On 7/14/2015 9:04 PM, Bob Cohen wrote: > There’s a well known DDoS attack against Wordpress which goes after a file in > the core system called xmlrpc.php. I modeled the jail after my successful > wp-auth set up. It doesn’t seem to work. > > kill-xmlrpc.conf > ----------------- > [Definition] > failregex = ^<HOST> .* "POST .*xmlrpc.php HTTP/1.1" ... > This is what I see in my access log. > > 89.248.171.135 - - [14/Jul/2015:21:59:09 -0400] "POST /xmlrpc.php HTTP/1.0" > 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" > 89.248.171.135 - - [14/Jul/2015:21:59:10 -0400] "POST /xmlrpc.php HTTP/1.0" > 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" > 89.248.171.135 - - [14/Jul/2015:21:59:25 -0400] "POST /xmlrpc.php HTTP/1.0" > 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)” > > I tested the regex. It looks okay, I think.
No, your regex has "HTTP/1.1", but the log has "HTTP/1.0", hence it doesn't match. You should probably cut the whole tail of that regex. -- René Berber
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
