.86 (Wed Dec 18 03:01:24 2013)

Date template hits:
2281 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 4

after:

Summary
=======

Addresses found:
[1]
    208.93.238.166 (Mon Dec 16 02:25:37 2013)
    69.158.120.86 (Wed Dec 18 03:01:23 2013)
    69.158.120.86 (Wed Dec 18 03:01:23 2013)
    69.158.120.86 (Wed Dec 18 03:01:24 2013)
[2]

Date template hits:
3106 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 70

but maybe it is not the best solution, or the solution is in another fail2ban
filter, or you could do it more efficiently ;-)

Regards

Xavier

P.S.: I use a custom Kernel+Iptables with GeoIp Addons for this web server so
I get just European or US/CA IPs
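
An added example (not part of the original report or of the smeserver-fail2ban filter): a Python check of how the proposed alternation behaves once it is anchored with `$`, run on constructed lines modelled on the error_log excerpt above. The `<HOST>` stand-in, the `VARIANT` pattern and the sample address are assumptions; `re_pma`, `re_admin` and `re_proxy` are left out because the report does not show their contents.

```python
import re

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the real
# expansion also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Alternation exactly as proposed in the report.
REPORTED = r"php\-cgi|php\.cgi|php*"
# Hypothetical variant: optional version digits after "php".
VARIANT = r"php\-cgi|php\.cgi|php\d*"


def build_failregex(alternation):
    """Compile the report's failregex using only the given alternation."""
    return re.compile(
        r"\[client " + HOST + r"\] script not found or unable to stat: "
        r".*\/(" + alternation + r")$"
    )


# Constructed sample lines (documentation-range address, made-up ibay name).
PREFIX = ("[Thu Dec 19 07:50:16 2013] [error] [client 203.0.113.7] "
          "script not found or unable to stat: "
          "/home/e-smith/files/ibays/x/cgi-bin/")
SAMPLE_LOG = [PREFIX + name
              for name in ("php", "php5", "php-cgi", "php.cgi", "php4")]


def matched_scripts(alternation, lines=SAMPLE_LOG):
    """Return the script names of the lines the failregex would count."""
    rx = build_failregex(alternation)
    return [line.rsplit("/", 1)[1] for line in lines if rx.search(line)]


if __name__ == "__main__":
    for label, alt in (("reported", REPORTED), ("variant", VARIANT)):
        print(label, matched_scripts(alt))
```

In a regular expression `php*` means `ph` followed by any number of `p`, not a shell-style wildcard, so with the `$` anchor the `php4` and `php5` requests are not counted by the reported alternation.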
