I have fail2ban 0.8.14 installed on Ubuntu 14.04.2.

My apache-auth jail is not banning. I think I have narrowed this down to the regular expression. Below is a line from my apache error log, but the apache-auth jail does not ban it even though it appears 10 times in 30 minutes when the maxretry = 4 and the findtime = 21600 or 6 hours.

[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:18384] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/

Can someone who is good with regular expressions let me know if this regular expression should match the log entry above or if it looks like it could be something else?

^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$

Thanks in advance. Below is my complete configuration for the apache-auth.

[apache-auth]
# I set to true to see
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hour
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4

apache-auth.conf

# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication
# however apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# Author: Cyril Jaquier
# Major edits by Daniel Black

error Log file

[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
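
The comparison the post asks about, as an added example that is not part of the original message or of fail2ban's own code: it checks only the message portion of the first failregex against the quoted log line, leaving out the %(_apache_error_client)s prefix (defined in apache-common.conf, which the post does not show). REFERER_TAIL and the helper names are hypothetical, and LINE_NO_REFERER is a constructed sample.

```python
import re

# Message part of the first failregex from the post. The %(_apache_error_client)s
# prefix is left out: its definition is in apache-common.conf, not on this page.
POSTED_TAIL = r"(AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$"

# Hypothetical variant (an assumption, not the shipped filter) that tolerates
# an optional ", referer: <url>" suffix before the end of the line.
REFERER_TAIL = (r"(AH(01797|01630): )?client denied by server configuration: "
                r"(uri )?\S*(, referer: \S+)?\s*$")

# First log line quoted in the post.
LINE_FROM_POST = (
    "[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] "
    "[client 80.252.153.69:18384] AH01630: client denied by server configuration: "
    "/home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, "
    "referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/"
)
# Constructed sample: the same line cut off before the referer field.
LINE_NO_REFERER = LINE_FROM_POST.split(", referer:")[0]


def message_part(line):
    """Return the text after the '[client ip:port] ' field, or None."""
    m = re.search(r"\[client [^\]]+\] ", line)
    return line[m.end():] if m else None


def tail_matches(pattern, line):
    """True if the message part of the line satisfies the pattern up to '$'."""
    msg = message_part(line)
    return msg is not None and re.match(pattern, msg) is not None


def leftover(pattern, line):
    """Text left after a greedy match of the pattern without its trailing '$'."""
    msg = message_part(line)
    m = re.match(pattern.rstrip("$"), msg) if msg is not None else None
    return msg[m.end():] if m else None


if __name__ == "__main__":
    for name, line in (("post", LINE_FROM_POST), ("no referer", LINE_NO_REFERER)):
        print(name, tail_matches(POSTED_TAIL, line), tail_matches(REFERER_TAIL, line))
    print("unconsumed:", leftover(POSTED_TAIL, LINE_FROM_POST))
```

A full-line match also depends on the prefix; running fail2ban-regex against the real log file and filter checks both parts together.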
